feat: complete RAG runbook workflow and release docs
Some checks failed
CI / test (push) Failing after 15s
86
runbooks/apparmor.md
Normal file
@@ -0,0 +1,86 @@
|
||||
---
|
||||
service: apparmor
|
||||
symptoms: permission denied despite correct unix permissions, apparmor deny logs, service blocked by profile, executable transition denied, path access denied, snap confinement issue, profile in complain mode
|
||||
tags: apparmor, security, profile, aa-status, audit, confinement, complain, enforce, snap
|
||||
---
|
||||
|
||||
## Symptoms
|
||||
|
||||
- Application gets `Permission denied` even though Unix permissions look correct
|
||||
- Service starts in complain mode but fails in enforce mode
|
||||
- Log shows AppArmor `DENIED` entries
|
||||
- Binary works when profile is disabled but fails when confinement is enabled
|
||||
- Snap or packaged app cannot access expected files or sockets
|
||||
|
||||
## Diagnostics
|
||||
|
||||
### Check AppArmor status and loaded profiles
|
||||
|
||||
```
|
||||
aa-status
|
||||
systemctl status apparmor
|
||||
```
|
||||
|
||||
Confirm whether the profile is loaded and whether it is in enforce or complain mode.
|
||||
|
||||
### Check denial logs
|
||||
|
||||
```
|
||||
journalctl -k | grep -i apparmor
|
||||
journalctl -b | grep -i DENIED
|
||||
dmesg | grep -i apparmor
|
||||
```
|
||||
|
||||
AppArmor denials usually identify the profile, operation, and path that was blocked.
|
||||
|
||||
### Inspect the active profile
|
||||
|
||||
```
|
||||
find /etc/apparmor.d -maxdepth 2 -type f | sort
|
||||
cat /etc/apparmor.d/<profile>
|
||||
```
|
||||
|
||||
Look for missing file path rules, capability rules, and `ix`/`px` execution transitions.
|
||||
|
||||
### Check complain vs enforce mode
|
||||
|
||||
```
|
||||
aa-status | grep complain
|
||||
```
|
||||
|
||||
If the issue only occurs in enforce mode, the profile is too restrictive rather than the app being broken.
|
||||
|
||||
### Check profile parser and reload
|
||||
|
||||
```
|
||||
apparmor_parser -r /etc/apparmor.d/<profile>
|
||||
aa-status
|
||||
```
|
||||
|
||||
Syntax or include errors can prevent an updated profile from loading.
|
||||
|
||||
## Remediation
|
||||
|
||||
**Profile too restrictive:**
|
||||
Add the missing path, capability, or network rule to the profile, then reload AppArmor.
|
||||
|
||||
If the denial pattern is repetitive, use AppArmor tooling to review and refine the profile instead of disabling confinement globally.
|
||||
|
||||
**Need to observe without blocking:**
|
||||
Temporarily switch the profile to complain mode:
|
||||
```
|
||||
aa-complain /etc/apparmor.d/<profile>
|
||||
```
|
||||
|
||||
**Return to enforcement after fixing rules:**
|
||||
```
|
||||
aa-enforce /etc/apparmor.d/<profile>
|
||||
```
|
||||
|
||||
**Profile reload after changes:**
|
||||
```
|
||||
apparmor_parser -r /etc/apparmor.d/<profile>
|
||||
systemctl reload apparmor
|
||||
```
|
||||
|
||||
Do not disable AppArmor globally when the issue is isolated to a single profile.
|
||||
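Review bot: the "Check denial logs" section of this hunk only looks in the kernel ring buffer and the journal (`journalctl -k`, `journalctl -b | grep -i DENIED`, `dmesg`), but on a host where auditd is running AppArmor denials are delivered to the audit subsystem and end up in `/var/log/audit/audit.log` as `type=AVC ... apparmor="DENIED"` records, so those three commands can come back empty while the service is still being blocked; add `grep -i apparmor /var/log/audit/audit.log` (or `ausearch -m AVC`) as the alternative, and note that the `profile=` field in the denial is the profile name, which does not always match the file name under `/etc/apparmor.d/` that `cat /etc/apparmor.d/<profile>` expects. In the remediation block, `aa-complain` is presented as a temporary switch, but it records the mode change as a symlink under `/etc/apparmor.d/force-complain/` that survives a reboot, so the "Return to enforcement after fixing rules" step should be worded as a required follow-up rather than an optional one. "use AppArmor tooling to review and refine the profile" would be more actionable if it named `aa-logprof`, which walks the logged denials and proposes rules. Finally, running `apparmor_parser -r` on the profile and then `systemctl reload apparmor` reloads the profile set twice; either command alone is sufficient.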