zphinx/tai
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 3 Wiki Activity
Files
feature/package-presence-and-generic-service-detection
tai/runbooks/apparmor.md
zphinx 57f4c0efaa
Some checks failed
CI / test (push) Failing after 15s
Details
feat: complete RAG runbook workflow and release docs
2026-05-06 04:48:41 +02:00

87 lines
2.3 KiB
Markdown
Raw Permalink Blame History

---
service: apparmor
symptoms: permission denied despite correct unix permissions, apparmor deny logs, service blocked by profile, executable transition denied, path access denied, snap confinement issue, profile in complain mode
tags: apparmor, security, profile, aa-status, audit, confinement, complain, enforce, snap
---
## Symptoms
- Application gets `Permission denied` even though Unix permissions look correct
- Service starts in complain mode but fails in enforce mode
- Log shows AppArmor `DENIED` entries
- Binary works when profile is disabled but fails when confinement is enabled
- Snap or packaged app cannot access expected files or sockets
## Diagnostics
### Check AppArmor status and loaded profiles
```
aa-status
systemctl status apparmor
```
Confirm whether the profile is loaded and whether it is in enforce or complain mode.
### Check denial logs
```
journalctl -k | grep -i apparmor
journalctl -b | grep -i DENIED
dmesg | grep -i apparmor
```
AppArmor denials usually identify the profile, operation, and path that was blocked.
### Inspect the active profile
```
find /etc/apparmor.d -maxdepth 2 -type f | sort
cat /etc/apparmor.d/<profile>
```
Look for missing file path rules, capability rules, and `ix`/`px` execution transitions.
### Check complain vs enforce mode
```
aa-status | grep complain
```
If the issue only occurs in enforce mode, the profile is too restrictive rather than the app being broken.
### Check profile parser and reload
```
apparmor_parser -r /etc/apparmor.d/<profile>
aa-status
```
Syntax or include errors can prevent an updated profile from loading.
## Remediation
**Profile too restrictive:**
Add the missing path, capability, or network rule to the profile, then reload AppArmor.
If the denial pattern is repetitive, use AppArmor tooling to review and refine the profile instead of disabling confinement globally.
**Need to observe without blocking:**
Temporarily switch the profile to complain mode:
```
aa-complain /etc/apparmor.d/<profile>
```
**Return to enforcement after fixing rules:**
```
aa-enforce /etc/apparmor.d/<profile>
```
**Profile reload after changes:**
```
apparmor_parser -r /etc/apparmor.d/<profile>
systemctl reload apparmor
```
Do not disable AppArmor globally when the issue is isolated to a single profile.
Reference in New Issue View Git Blame Copy Permalink