tai/runbooks/apparmor.md
Commit 57f4c0efaa by zphinx, 2026-05-06 04:48:41 +02:00: feat: complete RAG runbook workflow and release docs


| service | symptoms | tags |
| --- | --- | --- |
| apparmor | permission denied despite correct unix permissions, apparmor deny logs, service blocked by profile, executable transition denied, path access denied, snap confinement issue, profile in complain mode | apparmor, security, profile, aa-status, audit, confinement, complain, enforce, snap |

## Symptoms

- Application gets `Permission denied` even though Unix permissions look correct
- Service starts in complain mode but fails in enforce mode
- Log shows AppArmor `DENIED` entries
- Binary works when the profile is disabled but fails when confinement is enabled
- Snap or packaged app cannot access expected files or sockets

## Diagnostics

### Check AppArmor status and loaded profiles

```bash
aa-status
systemctl status apparmor
```

Confirm whether the profile is loaded and whether it is in enforce or complain mode.

### Check denial logs

```bash
journalctl -k | grep -i apparmor
journalctl -b | grep -i DENIED
dmesg | grep -i apparmor
```

AppArmor denials usually identify the profile, the operation, and the path that was blocked.

### Inspect the active profile

```bash
find /etc/apparmor.d -maxdepth 2 -type f | sort
cat /etc/apparmor.d/<profile>
```

Look for missing file path rules, capability rules, and `ix`/`px` execution transitions.

### Check complain vs enforce mode

```bash
aa-status | grep complain
```

If the failure appears only in enforce mode, the profile is too restrictive; the application itself is not broken.

### Check profile parser and reload

```bash
apparmor_parser -r /etc/apparmor.d/<profile>
aa-status
```

Syntax or include errors can prevent an updated profile from loading.

## Remediation

**Profile too restrictive:** add the missing path, capability, or network rule to the profile, then reload AppArmor.

If the denial pattern is repetitive, use AppArmor tooling to review and refine the profile instead of disabling confinement globally.
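The following is an added example, not part of the original runbook: it parses the `journalctl -k` audit lines discussed under "Check denial logs", groups repeated denials by profile, operation and target, and lists a candidate rule for each group so the profile can be refined deliberately rather than confinement disabled. The log lines are constructed samples in the kernel's `type=1400` AppArmor format; the profile and paths are hypothetical, and every suggested rule is a starting point for review, not something to paste in unread.

```python
import re
from collections import Counter

# Constructed sample of `journalctl -k` output (hypothetical nginx profile, not real system output).
# The last line is a complain-mode audit: it was ALLOWED now but would be DENIED under enforce.
SAMPLE_LOG = """\
kernel: audit: type=1400 audit(1715000000.101:301): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/srv/app/config.yml" pid=1201 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
kernel: audit: type=1400 audit(1715000000.102:302): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/srv/app/config.yml" pid=1202 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
kernel: audit: type=1400 audit(1715000000.103:303): apparmor="DENIED" operation="exec" profile="/usr/sbin/nginx" name="/usr/bin/curl" pid=1203 comm="sh" requested_mask="x" denied_mask="x" fsuid=33 ouid=0
kernel: audit: type=1400 audit(1715000000.104:304): apparmor="DENIED" operation="capable" profile="/usr/sbin/nginx" pid=1204 comm="nginx" capability=12 capname="net_admin"
kernel: audit: type=1400 audit(1715000000.105:305): apparmor="ALLOWED" operation="open" profile="/usr/sbin/nginx" name="/var/log/app/debug.log" pid=1205 comm="nginx" requested_mask="w" denied_mask="w" fsuid=33 ouid=0
"""

# key=value pairs; values are either double-quoted strings or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Return the key/value fields of one AppArmor audit line, or None for unrelated lines."""
    if 'apparmor="' not in line:
        return None
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def summarize(log_text):
    """Count events per (profile, operation, target, denied mask, verdict)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue
        target = f.get("name") or f.get("capname") or ""   # file path or capability name
        counts[(f["profile"], f["operation"], target, f.get("denied_mask", ""), f["apparmor"])] += 1
    return counts

def suggest_rule(profile, operation, target, mask):
    """Candidate profile rule for one denial group; a human decides whether the access is legitimate."""
    if operation == "capable":
        return f"capability {target},"
    if operation == "exec":
        # 'ix' keeps the child under the same profile; use 'px' only if the target has its own profile.
        return f"{target} ix,"
    return f"{target} {mask},"

def report(log_text):
    """Worklist for refining the profile, most frequent denial first."""
    rows = []
    for (profile, op, target, mask, verdict), n in summarize(log_text).most_common():
        note = " (complain mode: would be denied under enforce)" if verdict == "ALLOWED" else ""
        rows.append(f"{n:3d}x {profile} {op} {target or '-'}{note} -> {suggest_rule(profile, op, target, mask)}")
    return rows

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Pipe real output in with `journalctl -k | python3 this_script.py` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; compare the worklist against what `aa-logprof` proposes before editing the profile.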

**Need to observe without blocking:** temporarily switch the profile to complain mode:

```bash
aa-complain /etc/apparmor.d/<profile>
```

Return to enforcement after fixing rules:

```bash
aa-enforce /etc/apparmor.d/<profile>
```

**Profile reload after changes:**

```bash
apparmor_parser -r /etc/apparmor.d/<profile>
systemctl reload apparmor
```

Do not disable AppArmor globally when the issue is isolated to a single profile.