Translation(s): none

Desktop notifications

The aa-notify command, from the apparmor-notify package, is able to provide a desktop notification whenever a program causes a DENIED message in /var/log/kern.log. It can be started like this (the user who starts aa-notify needs to have read permissions for /var/log/kern.log):

 sudo aa-notify -p 

If you use auditd, you should start aa-notify like this:

sudo aa-notify -p -f /var/log/audit/audit.log

(We are obliged to start aa-notify manually and as root because of 670305 and 759604.)

Diagnose if a bug might have been caused by AppArmor

The apparmor-utils package provides many useful commands to debug AppArmor.

Note that aa-unconfined is currently buggy with some profiles, which are named a certain way, so do not rely on it. To be sure, for debugging purposes, to identify what apparmor profile the kernel has applied to a given process, find the pid of the process that you're interested in and then examine the contents of /proc/PID/attr/current (replacing PID with the pid you identified earlier). If it contains 'unconfined', then there is no apparmor policy applied. Otherwise, it should contain the name of the profile.

Debug a profile

Quick guide


Testing new profiles in particular should always be done in a clean Sid environment.

In a nutshell:

External documentation

Report a bug

If you've found a bug in an AppArmor profile provided either by apparmor-profiles-extra or a software in Debian which ships its own profile, you might want to report a bug. As the Debian Bug Tracking System is package-centric, only the package maintainers will be automatically made aware you reported this bug. That is why we kindly ask you to usertag your bugs, so that the Debian AppArmor Packaging Team will also be notified if AppArmor is involved or if you need help diagnosing this very fact.

The usertags you should use are:

You can find out more on usertagging bugs in our dedicated documentation.