Apparmor Debugging

First, look at the process's profile and skim the query language.

Tracking denials

Turn on complain mode

aa-complain <profile>

This does not track denials, so run

apparmor_parser -pq /etc/apparmor.d/

and check for deny rules; turn them into "audit deny" for debugging.

Check environment scrubbing

echo 1 > /sys/module/apparmor/parameters/debugging

Turn off deny audit quieting

echo -n noquiet >/sys/module/apparmor/parameters/audit

See 826218 for details.
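As an added example (not part of the original note), a small POSIX shell helper that performs the "deny" to "audit deny" rewrite described above on a constructed sample profile, and shows the current values of the two sysfs parameters if they are readable; the sample profile, its paths and the helper names are assumptions.

```shell
#!/bin/sh
# Hypothetical helper for debugging AppArmor denials; the profile text below is
# constructed for illustration and is not a real profile.

# Turn every quiet "deny ..." rule that is not already audited into
# "audit deny ..." so the denial is logged instead of silently dropped.
# Reads a profile on stdin, writes the rewritten profile on stdout.
audit_denies() {
    sed -E 's/^([[:space:]]*)deny[[:space:]]+/\1audit deny /'
}

# Count the rules in a profile file that are now audited denials.
count_audit_deny() {
    grep -c '^[[:space:]]*audit deny ' "$1"
}

# Constructed sample profile: two quiet denials and one already audited.
SAMPLE_PROFILE='#include <tunables/global>
/usr/bin/example {
  #include <abstractions/base>
  /etc/example.conf r,
  deny /etc/shadow r,
  audit deny /root/** rw,
  deny network inet,
}'

# Rewrite the sample profile into a temp file and return how many deny rules
# are audited afterwards (3 for the sample above).
debug_profile() {
    out=$(mktemp)
    printf '%s\n' "$SAMPLE_PROFILE" | audit_denies > "$out"
    count_audit_deny "$out"
    rm -f "$out"
}

# Read-only look at the kernel parameters the note toggles; no root needed
# to read them, and nothing is written.
show_audit_params() {
    for p in debugging audit; do
        f="/sys/module/apparmor/parameters/$p"
        if [ -r "$f" ]; then
            printf '%s=%s\n' "$p" "$(cat "$f")"
        else
            printf '%s=unavailable\n' "$p"
        fi
    done
}
```

Feed a real profile through audit_denies and load the result with apparmor_parser -r to get the denials into the audit log.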

Other things to watch out for

  • Process environments are usually cleared, so if a confined process spawns a subprocess that relies on environment variables this might cause problems.