How to Enable & Disable AppArmor on Linux Mint 20

Linux Mint distributions come with AppArmor, a Linux kernel security module that allows the system administrator to restrict programs’ capabilities with per-program profiles. Profiles can allow network access, raw socket access, and permission to read, write, or execute files on matching paths. RHEL family users will notice this is similar to SELinux; however, the two work differently, and each has its pros and cons.

The following tutorial covers how to enable and disable AppArmor and individual profiles. Most users will not need to adjust any AppArmor settings, but if the need arises, a few simple commands are all that is needed, as the tutorial will explain.

Prerequisites

Update Operating System

Update your Linux Mint operating system to make sure all existing packages are up to date:

sudo apt update && sudo apt upgrade -y

The tutorial uses the sudo command and assumes your account has sudo status.

To verify sudo status on your account:

sudo whoami

Example output showing sudo status:

[joshua@linuxmint ~]$ sudo whoami
root

To set up an existing or new sudo account, visit our tutorial on Adding a User to Sudoers on Linux Mint.

To use the root account, use the following command with the root password to log in.

su

The tutorial will be utilizing the terminal, and for those unfamiliar, this can be found in your show applications menu.


Working with AppArmor System Commands

By default, AppArmor is installed and turned on when installing Linux Mint. To verify its status, use the following command:

sudo systemctl status apparmor


Next is a rundown of common systemctl commands:

To stop AppArmor:

sudo systemctl stop apparmor

To disable AppArmor on system boot:

sudo systemctl disable apparmor

To start AppArmor:

sudo systemctl start apparmor

To enable AppArmor on system boot (default):

sudo systemctl enable apparmor

To restart AppArmor:

sudo systemctl restart apparmor

To reload AppArmor:

sudo systemctl reload apparmor

Verify AppArmor Profiles Status

First, it's a good idea to check the status of the AppArmor profiles, which can be done using the following command:

sudo apparmor_status

Example output:

apparmor module is loaded.
39 profiles are loaded.
37 profiles are in enforce mode.

Alternatively, you can use the aa-status command, which will give you the same readout:

sudo aa-status

Note, you will see an extensive list of profiles in the output. You will often refer back to this command when checking if profiles are enabled or disabled in the future.

Disable and Enable AppArmor Profiles

If you need to disable a specific AppArmor profile, this can be done individually without disabling the entire security application. First, you will need to navigate to the /etc/apparmor.d directory as follows:

cd /etc/apparmor.d

Now using the ls command, print out a list of profiles that exist in this directory:

sudo ls -s

For example, to disable the usr.sbin.cupsd profile, use the following commands:

sudo ln -s /etc/apparmor.d/usr.sbin.cupsd /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/disable/usr.sbin.cupsd

Using the apparmor_status command, you can confirm that usr.sbin.cupsd has been removed from your profile list.

sudo apparmor_status

Example output with profile removed:

1 processes are in enforce mode.
   /usr/sbin/cups-browsed (876) 

Compared with the original output:

2 processes are in enforce mode.
   /usr/sbin/cups-browsed (876) 
   /usr/sbin/cupsd (800) 

If you would like to see a list of profiles that are disabled, navigate to the directory /etc/apparmor.d/disable and use the ls command:

cd /etc/apparmor.d/disable
ls


If you need to re-enable this profile or any other profile that is disabled, use the following commands:

sudo rm /etc/apparmor.d/disable/usr.sbin.cupsd
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.cupsd

You will need to reboot your system to see the profile back in the apparmor_status command:

sudo reboot now

Run the apparmor_status command again to see the profile back:

sudo apparmor_status

Output with profile back:

2 processes are in enforce mode.
   /usr/sbin/cups-browsed (876) 
   /usr/sbin/cupsd (800) 
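
To audit the result of the steps above, the following added example (not part of the original tutorial) lists every profile disabled through a symlink in /etc/apparmor.d/disable and flags any that is still loaded in the kernel, which is what happens when the symlink is created but the apparmor_parser -R step is skipped. The function names, the header-matching patterns and the optional directory and loaded-list arguments are assumptions of this example; the default loaded list is the kernel's /sys/kernel/security/apparmor/profiles file, which needs root to read.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
# Usage (as root, after sourcing this file): audit_disabled

# Print the top-level profile names declared in a profile file, taken from
# header lines such as "/usr/sbin/cupsd flags=(...) {" or "profile NAME ... {".
profile_names() {
    sed -n \
        -e 's/^profile[[:space:]][[:space:]]*\([^[:space:]]*\).*{[[:space:]]*$/\1/p' \
        -e 's/^\(\/[^[:space:]]*\).*{[[:space:]]*$/\1/p' "$1"
}

# audit_disabled [DIR] [LOADED]
#   DIR     profile directory (default: /etc/apparmor.d)
#   LOADED  file with one "name (mode)" line per loaded profile
#           (default: the kernel's list in securityfs)
# Prints one line per symlink in DIR/disable:
#   DISABLED <file>      symlink present, profile not loaded
#   STILL-LOADED <file>  symlink present, profile still in the kernel
#   DANGLING <file>      symlink target no longer exists
audit_disabled() {
    dir=${1:-/etc/apparmor.d}
    loaded=${2:-/sys/kernel/security/apparmor/profiles}
    for link in "$dir"/disable/*; do
        [ -L "$link" ] || continue      # the tutorial's method uses symlinks
        name=${link##*/}
        if [ ! -e "$link" ]; then
            echo "DANGLING $name"
            continue
        fi
        # Pass 1 (stdin): names declared in the file. Pass 2: loaded list.
        if profile_names "$link" |
            awk 'NR == FNR { want[$0]; next }
                 ($1 in want) { hit = 1 }
                 END { exit !hit }' - "$loaded" 2>/dev/null
        then
            echo "STILL-LOADED $name"
        else
            echo "DISABLED $name"
        fi
    done
}
```

Run without root, the kernel list cannot be read and every linked profile is reported as DISABLED, so run the check with sudo or as root.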

Comments and Conclusion

In this tutorial, you have learned how to disable and enable individual profiles along with the AppArmor application itself. Most users will never need to think about this; however, it’s a handy skill to have if you run into issues relating to the AppArmor application.


