20090527 disabling apparmor on ubuntu - plembo/onemoretech GitHub Wiki

title: Disabling AppArmor on Ubuntu
link: https://onemoretech.wordpress.com/2009/05/27/disabling-apparmor-on-ubuntu/
author: lembobro
description:
post_id: 316
created: 2009/05/27 04:21:41
created_gmt: 2009/05/27 04:21:41
comment_status: open
post_name: disabling-apparmor-on-ubuntu
status: publish
post_type: post

Disabling AppArmor on Ubuntu

As of Ubuntu 8.10 the procedure for disabling AppArmor is as follows:

    sudo invoke-rc.d apparmor stop
    sudo update-rc.d -f apparmor remove

To re-enable it, do this:

    sudo invoke-rc.d apparmor start
    sudo update-rc.d apparmor start 37 S .

To disable the profile for a particular app without having to entirely remove AppArmor protection:

    cd /etc/apparmor.d/disable
    sudo ln -s /etc/apparmor.d/usr.sbin.slapd .
    sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.slapd

See Community Documentation for more.
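
A defender's counterpart to the commands above, as an added example that is not part of the original post: a POSIX shell audit that reports whether the sysvinit start link deleted by `update-rc.d -f apparmor remove` is missing and which profiles are symlinked in `/etc/apparmor.d/disable`. The function names and the optional ROOT argument are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the original post): report AppArmor protections that
# the procedures above would have switched off. The optional ROOT argument is
# a hypothetical convenience for auditing a mounted image or a test tree.

# Print one profile name per line for each entry in ROOT/etc/apparmor.d/disable.
list_disabled_profiles() {
    lp_dir="${1:-}/etc/apparmor.d/disable"
    [ -d "$lp_dir" ] || return 0
    for lp_entry in "$lp_dir"/*; do
        # -L also catches dangling symlinks; the test skips an unexpanded glob.
        if [ -e "$lp_entry" ] || [ -L "$lp_entry" ]; then
            basename "$lp_entry"
        fi
    done
}

# Succeed if a sysvinit start link for apparmor exists (e.g. rcS.d/S37apparmor);
# "update-rc.d -f apparmor remove" deletes these links.
boot_link_present() {
    for bl_link in "${1:-}"/etc/rc*.d/S*apparmor; do
        if [ -e "$bl_link" ] || [ -L "$bl_link" ]; then
            return 0
        fi
    done
    return 1
}

# Print findings; return 0 when nothing is disabled, 1 otherwise.
audit_apparmor() {
    aa_root="${1:-}"
    aa_status=0
    if ! boot_link_present "$aa_root"; then
        echo "WARN: no apparmor start link under $aa_root/etc/rc*.d"
        aa_status=1
    fi
    for aa_name in $(list_disabled_profiles "$aa_root"); do
        echo "WARN: profile disabled: $aa_name"
        aa_status=1
    done
    [ "$aa_status" -eq 0 ] && echo "OK: no disabled AppArmor components found"
    return "$aa_status"
}

# Run against the live system only when asked: sh audit.sh --run [ROOT]
if [ "${1:-}" = "--run" ]; then
    audit_apparmor "${2:-}"
fi
```

The boot check looks only at the sysvinit links this page manipulates; it does not inspect the kernel module state or other init systems.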

AppArmor is a mandatory access control (MAC) security mechanism that has the same basic goal as SELinux, making the system more secure by restricting the (mis)behavior of applications. While SELinux was created by the NSA, AppArmor originated in Novell’s SuSE product division and is installed by default on Ubuntu.

There be bugs in AppArmor. See its Launchpad page. In this it has another thing in common with SELinux. In fact, AppArmor has its very own debugging page on the Ubuntu wiki. I ran into one of these bugs in trying to add a second database for slapd. Although it has been fixed for Ubuntu 9.0.4, it remains in 8.10. There have been rumors that SELinux will replace AppArmor in some future release of Ubuntu, but there’s no indication from reliable sources that is going to happen anytime soon (if at all).

Although I’d prefer not to, I’ll continue to run AppArmor on some of my systems because, well, it’s my job to struggle with things like this. Anyone who runs a production application server on Ubuntu should take the time to test their configuration with AppArmor before deploying with it enabled. If it passes muster, especially if it will be an Internet-facing system, having a MAC framework in place will make it more secure than it otherwise would be.

Copyright 2004-2019 Phil Lembo