AppArmor not working as expected

I am a Linux newbie, however, I was experimenting today with creating profiles for some applications. I have watched some YouTube videos on how to work it, and I have stumbled upon a few things that didn’t work as expected.

1- First problem I faced is that “aa-genprof” wasn’t working as advertized.

I have tried to create a profile for KTorrent as follows:

sudo aa-genprof ktorrent

Then I ran KTorrent, to populate the logs. Then I started using the “Scan” functionality. It didn’t catch any events/logs, even though manually reading the logs at “/var/logs/audit/audit.log” was populating events.

So, what I had to do is “Finish”, then manually using:

sudo aa-complain ktorrent
sudo aa-logprof -f /var/logs/audit/audit.log

Which worked as expected.

Could someone help me find out why my (default) installation of AppArmor is not running as expected?

2- Second problem I faced is using the Firefox profile found in “/usr/share/apparmor/extra-profiles/usr.lib.firefox.firefox”.

First of all, the Firefox binary is located at “/usr/lib64/firefox/firefox” NOT “/usr/lib/firefox/firefox”. So, I had to manually fix the profile as follows:

su -c "cat /usr/share/apparmor/extra-profiles/usr.lib.firefox.firefox | sed 's#/usr/lib/#/usr/lib{,64}/#' > /etc/apparmor.d/usr.lib64.firefox.firefox"

Which effectively modifies the file such that it accepts both “lib” and “lib64” in the directory path. However, when running “sudo aa-complain /usr/lib64/firefox/firefox”, I get the following error message:

Setting /usr/lib64/firefox/firefox to complain mode.

ERROR: /etc/apparmor.d/usr.lib64.firefox.firefox contains no profile

Even though “cat /etc/apparmor.d/usr.lib64.firefox.firefox” shows expected file contents. link]

What gives?

Looks like a typo, if it’s not your posting then it’s probably the cause of your error

Note the period instead of slash for “/usr.”



No, it is not a typo. This is a file named “usr.lib64.firefox.firefox” under “/etc/apparmor.d”.

It is a convention to name the file based on the path of the executable that the profile is for, and replacing slashes with dots.


For someone to follow in your exact steps and to re-produce what you see,
You need to post exactly the commands you use, not a description like “scan”

Been awhile since I’ve tried to create a custom AppArmor rule, but your overall description and approach looks right, IIRC.


Actually, the original post lists the complete commands. The “scan” functionality is an option presented in the interactive UI of the aa-genprof command.

The way aa-genprof is supposed to work, is that you run a command like “sudo aa-genprof ktorrent”, then open a new ktorrent process that will be monitored by apparmor, and generate access violation logs. After running ktorrent for a while, you go back to the aa-genprof screen, and press “S”, which activates the scanning of the logs, and it then starts suggesting rules based on those logs.

On my machine, aa-genprof does not do anything when asked to scan the logs. I have to use another tool called aa-logprof. Both tools are supposed to be able to generate rules from logs. aa-genprof should generate these rules as part of the initial setup, and the aa-logprof is supposed to be used after the initial profile has been created.