
Denials quick guide

In order to fix logged denials, additions can be made to local override files. Most profiles allow for local overrides, which can be used as follows:

  1. Look for a log entry containing apparmor="DENIED" and note its corresponding profile= information in order to locate the corresponding source profile in /etc/apparmor.d/. See the note below if the logged profile does not appear to have a source file here.
  2. Verify that the source profile has a line like include if exists <local/[name]>, and open (creating if necessary) the file /etc/apparmor.d/local/[name].
  3. Add the rules required to resolve the denials (an overview of the profile syntax can be found at QuickProfileLanguage).
  4. Reload the profile with sudo apparmor_parser -r /etc/apparmor.d/[profile].

A longer explanation can be found in /etc/apparmor.d/local/README.
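
The shell sketch below illustrates steps 1 and 3. It is an added example, not part of the original guide or of the AppArmor tools. It reads kernel log lines and prints, per profile, candidate rules to review before adding them to /etc/apparmor.d/local/[name]. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): turn AppArmor denial log lines
# into candidate rules to review before adding to /etc/apparmor.d/local/[name].

# Constructed sample input; hosts, pids and paths are made up.
sample_log() {
cat <<'EOF'
Jan 10 10:00:01 host kernel: audit: type=1400 audit(1704880801.101:201): apparmor="DENIED" operation="open" profile="/usr/sbin/tcpdump" name="/srv/captures/eth0.pcap" pid=4101 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
Jan 10 10:00:02 host kernel: audit: type=1400 audit(1704880802.102:202): apparmor="DENIED" operation="open" profile="/usr/sbin/tcpdump" name="/srv/captures/eth0.pcap" pid=4101 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
Jan 10 10:00:03 host kernel: audit: type=1400 audit(1704880803.103:203): apparmor="DENIED" operation="exec" profile="/usr/sbin/tcpdump" name="/usr/bin/gzip" pid=4102 comm="tcpdump" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Jan 10 10:00:04 host kernel: audit: type=1400 audit(1704880804.104:204): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cupsd" name="/etc/hosts" pid=4103 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 10 10:00:05 host kernel: audit: type=1400 audit(1704880805.105:205): apparmor="DENIED" operation="capable" profile="/usr/sbin/tcpdump" pid=4101 comm="tcpdump" capability=12 capname="net_admin"
EOF
}

# Print the value of KEY="value" from one log line, or nothing if absent.
field() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\"\([^\"]*\)\".*/\1/p"
}

# Read log lines on stdin; print "profile<TAB>rule" once per distinct denial.
denials_to_rules() {
    grep 'apparmor="DENIED"' | while IFS= read -r line; do
        profile=$(field profile "$line")
        name=$(field name "$line")
        mask=$(field denied_mask "$line")
        cap=$(field capname "$line")
        if [ -n "$cap" ]; then
            rule="capability $cap,"
        elif [ -z "$name" ] || [ -z "$mask" ]; then
            continue    # unquoted (hex-encoded) name or other denial type: handle by hand
        else
            case $mask in
                # x needs an explicit transition mode; other letters are not rule permissions
                *[!rwaklm]*) rule="# review by hand: $name denied_mask=$mask" ;;
                *)           rule="$name $mask," ;;
            esac
        fi
        printf '%s\t%s\n' "$profile" "$rule"
    done | sort -u
}

# Demo on the constructed sample; on a real system, pipe in the kernel log instead.
sample_log | denials_to_rules
```

Only the rule column belongs in the local override file, since that file is included inside the profile body. Check each suggested rule against what the application legitimately needs before reloading the profile as in step 4.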

Some profiles are not managed by AppArmor and cannot be extended by this mechanism. For lxd, libvirt and snap applications, please report a bug on Launchpad.

Further Information

For additional information, see Profiling_with_tools and Profiling_by_hand. While these pages are old, they should still be applicable.