Setting an AppArmor policy to complain mode (with examples)
Use case 1: Set policy to complain mode
Code:
sudo aa-complain path/to/profile
Motivation: When an AppArmor profile is denying an application access to resources on a system, it is useful to set the profile to complain mode. In complain mode, the policy is not enforced, but violations are logged so that they can be reviewed later.
Explanation:
This command sets the specified AppArmor profile located at path/to/profile to complain mode. The profile will no longer enforce restrictions, but violations will be logged.
Example output:
Profile '{profile_name}' has been set to complain mode.
Use case 2: Set policies to complain mode
Code:
sudo aa-complain --dir path/to/profiles
Motivation: In situations where multiple AppArmor profiles need to be set to complain mode, it is convenient to be able to specify a directory instead of individual profiles. This allows for batch processing of profiles.
Explanation:
This command sets all the AppArmor profiles located in the specified directory at path/to/profiles to complain mode. All the profiles in the directory will have their enforcement disabled, and violations will be logged.
Example output:
Profiles in '/path/to/profiles/' have been set to complain mode.
By using the aa-complain command in these different use cases, system administrators can easily disable enforcement of AppArmor profiles temporarily. This allows for monitoring violations without hindering the functionality of applications.
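Reviewing what a profile logged while in complain mode, as an added example that is not part of the original page: the function below counts the distinct apparmor="ALLOWED" audit events (the records AppArmor writes for complain-mode violations) per profile, operation, mask and path. The log lines, the profile /usr/sbin/exampled and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize AppArmor complain-mode events (apparmor="ALLOWED").

# Constructed sample audit lines (not taken from a real system).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:201): apparmor="ALLOWED" operation="open" profile="/usr/sbin/exampled" name="/etc/exampled.conf" pid=4101 comm="exampled" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000001.102:202): apparmor="ALLOWED" operation="open" profile="/usr/sbin/exampled" name="/etc/exampled.conf" pid=4101 comm="exampled" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000002.103:203): apparmor="DENIED" operation="open" profile="/usr/bin/othertool" name="/etc/shadow" pid=4200 comm="othertool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1700000003.104:204): apparmor="ALLOWED" operation="mknod" profile="/usr/sbin/exampled" name="/var/lib/exampled/state.db" pid=4101 comm="exampled" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=AVC msg=audit(1700000004.105:205): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/exampled" pid=4300 comm="apparmor_parser"
EOF
}

# Read audit lines on stdin and print "count profile operation mask name"
# for each distinct ALLOWED event, most frequent first.
# DENIED (enforce mode) and STATUS records are ignored.
summarize_complain_events() {
  awk '
    # Return the value of key="value" in the current line, or "-" if absent
    # (AppArmor hex-encodes some names without quotes; those show as "-").
    function field(key,    re, s) {
      re = "(^| )" key "=\"[^\"]*\""
      if (match($0, re) == 0) return "-"
      s = substr($0, RSTART, RLENGTH)
      sub(/^[^"]*"/, "", s)
      sub(/"$/, "", s)
      return s
    }
    /apparmor="ALLOWED"/ {
      k = field("profile") " " field("operation") " " field("denied_mask") " " field("name")
      n[k]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -k1,1nr -k2
}

# Demonstration on the constructed sample.
sample_log | summarize_complain_events
```

On a live system the input would come from the audit log (/var/log/audit/audit.log when auditd is running) or the kernel log instead of sample_log. Once the logged accesses have been reviewed and the profile adjusted, sudo aa-enforce path/to/profile returns it to enforce mode.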