Sending Messages to File

Add an rsyslog configuration file at /etc/rsyslog.d/apparmor.conf containing the following:

# Log kernel generated apparmor log messages to file
:msg,contains,"apparmor" /var/log/apparmor.log

# Uncomment the following to stop logging anything that matches the last rule.
# Doing this will stop logging kernel generated apparmor log messages to the file
# normally containing kern.* messages (eg, /var/log/kern.log).
# On rsyslog 7 and later, "& stop" is the preferred spelling of "& ~".
# & ~

and then restart rsyslog. The first rule copies every message whose text contains the string apparmor to /var/log/apparmor.log; the & ~ line, if enabled, then discards those messages so they no longer reach the usual kernel log file.

Next, create a file at /etc/logrotate.d/apparmor with the following contents:

/var/log/apparmor.log {
    rotate 4
    weekly
    compress
    missingok
}

so that /var/log/apparmor.log does not grow without bound: it is rotated weekly and four compressed old copies are kept.

Setting Application to Warn Only

When running apparmor on a Linux distribution with packages that do not ship a proper apparmor profile, some binaries will fail to launch or otherwise generate errors. This shows up in the kernel log. For instance, the following message is logged when the i2p daemon is started:

[ 2740.263615] audit: type=1400 audit(1637724187.039:18): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="system_i2p" pid=9637 comm="(wrapper)"

which roughly means that the change_onexec operation (switching to the system_i2p profile as the daemon starts) was denied because no loaded profile carries that label (info="label not found", error=-2).
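Once these lines are collected in /var/log/apparmor.log, the useful next step is to pick apart the key="value" fields and separate real denials (enforce mode) from events that complain mode merely logged as apparmor="ALLOWED". The parser below is an added example, not part of the original page; the log lines in SAMPLE_LOG are constructed to match the format shown above, not captured from a real host.

```python
import re
from typing import Dict, List

# Constructed sample lines in the kernel audit format shown above.
# Line 1: enforce-mode denial with no matching profile loaded.
# Line 2: complain-mode event (logged as ALLOWED, but would be denied in enforce mode).
# Line 3: unrelated kernel message that the parser must ignore.
SAMPLE_LOG = """\
[ 2740.263615] audit: type=1400 audit(1637724187.039:18): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="system_i2p" pid=9637 comm="(wrapper)"
[ 2801.001122] audit: type=1400 audit(1637724248.120:19): apparmor="ALLOWED" operation="open" profile="system_i2p" name="/etc/i2p/wrapper.config" pid=9701 comm="java" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2802.555555] kernel: usb 1-1: new high-speed USB device number 3 using xhci_hcd
"""

# key=value pairs: either a double-quoted string or a bare token (pid=9637, error=-2)
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor_line(line: str) -> Dict[str, str]:
    """Return the key=value fields of one AppArmor audit line, or {} if it is not one."""
    if 'apparmor="' not in line:
        return {}
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        # group 3 is the unquoted content of a quoted value, group 4 a bare token
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def summarize(log_text: str) -> List[dict]:
    """Classify each AppArmor event so a reviewer can see what enforce mode blocked
    and what complain mode only reported."""
    events = []
    for line in log_text.splitlines():
        f = parse_apparmor_line(line)
        if not f:
            continue
        events.append({
            "verdict": f.get("apparmor"),
            "profile": f.get("profile"),
            "operation": f.get("operation"),
            "name": f.get("name"),
            # "label not found" means the target profile is not loaded at all
            "missing_profile": f.get("info") == "label not found",
            # complain mode logs ALLOWED for operations enforce mode would deny
            "would_be_denial": f.get("apparmor") == "ALLOWED",
        })
    return events
```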

Editing the apparmor profile itself is not a good solution, because a package update may overwrite the change. A temporary fix is instead to set the application to warn only (complain mode), so that violations are logged but the application keeps running. On Debian, for instance, this is done by installing the apparmor-utils package:

apt-get install apparmor-utils

and then setting the offending application to warn only:

aa-complain system_i2p

where: