Add an rsyslog configuration file at /etc/rsyslog.d/apparmor.conf containing the following:
# Log kernel generated apparmor log messages to file
:msg,contains,"apparmor" /var/log/apparmor.log

# Uncomment the following to stop logging anything that matches the last rule.
# Doing this will stop logging kernel generated apparmor log messages to the file
# normally containing kern.* messages (eg, /var/log/kern.log)
# (rsyslog 7 and later spell this "& stop"; "& ~" is the legacy form)
#& ~

and then restart rsyslog. The configuration matches every message containing the string apparmor and writes a copy to /var/log/apparmor.log.
Next, create a file at /etc/logrotate.d/apparmor with the following contents:

/var/log/apparmor.log {
    rotate 4
    weekly
    compress
    missingok
}

in order to make sure that /var/log/apparmor.log does not grow without bound and is rotated weekly, keeping four compressed copies.
When running apparmor on a Linux distribution with packages that do not properly provide an apparmor profile, some binaries will fail to launch or otherwise generate errors. This can be observed in the kernel logs. For instance, the following message is logged when the i2p daemon is started:
[ 2740.263615] audit: type=1400 audit(1637724187.039:18): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="system_i2p" pid=9637 comm="(wrapper)"
which means, roughly, that a change_onexec operation was denied when the application started: the wrapper asked the kernel to switch to the profile named system_i2p on exec, but no profile with that label is loaded (info="label not found", error=-2, i.e. ENOENT), so the process remained in the unconfined profile.
Editing the apparmor profile itself is not a good solution, because a package update may overwrite the change; a temporary fix is to switch the application's profile to complain mode, so that violations are only logged as warnings and the application continues to run. On Debian, for instance, this can be done by installing the apparmor-utils package:
apt-get install apparmor-utils
and then setting the offending application to warn only:
aa-complain system_i2p
where system_i2p is the profile name that was previously denied (as per the kernel log line).
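Once the rsyslog rule above collects the kernel audit lines into /var/log/apparmor.log, the useful next step is to read that file mechanically rather than by eye: separate "profile is missing" denials (the change_onexec case discussed above) from ordinary denials, and spot the apparmor="ALLOWED" entries that a profile in complain mode emits when it would otherwise have denied an access. The following script is an added example and is not part of the original page or of the apparmor project; the field names are the standard key=value fields of type=1400 audit messages, the first sample line is the one quoted above, and the remaining sample lines are constructed with the same layout.

```python
import re
from collections import Counter

# Constructed sample of /var/log/apparmor.log. The first line is the one
# quoted on the page; the others are made-up lines with the same layout
# (they are not captured from a real host).
SAMPLE_LOG = """\
[ 2740.263615] audit: type=1400 audit(1637724187.039:18): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="system_i2p" pid=9637 comm="(wrapper)"
[ 2741.000001] audit: type=1400 audit(1637724188.100:19): apparmor="ALLOWED" operation="open" profile="system_i2p" name="/etc/hosts" pid=9650 comm="java" requested_mask="r" denied_mask="r"
[ 2742.000002] audit: type=1400 audit(1637724189.200:20): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=700 comm="cupsd" requested_mask="r" denied_mask="r"
[ 2743.000003] audit: type=1400 audit(1637724190.300:21): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="system_i2p" pid=9700 comm="apparmor_parser"
"""

# key="quoted value" or key=bareword (pid=9637, error=-2, type=1400)
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict,
    or None if the line is not an AppArmor message."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        key = m.group(1)
        value = m.group(3) if m.group(3) is not None else m.group(4)
        fields[key] = value
    return fields


def classify(fields):
    """Label one parsed message from a defender's point of view."""
    kind = fields.get("apparmor")
    if kind == "DENIED" and fields.get("info") == "label not found":
        # The exec transition named a profile that is not loaded:
        # error=-2 is ENOENT, and name= carries the missing profile.
        return "missing-profile"
    if kind == "DENIED":
        return "denied"
    if kind == "ALLOWED":
        # Emitted by a profile in complain mode (aa-complain): the access
        # broke the profile but was permitted and only logged.
        return "complain-mode-violation"
    if kind == "STATUS":
        # Profile load/replace/unload notices from apparmor_parser.
        return "status"
    return "other"


def summarize(text):
    """Count messages per class and list profiles reported as missing."""
    counts = Counter()
    missing_profiles = []
    for line in text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        label = classify(fields)
        counts[label] += 1
        if label == "missing-profile":
            missing_profiles.append(fields["name"])
    return counts, missing_profiles


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/apparmor.log").read() on a host.
    counts, missing = summarize(SAMPLE_LOG)
    for label, n in sorted(counts.items()):
        print(f"{label}: {n}")
    if missing:
        print("profiles referenced but not loaded:", ", ".join(missing))
```

Running it against the sample reports one missing profile (system_i2p), one ordinary denial, one complain-mode violation and one status message. The missing-profile class is the one that corresponds to the i2p failure above and is worth alerting on separately, since it means the application is running unconfined rather than merely being blocked from one file.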