Mandatory Access Control (MAC)



  • Install the apparmor package.

  • Add AppArmor to the Linux secuirty modules that will be used on boot along with the dependencies that should be loaded beforehand. This is normally done through GRUB.

  • Enable the service.

    $ sudo systemctl enable apparmor
  • Reboot the computer to complete the installation.

  • Verify that it is enabled and running.

    $ sudo aa-enabled
    $ sudo aa-status



  • View loaded profiles:

    $ sudo aa-status
  • Add a new profile:

    $ sudo apparmor_enforce -r /etc/apparmor.d/<PROFILE>
  • Find the actual name of a profile (it is not always the file name):

    $ grep -P ^profile /etc/apparmor.d/<PROFILE>
  • Enable a profile:

    $ sudo aa-enforce <PROFILE>
  • Disable a profile but keep logging enabled:

    $ sudo aa-complain <PROFILE>
  • Disable a profile completely:

    $ sudo ln -s /etc/apparmor.d/<PROFILE> /etc/apparmor.d/disable/
    $ sudo apparmor_parser -R /etc/apparmor.d/<PROFILE>


  • Delete a profile [3]:

    $ sudo rm -f /etc/apparmor.d/<PROFILE>
    $ sudo systemctl reload apparmor


For testing purposes, AppArmor can be temporarily disabled. Set the Linux kernel boot arguments to disable AppArmor.


Alternatively, use a different MAC such as SELinux. Only one MAC implementation can be used on Linux at a time. [2]




  1. “AppArmor.” Arch Wiki. September 15, 2021. Accessed October 3, 2021.

  2. “AppArmor.” Ubuntu Community Help Wiki. July 5, 2020.

  3. “Building Profiles from the Command Line.” openSUSE Security Guide. 2018. Accessed October 3, 2021.