Redcore Linux Project Forum

devosalain

Member

Registered: 2024-03-10

Posts: 14

Can i disable apparmor ?

Can i disable apparmor or is this a terrible idea for security ?

Sorin

Member

Registered: 2021-12-05

Posts: 13

Re: Can i disable apparmor ?

What problem is caused by apparmor that you want to disable it?

V3n3RiX

Administrator

Registered: 2021-11-04

Posts: 85

Re: Can i disable apparmor ?

rc-update del apparmor boot

Followed by a reboot will disable it. However a better approach will be to fine tune it to your preferences.

For example :

aa-status

will return something like this:

apparmor module is loaded.
60 profiles are loaded.
60 profiles are in enforce mode.
   /usr/bin/akonadiserver
   /usr/lib/apache2/mpm-prefork/apache2
   /usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
   /usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
   /usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
   apache2
   apache2//DEFAULT_URI
   apache2//HANDLING_UNTRUSTED_INPUT
   apache2//phpsysinfo
   avahi-daemon
   dnsmasq
   dnsmasq//libvirt_leaseshelper
   dovecot
   dovecot-anvil
   dovecot-auth
   dovecot-config
   dovecot-deliver
   dovecot-dict
   dovecot-director
   dovecot-doveadm-server
   dovecot-dovecot-auth
   dovecot-dovecot-lda
   dovecot-dovecot-lda//sendmail
   dovecot-imap
   dovecot-imap-login
   dovecot-lmtp
   dovecot-log
   dovecot-managesieve
   dovecot-managesieve-login
   dovecot-pop3
   dovecot-pop3-login
   dovecot-replicator
   dovecot-script-login
   dovecot-ssl-params
   dovecot-stats
   identd
   klogd
   lsb_release
   mariadbd_akonadi
   mdnsd
   mysqld_akonadi
   nscd
   ntpd
   nvidia_modprobe
   nvidia_modprobe//kmod
   php-fpm
   ping
   postgresql_akonadi
   samba-bgqd
   samba-dcerpcd
   samba-rpcd
   samba-rpcd-classic
   samba-rpcd-spoolss
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   syslogd
   traceroute
   zgrep
   zgrep//helper
   zgrep//sed
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/avahi-daemon (4418) avahi-daemon
   /usr/sbin/avahi-daemon (4419) avahi-daemon
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.

Then you can disable a certain program or profile like this :

aa-disable syslogd

Apparmor is almost unnoticeable at runtime and proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing both known and unknown application flaws from being exploited. It is up to you if you're willing to take the risks or not.