apparmor_parser Command
man(8): Load and manage AppArmor security profiles
Updated: Mar 16, 2026
SYNTAX
apparmor_parser [OPTIONS] PROFILE
What Does apparmor_parser Do?
The apparmor_parser command loads, replaces, removes, and manages AppArmor security profiles. AppArmor is a Mandatory Access Control (MAC) system that confines programs to a limited set of resources, restricting file access, network capabilities, and other system operations based on per-program profiles.
AppArmor is the default MAC system on Debian, Ubuntu, SUSE, and their derivatives (unlike RHEL/Fedora which use SELinux). It is simpler to configure than SELinux, using path-based access control with human-readable profile files stored in /etc/apparmor.d/.
Each AppArmor profile specifies exactly what a program can access: which files it can read/write, which network connections it can make, which capabilities it can use, and which other programs it can execute. Profiles can be in enforce mode (access violations are blocked and logged) or complain mode (violations are only logged, not blocked).
apparmor_parser is the core tool for managing these profiles at the kernel level, while aa-enforce, aa-complain, and aa-genprof provide higher-level profile management.
Options & Flags
| Option | Description | Example |
|---|---|---|
| -a | Add and load a new profile | sudo apparmor_parser -a /etc/apparmor.d/usr.sbin.nginx |
| -r | Replace (reload) an existing profile | sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.nginx |
| -R | Remove a profile from the kernel | sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.nginx |
| -C | Load the profile in complain mode (combine with -a or -r) | sudo apparmor_parser -C -r /etc/apparmor.d/usr.sbin.nginx |
| -p | Preprocess and dump profile (debug) | apparmor_parser -p /etc/apparmor.d/usr.sbin.nginx |
| aa-status | Show AppArmor status and loaded profiles | sudo aa-status |
| aa-enforce | Set profile to enforce mode | sudo aa-enforce /etc/apparmor.d/usr.sbin.nginx |
| aa-genprof | Generate a new profile interactively | sudo aa-genprof /usr/sbin/nginx |
Practical Examples
#1 Check AppArmor status
Show how many profiles are loaded, how many are in enforce vs complain mode, and which processes are confined.
$ sudo aa-status
#2 Load a profile
Load a new profile into the kernel. The profile takes effect immediately for new process invocations.
$ sudo apparmor_parser -a /etc/apparmor.d/usr.sbin.nginx
#3 Reload after editing
Replace the kernel profile with the updated file version. Use after editing a profile.
$ sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.nginx
#4 Set to complain mode for testing
Switch to complain mode: violations are logged but not blocked. Use for testing new profiles.
$ sudo aa-complain /etc/apparmor.d/usr.sbin.nginx
#5 Generate profile for a program
Interactive profile generator. Run the program normally in another terminal, then scan for access events and build the profile.
$ sudo aa-genprof /usr/sbin/nginx
#6 View profile denials
Check the kernel log for AppArmor access denials. Shows which operations were blocked and by which profile.
$ sudo dmesg | grep "apparmor=\"DENIED\"" | tail -20
#7 Disable a profile temporarily
Disable a profile by symlinking it into the disable directory and removing it from the kernel. Re-enable it by removing the symlink and reloading the profile.
$ sudo ln -s /etc/apparmor.d/usr.sbin.nginx /etc/apparmor.d/disable/ && sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.nginx
Tips & Best Practices
Start with complain mode: When creating or modifying profiles, start in complain mode (aa-complain). Monitor logs for denials, adjust the profile, then switch to enforce mode (aa-enforce).
Profile naming convention: Profile files in /etc/apparmor.d/ are named after the program path with dots: /usr/sbin/nginx becomes usr.sbin.nginx.
Test before enforcing: An incorrectly configured enforce-mode profile can break services. Always test in complain mode first and review denials in dmesg or /var/log/syslog.
Use aa-logprof for updates: After running a program in complain mode, use aa-logprof to scan logs and update the profile with the observed access patterns.
Frequently Asked Questions
What is the difference between AppArmor and SELinux?
AppArmor uses path-based access control with simpler profiles. SELinux uses label-based access with more complex but more granular control. AppArmor is default on Ubuntu/SUSE; SELinux on RHEL/Fedora.
How do I check if AppArmor is blocking something?
Check the kernel log: dmesg | grep apparmor=\"DENIED\". Or check /var/log/syslog. Each denial line shows the profile, the operation, and the resource that was blocked; in complain mode the same events are logged with apparmor="ALLOWED" instead.
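Worked example for #6 and for this question, added here and not part of the original page: a POSIX shell summarizer for the audit lines that dmesg and syslog print, grouping events by profile, operation, target and denied mask so a noisy log reduces to a short list you can compare against the profile. The sample log lines are constructed, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample (not captured from a real host) of AppArmor audit lines in
# the format dmesg prints them; complain-mode events say ALLOWED instead of DENIED.
SAMPLE_EVENTS='audit: type=1400 audit(1700000000.123:45): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/etc/shadow" pid=1234 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
audit: type=1400 audit(1700000000.456:46): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/etc/shadow" pid=1234 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
audit: type=1400 audit(1700000000.789:47): apparmor="ALLOWED" operation="open" profile="/usr/sbin/nginx" name="/var/log/nginx/access.log" pid=1234 comm="nginx" requested_mask="w" denied_mask="w" fsuid=33 ouid=0
audit: type=1400 audit(1700000001.000:48): apparmor="DENIED" operation="capable" profile="/usr/sbin/nginx" pid=1234 comm="nginx" capability=12 capname="net_admin"
audit: type=1400 audit(1700000002.000:49): apparmor="DENIED" operation="exec" profile="/usr/sbin/nginx" name="/bin/sh" pid=1240 comm="nginx" requested_mask="x" denied_mask="x" fsuid=33 ouid=0'

# summarize_apparmor_events [DENIED|ALLOWED]
# Reads audit lines on stdin and prints "COUNT PROFILE OPERATION TARGET MASK",
# most frequent first, for events with the given status (default DENIED).
# On a live system feed it with: sudo dmesg | summarize_apparmor_events
summarize_apparmor_events() {
  awk -v status="${1:-DENIED}" '
    # Return the value of key="value". Keys are always preceded by a space in
    # the audit format, which keeps name= from matching inside capname=.
    function field(key,    re) {
      re = " " key "=\"[^\"]*\""
      if (match($0, re))
        return substr($0, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
      return ""
    }
    $0 ~ ("apparmor=\"" status "\"") {
      target = field("name")
      if (target == "") target = field("capname")   # capability events
      if (target == "") target = "-"
      mask = field("denied_mask")
      if (mask == "") mask = "-"
      count[field("profile") " " field("operation") " " target " " mask]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2
}

# Count events with the given status; compare the numbers before and after
# moving a profile between complain and enforce mode.
count_apparmor_events() {
  awk -v status="${1:-DENIED}" '$0 ~ ("apparmor=\"" status "\"") { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_EVENTS" | summarize_apparmor_events DENIED
```

Pass ALLOWED instead of DENIED to review what a complain-mode profile would have blocked once it is set to enforce.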
How do I create an AppArmor profile?
Use aa-genprof /path/to/program. Run the program in another terminal, then return to aa-genprof to review and accept access events. The profile is saved and loaded automatically.
Can I disable AppArmor?
Yes, but it is not recommended: sudo systemctl disable --now apparmor. A better approach is to disable only the specific profile that causes problems: sudo aa-disable /etc/apparmor.d/problematic.profile