AppArmor causes errors when new profiles were included

Masalababa · 1 March 2025 03:26

I saw many new profiles by
$ sudo aa-status
and included them by
$ sudo aa-enforce /etc/apparmor.d/*
but since than I got errors
$ firefox
/usr/lib/firefox/firefox: error while loading shared libraries: libstdc++.so.6: cannot open shared object file: Permission denied
and
$ flatpak uninstall --unused
flatpak: error while loading shared libraries: libglib-2.0.so.0: cannot open shared object file: Permission denied

and who knows how many more?
(I haven’t checked all apps yet)

All errors (Permission denied) are gone when AppArmor is disabled by
$ sudo aa-teardown

EDIT:
Most likely the errors are due to one or more buggy Tunables Profile(s) !!
Hope that helps to find out why.

linux-aarhus · 1 March 2025 05:25

Please see → AppArmor - ArchWiki for more information

Masalababa · 15 March 2025 13:10

For many year I used AppArmor just with this line in GRUB

GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor resume=UUID=ff53c8ac-5386-4abf-9a73-0f85924072ba udev.log_priority=3"

and it worked fine.
Because you @linux-aarhus mentioned the Wiki I have added GRUB with

GRUB_CMDLINE_LINUX_DEFAULT="lsm=landlock,lockdown,yama,integrity,apparmor,bpf quiet apparmor=1 security=apparmor resume=UUID=ff53c8ac-5386-4abf-9a73-0f85924072ba udev.log_priority=3"

Is that sequence correct or does the sequence matter at all?

However, Firefox and Flatpak are still causing the error mentioned in my first post, so I had to exclude both from AppArmor.

This error can easily be reproduced on a fresh installation in a VM (activate AppArmor and include all profiles by sudo aa-enforce /etc/apparmor.d/* or at least the Firefox and Flatpak profile).

I wonder why it wasn’t mentioned in the forum yet.
Am I really the only one who stumbled upon that bug?

Masalababa · 23 May 2025 21:42

The profiles of Firefox, Flatpak and Mullvad VPN are still buggy and need to be disabled to run
$ sudo aa-enforce /etc/apparmor.d/*
successfully!

EDIT:
Tuxedo Control Center profile fails also !!

whatthe · 4 October 2025 11:55

Same here, chromium also fails

Also sudo aa-complain QtWebEngineProcess

Masalababa · 4 October 2025 16:42

Same here !!

When QtWebEngineProcess is included by

sudo aa-enforce /etc/apparmor.d/*

than ClipGrab does not start.

Firefox and Flatpak are still causing the error mentioned in my first post, so I had to exclude both from AppArmor as well and again.

I wonder why those AppArmor profiles are buggy for such a long time ??

soundofthunder · 19 November 2025 09:37

Abandoned topic (30+ days)