Does anything besides snapd use apparmor for anything at all in Manjaro?
I mean I removed snapd like 2 years ago… but apparmor has been lingering still in the system. Can I remove it without making something less secure?
snapd is the only thing I have installed on my system that depends on apparmor, but it looks like it might be used for some things that don’t hard depend on it.
If you look in /etc/apparmor.d/ you can see all of the rules that apparmor is applying. There’s quite a few things in there, and of note, it seems that samba (Windows compatible file sharing protocol) uses apparmor.
So the answer is probably not! Or at least, have a look in the config directory and see if anything is in there that you care about.
apparently not really
l /etc/apparmor.d
.rw-r--r-- 1094 root 2 juuli 17:31 mariadbd_akonadi
.rw-r--r-- 1080 root 2 juuli 17:31 mysqld_akonadi
.rw-r--r-- 1424 root 2 juuli 17:31 postgresql_akonadi
.rw-r--r-- 3152 root 2 juuli 17:31 usr.bin.akonadiserver
don’t have mariadb or mysql or postgresql installed.
no bloody idea what this “akonadi” is about though…
EDIT:
… iiinteresting. Those 4 profiles were everything my apparmor install HAD since apparmor was first installed into my system by Manjaro default. Then now I removed apparmor with all the configs (pacman -Rnc apparmor) and re-installed it… and now the situation is drastically different.
l /etc/apparmor.d/
drwxr-xr-x - root 28 juuli 16:14 abi
drwxr-xr-x - root 28 juuli 16:14 abstractions
drwxr-xr-x - root 28 juuli 16:14 apache2.d
drwxr-xr-x - root 4 apr 11:55 disable
drwxr-xr-x - root 28 juuli 16:14 local
drwxr-xr-x - root 28 juuli 16:14 tunables
.rw-r--r-- 862 root 4 apr 11:55 bin.ping
.rw-r--r-- 1379 root 4 apr 11:55 lsb_release
.rw-r--r-- 1094 root 2 juuli 17:31 mariadbd_akonadi
.rw-r--r-- 1080 root 2 juuli 17:31 mysqld_akonadi
.rw-r--r-- 1212 root 4 apr 11:55 nvidia_modprobe
.rw-r--r-- 1704 root 4 apr 11:55 php-fpm
.rw-r--r-- 1424 root 2 juuli 17:31 postgresql_akonadi
.rw-r--r-- 610 root 4 apr 11:55 samba-bgqd
.rw-r--r-- 1048 root 4 apr 11:55 samba-dcerpcd
.rw-r--r-- 800 root 4 apr 11:55 samba-rpcd
.rw-r--r-- 738 root 4 apr 11:55 samba-rpcd-classic
.rw-r--r-- 950 root 4 apr 11:55 samba-rpcd-spoolss
.rw-r--r-- 1000 root 4 apr 11:55 sbin.klogd
.rw-r--r-- 2059 root 4 apr 11:55 sbin.syslog-ng
.rw-r--r-- 1476 root 4 apr 11:55 sbin.syslogd
.rw-r--r-- 3152 root 2 juuli 17:31 usr.bin.akonadiserver
.rw-r--r-- 2122 root 4 apr 11:55 usr.lib.apache2.mpm-prefork.apache2
.rw-r--r-- 892 root 4 apr 11:55 usr.lib.dovecot.anvil
.rw-r--r-- 1623 root 4 apr 11:55 usr.lib.dovecot.auth
.rw-r--r-- 1003 root 4 apr 11:55 usr.lib.dovecot.config
.rw-r--r-- 1182 root 4 apr 11:55 usr.lib.dovecot.deliver
.rw-r--r-- 968 root 4 apr 11:55 usr.lib.dovecot.dict
.rw-r--r-- 854 root 4 apr 11:55 usr.lib.dovecot.director
.rw-r--r-- 756 root 4 apr 11:55 usr.lib.dovecot.doveadm-server
.rw-r--r-- 1089 root 4 apr 11:55 usr.lib.dovecot.dovecot-auth
.rw-r--r-- 2868 root 4 apr 11:55 usr.lib.dovecot.dovecot-lda
.rw-r--r-- 1286 root 4 apr 11:55 usr.lib.dovecot.imap
.rw-r--r-- 1060 root 4 apr 11:55 usr.lib.dovecot.imap-login
.rw-r--r-- 1231 root 4 apr 11:55 usr.lib.dovecot.lmtp
.rw-r--r-- 740 root 4 apr 11:55 usr.lib.dovecot.log
.rw-r--r-- 992 root 4 apr 11:55 usr.lib.dovecot.managesieve
.rw-r--r-- 1172 root 4 apr 11:55 usr.lib.dovecot.managesieve-login
.rw-r--r-- 951 root 4 apr 11:55 usr.lib.dovecot.pop3
.rw-r--r-- 1060 root 4 apr 11:55 usr.lib.dovecot.pop3-login
.rw-r--r-- 1178 root 4 apr 11:55 usr.lib.dovecot.replicator
.rw-r--r-- 1106 root 4 apr 11:55 usr.lib.dovecot.script-login
.rw-r--r-- 899 root 4 apr 11:55 usr.lib.dovecot.ssl-params
.rw-r--r-- 854 root 4 apr 11:55 usr.lib.dovecot.stats
.rw-r--r-- 3043 root 4 apr 11:55 usr.sbin.apache2
.rw-r--r-- 1038 root 4 apr 11:55 usr.sbin.avahi-daemon
.rw-r--r-- 4334 root 4 apr 11:55 usr.sbin.dnsmasq
.rw-r--r-- 2596 root 4 apr 11:55 usr.sbin.dovecot
.rw-r--r-- 1054 root 4 apr 11:55 usr.sbin.identd
.rw-r--r-- 984 root 4 apr 11:55 usr.sbin.mdnsd
.rw-r--r-- 970 root 4 apr 11:55 usr.sbin.nmbd
.rw-r--r-- 1563 root 4 apr 11:55 usr.sbin.nscd
.rw-r--r-- 2216 root 4 apr 11:55 usr.sbin.ntpd
.rw-r--r-- 2156 root 4 apr 11:55 usr.sbin.smbd
.rw-r--r-- 947 root 4 apr 11:55 usr.sbin.smbldap-useradd
.rw-r--r-- 1074 root 4 apr 11:55 usr.sbin.traceroute
.rw-r--r-- 1220 root 4 apr 11:55 usr.sbin.winbindd
.rw-r--r-- 1418 root 4 apr 11:55 zgrep
It’s like upgrading/updating apparmor doesn’t update its default profiles at all by itself. What a bummer.
Akonadi looks to be the KDE user data framework, which may explain why it’s linked to a bunch of potential database backends.
pacman -Ql apparmor
It is a system hardening framework like SELinux.
It could be used to harden stuff… but one has to install profiles and tweak it. In its default state, as far as I remember, it had only a profile for firefox from the programs I have installed, and this is not my default browser, so… I decided to cut about a second of my boot time and remove it.
So … by default out of the box, it doesn’t do almost anything (because I am not using anything that it has profiles for), but if you are security minded and have time and will to put in some work, it could potentially be used to … “bottle” apps? good to know.
Not in my system. And I am using firefox as main… so where could I get the profile for it?
apparmor module is loaded.
64 profiles are loaded.
64 profiles are in enforce mode.
/usr/bin/akonadiserver
/usr/lib/apache2/mpm-prefork/apache2
/usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
/usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
/usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
apache2
apache2//DEFAULT_URI
apache2//HANDLING_UNTRUSTED_INPUT
apache2//phpsysinfo
avahi-daemon
dnsmasq
dnsmasq//libvirt_leaseshelper
dovecot
dovecot-anvil
dovecot-auth
dovecot-config
dovecot-deliver
dovecot-dict
dovecot-director
dovecot-doveadm-server
dovecot-dovecot-auth
dovecot-dovecot-lda
dovecot-dovecot-lda//sendmail
dovecot-imap
dovecot-imap-login
dovecot-lmtp
dovecot-log
dovecot-managesieve
dovecot-managesieve-login
dovecot-pop3
dovecot-pop3-login
dovecot-replicator
dovecot-script-login
dovecot-ssl-params
dovecot-stats
identd
klogd
lsb_release
mariadbd_akonadi
mdnsd
mysqld_akonadi
nmbd
nscd
ntpd
nvidia_modprobe
nvidia_modprobe//kmod
php-fpm
ping
postgresql_akonadi
samba-bgqd
samba-dcerpcd
samba-rpcd
samba-rpcd-classic
samba-rpcd-spoolss
smbd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
syslog-ng
syslogd
traceroute
winbindd
zgrep
zgrep//helper
zgrep//sed
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
2 processes have profiles defined.
2 processes are in enforce mode.
/usr/bin/avahi-daemon (1143) avahi-daemon
/usr/bin/avahi-daemon (1153) avahi-daemon
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
So basically in my system only avahi-daemon is confined. And when I use ping or zgrep or traceroute (but not mtr… which I always use instead of traceroute) … or dnsmasq (but not pihole-FTL which replaces it). ookey. I guess it can stay, just in case I use ping or zgrep
…now that firefox and maybe brave profile could be useful also… just in case.
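An added example, not code from this thread or from Manjaro's or AppArmor's own tooling, that automates the two checks the replies above rely on: looking at what is in /etc/apparmor.d and seeing which running processes are actually confined (what aa-status printed above). For each top-level profile file it reads the attachment path from the profile header and reports whether that executable exists on the host, then reads /proc/<pid>/attr/current for every process. The profile-directory layout and the two header forms are assumptions based on the listing above; the sample directory, the path /opt/constructed/absent-daemon and the --run flag are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the forum thread: a small audit that answers
# "is AppArmor actually doing anything here?" by (1) checking which profile
# files in a profile directory attach to an executable that exists on this
# host and (2) listing running processes that carry an AppArmor label.
# Assumptions: profile headers use one of the usual forms
#     /usr/bin/ping flags=(...) {
#     profile name /usr/bin/ping {
# and the first token beginning with "/" in that header is the attachment.
# Paths with AppArmor alternation or globs ({a,b}, *, ?, [..]) are reported
# as "glob" instead of being tested literally.

# Print the attachment path declared in one profile file (nothing if none).
profile_attachment() {
    awk '
        /^[[:space:]]*#/ { next }                                 # comments, #include
        /^[[:space:]]*(abi|include)[[:space:]<]/ { next }         # abi <abi/3.0>, include <...>
        /[{][[:space:]]*$/ {                                      # header line ends with "{"
            for (i = 1; i <= NF; i++)
                if ($i ~ /^\//) { print $i; exit }
            exit
        }
    ' "$1"
}

# For each top-level profile file in DIR print: status, file name, attached path.
# Status: present (executable exists), absent (it does not), glob (untestable).
audit_profiles() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue               # skip abstractions/, tunables/, local/ ...
        path=$(profile_attachment "$f")
        [ -n "$path" ] || continue            # named profile with no attachment
        case $path in
            *'{'*|*'*'*|*'?'*|*'['*) status=glob ;;
            *) if [ -e "$path" ]; then status=present; else status=absent; fi ;;
        esac
        printf '%s\t%s\t%s\n' "$status" "${f##*/}" "$path"
    done
}

# Number of profiles whose attached executable is present on this host.
count_present() {
    audit_profiles "$1" | awk -F'\t' '$1 == "present" { n++ } END { print n + 0 }'
}

# Running processes whose label is anything other than "unconfined", printed as
# pid, comm, label. Without AppArmor the attr file is missing or reads
# "unconfined", so the list is empty (on SELinux hosts it holds SELinux contexts).
confined_processes() {
    for p in /proc/[0-9]*; do
        label=$(cat "$p/attr/current" 2>/dev/null) || continue
        case $label in
            ''|unconfined*) continue ;;
        esac
        printf '%s\t%s\t%s\n' "${p#/proc/}" "$(cat "$p/comm" 2>/dev/null)" "$label"
    done
}

# Constructed sample profile directory so the audit can be tried offline.
# /bin/sh exists on every host; /opt/constructed/absent-daemon is a made-up path.
make_sample_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/abstractions" "$d/local"
    printf '%s\n' '#include <tunables/global>' '/bin/sh {' \
        '  #include <abstractions/base>' '}' > "$d/bin.sh"
    printf '%s\n' 'abi <abi/3.0>,' \
        'profile absent-daemon /opt/constructed/absent-daemon flags=(complain) {' \
        '}' > "$d/absent-daemon"
    printf '%s\n' '/usr/{bin,sbin}/ping flags=(attach_disconnected) {' '}' > "$d/bin.ping"
    printf '%s\n' 'profile noattach {' '}' > "$d/noattach"
    printf '%s\n' '# not a profile, must be skipped' > "$d/abstractions/base"
    printf '%s' "$d"
}

# Usage: sh apparmor_audit.sh --run [profile-dir]   (default /etc/apparmor.d)
main() {
    dir=${1:-/etc/apparmor.d}
    if [ ! -d "$dir" ]; then
        echo "no $dir on this host, using a constructed sample directory" >&2
        dir=$(make_sample_dir)
    fi
    echo "status / profile file / attached executable in $dir:"
    audit_profiles "$dir"
    echo "profiles with a present executable: $(count_present "$dir")"
    echo "processes carrying an AppArmor label (pid / comm / label):"
    confined_processes
}

if [ "${1:-}" = "--run" ]; then
    main "${2:-}"
fi
```

Run it as `sh apparmor_audit.sh --run` on the real host; without `--run` the functions can be sourced from another script. A profile whose attached executable is absent (the dovecot and apache2 set in the listing above, on a desktop without those daemons) is still loaded into the kernel but never attaches to anything, which is why the aa-status output above counts 64 loaded profiles yet only 2 confined processes. The `glob` status flags profiles whose attachment uses alternation, which this simple check cannot test literally.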
One of the many reasons I refuse to use RHEL or any of the derivatives in my life anymore. Horrorshow. Somehow this apparmor has managed to stay out of my way for years now
I have actually been thinking of using RedHat - I have been testing RHEL9, never for longer than it took to reinstall Manjaro - but it has always stayed as a thought …
According to Arch Wiki AppArmor is more friendly than SELinux.
The other main issue with RHEL (for me) and by extension their current owner IBM is … politics. Really sad. Their racist hiring practices against white people; How they killed CentOS; How they are trying to hide their source code behind subscription, etc etc. It’s just … evil. And all the countless evils IBM has committed or tried to commit.
This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.