6.4. Troubleshooting

The following section lists the most common problems and error messages that may occur when using Novell AppArmor.

SUSE Linux is installed, but AppArmor does not appear in the YaST menu

AppArmor is installed by default if either the GNOME or KDE desktop is chosen during installation. If you choose Minimal Graphical System or Text Mode, AppArmor is not included by default. In these cases, use YaST to install the missing packages.

Odd application behavior

If you notice odd application behavior or any other type of application problem, first check the reject messages in the log files to see whether AppArmor is confining your application too tightly. To check reject messages, start YaST, open Novell AppArmor, and go to AppArmor Reports. Select View Archive and App Aud for the application audit report. You can filter by date and time to narrow the report down to the periods when the unexpected application behavior occurred.

Issues with Apache

Apache is not starting properly or is not serving Web pages, and you have just installed a new module or made a configuration change. When you install additional Apache modules (like mod-apparmor) or make configuration changes to Apache, profile Apache again to catch any additional rules that need to be added to the profile.

Reports are not being sent by e-mail

When the reporting feature generates an HTML or CSV file that exceeds the default size, the file is not sent. Mail servers have a default, hard limit for e-mail size. This limitation can impede AppArmor's ability to send e-mails that are generated for reporting purposes. If your mail is not arriving, this could be why. Consider the mail size limits and check the archives if e-mails have not been received.

Excluding certain profiles from the list of profiles used

AppArmor always loads and applies all profiles that are available in its profile directory (/etc/apparmor.d/). If you decide not to apply a profile to a certain application, delete the appropriate profile or move it to another location where AppArmor would not check for it.

AppArmor operation can generate various errors. Here is a list of possible errors and how to resolve them.

Can’t find apparmor_parser

If you run logprof as a non-root user, such as tux, you are likely to see this error:

tux@localhost:~> /usr/sbin/logprof
Can't find apparmor_parser.

You should run logprof only as root.

/usr/sbin/genprof must be run as root

Running genprof as a non-root user produces a similar result:

tux@localhost:~> /usr/sbin/genprof
/usr/sbin/genprof must be run as root.

Unloading AppArmor profiles..failed

You must run the apparmor start and apparmor stop scripts as root. Running them as a non-root user produces this result:

tux@localhost:~> /etc/init.d/apparmor stop
/sbin/apparmor_parser: Sorry. You need root priveleges to run this program.
Unloading AppArmor profiles..failed

AppArmor parser error

Manually editing Novell AppArmor profiles can introduce syntax errors. If you attempt to start or restart AppArmor with syntax errors in your profiles, the parser reports them and the affected profile is not loaded. The following example shows a complete parser error message.

localhost:~ # /etc/init.d/apparmor start
Loading AppArmor profiles
AppArmor parser error, line 2: Found unexpected character: 'h'
Profile /etc/apparmor.d/usr.sbin.squid failed to load
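
As an added example (not part of the original documentation or of AppArmor's own tools), the following shell functions read init-script output in the format shown above and map each parser error to the profile and line it refers to, printing the offending source line. The function names, the optional directory prefix, and the sample profile content are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not AppArmor's own tooling). Function names are hypothetical;
# the message format is assumed to match the init-script output shown above.

# Read init-script output on stdin; print "profile:line:message" per failure.
parse_apparmor_errors() {
    awk '
        /^AppArmor parser error, line [0-9]+:/ {
            line = $5; sub(/:$/, "", line)          # "2:" -> "2"
            msg = $0; sub(/^AppArmor parser error, line [0-9]+: */, "", msg)
            pending = 1; next
        }
        /^Profile .* failed to load$/ {             # names the failing file
            path = $0
            sub(/^Profile /, "", path); sub(/ failed to load$/, "", path)
            if (pending) print path ":" line ":" msg
            else         print path ":?:no parser error reported"
            pending = 0
        }'
}

# Same input; also print the offending source line. $1 is an optional
# directory prefix so the demo can read a constructed copy of the profile.
show_offending_lines() {
    root=${1:-}
    parse_apparmor_errors | while IFS=: read -r path line msg; do
        printf '%s:%s: %s\n' "$path" "$line" "$msg"
        if [ "$line" != "?" ] && [ -r "$root$path" ]; then
            printf '    > %s\n' "$(sed -n "${line}p" "$root$path")"
        fi
    done
}

# Init-script output from the example above.
SAMPLE_OUTPUT="Loading AppArmor profiles
AppArmor parser error, line 2: Found unexpected character: 'h'
Profile /etc/apparmor.d/usr.sbin.squid failed to load"

# Constructed profile fragment with a stray character on line 2.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/apparmor.d"
printf '%s\n' '/usr/sbin/squid {' '  h#include <abstractions/base>' '}' \
    > "$demo_root/etc/apparmor.d/usr.sbin.squid"
printf '%s\n' "$SAMPLE_OUTPUT" | show_offending_lines "$demo_root"
rm -rf "$demo_root"
```

On a live system, run it as root and pipe the real output in, for example by redirecting the output of /etc/init.d/apparmor start into show_offending_lines with no prefix argument.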