Enabling AppArmor on Arch Linux
This document describes the steps taken to enable AppArmor on an Arch Linux system by modifying the GRUB configuration. In the conclusion (below), my xsession-error removal approach is noted.
TL;DR – Firejail Can Silently Break AppArmor
Installing Firejail on Arch may silently prevent AppArmor from functioning.
If you’re testing AppArmor and your profiles aren’t being enforced, try removing Firejail entirely before troubleshooting further.
Why? Firejail’s own sandboxing can interfere with AppArmor’s enforcement, often without logging any visible errors.
Fix:
- Remove Firejail:
sudo pacman -R firejail
- Reboot and retest AppArmor with
aa-status
- Confirm profiles load and enforce properly
- Optional: Reintroduce Firejail later, with caution
- Optional: Replace AUR/ pacman apps with flatpaks, use caution
Steps to Enable AppArmor
- Check Current GRUB Configuration:
cat /etc/default/grub
Identify the line starting with GRUB_CMDLINE_LINUX_DEFAULT.
- Edit the GRUB Configuration:
sudo nano /etc/default/grub
Modify the GRUB_CMDLINE_LINUX_DEFAULT line to include AppArmor parameters:
GRUB_CMDLINE_LINUX_DEFAULT="nowatchdog nvme_load=YES rd.luks.uuid=1789a726-8a00-4985-bf32-3a45751d5219 rd.luks.uuid=4a3498f7-9c99-4979-9b41-1a720bae32e1 resume=/dev/mapper/luks-4a3498f7-9c99-4979-9b41-1a720bae32e1 apparmor=1 security=apparmor"
- Save and Exit:
In nano, press CTRL + X, then Y, and then Enter to save the changes.
- Update GRUB:
sudo grub-mkconfig -o /boot/grub/grub.cfg
- Reboot the System:
sudo reboot
- Check AppArmor Status:
sudo aa-status
Verify that AppArmor is now active and functioning correctly.
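The steps above can fail at three separate points: the parameters never made it into /etc/default/grub, grub.cfg was not regenerated so the kernel did not boot with them, or the kernel does not report AppArmor as active. The script below is an added example, not part of the original write-up, that checks each stage in turn. Its function names are hypothetical, and it assumes securityfs is mounted at /sys/kernel/security.

```shell
#!/bin/sh
# Added example: verify the AppArmor boot parameters at each stage of the
# procedure. Function names are illustrative, not from any existing tool.

REQUIRED="apparmor=1 security=apparmor"   # parameters used on this page

# has_param LINE PARAM: succeed if PARAM is a whole word in LINE.
has_param() {
    case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}

# grub_cmdline FILE: print the value of the last uncommented
# GRUB_CMDLINE_LINUX_DEFAULT assignment, without surrounding quotes.
grub_cmdline() {
    sed -n 's/^[[:space:]]*GRUB_CMDLINE_LINUX_DEFAULT=//p' "$1" |
        tail -n 1 | sed "s/^[\"']//; s/[\"'][[:space:]]*\$//"
}

# missing_params LINE: print the required parameters absent from LINE
# (empty output means both are present).
missing_params() {
    out=""
    for p in $REQUIRED; do
        has_param "$1" "$p" || out="$out $p"
    done
    echo "${out# }"
}

# apparmor_report [GRUB_FILE]: compare what is configured, what the running
# kernel was booted with, and what the kernel itself reports.
apparmor_report() {
    f="${1:-/etc/default/grub}"
    echo "configured ($f) missing: [$(missing_params "$(grub_cmdline "$f")")]"
    echo "booted (/proc/cmdline) missing: [$(missing_params "$(cat /proc/cmdline)")]"
    # Kernel-side state: "Y" when the AppArmor module is enabled.
    echo "kernel enabled: $(cat /sys/module/apparmor/parameters/enabled 2>/dev/null || echo unknown)"
    # Active LSM list; readable only when securityfs is mounted.
    echo "active LSMs: $(cat /sys/kernel/security/lsm 2>/dev/null || echo unknown)"
}

# Run the report only when asked, so the functions can be sourced and tested.
if [ "${1:-}" = "--report" ]; then apparmor_report "${2:-}"; fi
```

Run it with `--report` after the reboot. If "configured" is empty but "booted" still lists missing parameters, grub.cfg was not regenerated or a different boot entry was used.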
Conclusions
By following the above steps, AppArmor was successfully enabled on the Arch Linux system, allowing for enhanced security through mandatory access control.
Longer-term use has indicated irreconcilable differences between firejail and AppArmor on my setup. I have been unable to determine the root cause (after 24 hours of research and re-installations). The following actions seem to have removed xsession-errors, but not actually repaired the problem(s). I moved all my browsers from pacman/AUR installs to flatpaks. That transition has removed all the xsession-errors.
This content is free to use, adapt, and share.
Knowledge and information should be open—please spread them far and wide.
A few things to keep in mind:
- All of my work comes with absolutely no warranty, expressed or implied. However…
- It will almost certainly work until it breaks, though I must admit it may never work or be useful—and that would be sad.
- If/when it breaks, you can keep all the pieces.
- As for what you don’t like, it’s yours to do with as you will.
- If you find my materials helpful, both you and I will be happy (at least for a while).
- My advice is worth every penny you paid for it!
Full disclosure:
I use various AI systems to assist in developing my content.
If you’re curious about how I use them, feel free to check out:
The Revolutionary Impact of AI on Genealogy and Historical Research.