Blog

AppArmor Logo This file is licensed under the Creative Commons Attribution-Share Alike 4.0 International license. Attribution: Noah Davis
AppArmor Logo This file is licensed under the Creative Commons Attribution-Share Alike 4.0 International license. Attribution: Noah Davis

Enabling AppArmor on Arch Linux

Enabling AppArmor on Arch Linux

This document describes the steps taken to enable AppArmor on an Arch Linux system by modifying the GRUB configuration. In the conclusion (below), my xsession-error removal approach is noted.

TL;DR – Firejail Can Silently Break AppArmor

Installing Firejail on Arch may silently prevent AppArmor from functioning.

If you’re testing AppArmor and your profiles aren’t being enforced, try removing Firejail entirely before troubleshooting further.

Why?  Firejail’s own sandboxing can interfere with AppArmor’s enforcement, often without logging any visible errors.

Fix:

  1. Remove Firejail: sudo pacman -R firejail
  2. Reboot and retest AppArmor with aa-status
  3. Confirm profiles load and enforce properly
  4. Optional: Reintroduce Firejail later, with caution
  5. Optional: Replace AUR/ pacman apps with flatpaks, use caution

Steps to Enable AppArmor

  1. Check Current GRUB Configuration: 
    cat /etc/default/grub

    Identify the line starting with GRUB_CMDLINE_LINUX_DEFAULT.

  2. Edit the GRUB Configuration: 
    sudo nano /etc/default/grub

    Modify the GRUB_CMDLINE_LINUX_DEFAULT line to include AppArmor parameters:

    GRUB_CMDLINE_LINUX_DEFAULT="nowatchdog nvme_load=YES rd.luks.uuid=1789a726-8a00-4985-bf32-3a45751d5219 rd.luks.uuid=4a3498f7-9c99-4979-9b41-1a720bae32e1 resume=/dev/mapper/luks-4a3498f7-9c99-4979-9b41-1a720bae32e1 apparmor=1 security=apparmor"
  3. Save and Exit:

    In nano, press CTRL + X, then Y, and then Enter to save the changes.

  4. Update GRUB: 
    sudo grub-mkconfig -o /boot/grub/grub.cfg
  5. Reboot the System: 
    sudo reboot
  6. Check AppArmor Status: 
    sudo aa-status

    Verify that AppArmor is now active and functioning correctly.

Conclusions

By following the above steps, AppArmor was successfully enabled on the Arch Linux system, allowing for enhanced security through mandatory access control. 

Longer term-use has indicated irreconcilable differences between firejail and AppArmor on my setup.  I have been unable to determine the root cause (after 24 hours of research and re-installations. The following actions seem to have removed xsession-errors; but not actually repaired the problem(s). I moved all my browsers from pacman/ AUR installs to flatpaks.  That transition has removed all the xsession-errors.

This content is free to use, adapt, and share.
Knowledge and information should be open—please spread them far and wide.

A few things to keep in mind:

  • All of my work comes with absolutely no warranty, expressed or implied. However…
  • It will almost certainly work until it breaks,
    though I must admit it may never work or be useful—and that would be sad.
  • If/when it breaks, you can keep all the pieces.
  • As for what you don’t like, it’s yours to do with as you will.
  • If you find my materials helpful, both you and I will be happy (at least for a while).
  • My advice is worth every penny you paid for it!

Full disclosure:
I use various AI systems to assist in developing my content.
If you’re curious about how I use them, feel free to check out:
The Revolutionary Impact of AI on Genealogy and Historical Research.