Enable AppArmor Log

AppArmor usually outputs messages when it is interacting with an application and when there are AppArmor denied messages. When a profile is in complain mode and an application tries to access denied resources, a message is logged via the Linux Auditing System. The Linux Auditing System is disabled in the StarlingX kernel by default. To enable it, refer to Enable Auditd in the Kernel.

Note

Enabling Auditd in the kernel is necessary for AppArmor logging. Users do NOT need to install the Auditd system application.

Once enabled, the logged messages can be seen in /var/log/kern.log:

2023-02-01T01:48:45.412 controller-0 kernel: notice [ 4028.407687] audit: type=1400 audit(1675216125.410:3110): apparmor="ALLOWED" operation="open" profile="test-profile" name="/proc/1/attr/current" pid=331323 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

If the auditd system application is installed as described in Start Auditd System Application, the messages are logged to /var/log/audit/audit.log instead.
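The following is an added example, not part of the StarlingX documentation: a small parser that extracts the AppArmor fields from kern.log lines in the format shown above and counts events per profile, verdict and resource, which helps when reviewing what a complain-mode profile is flagging. The function names and the second resource path are assumptions, and the sample lines are constructed from the one on this page.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample input in the kern.log format shown above (not real system output).
_PREFIX = "controller-0 kernel: notice [ 4028.407687] audit: type=1400 "
SAMPLE_LOG = "\n".join([
    "2023-02-01T01:48:45.412 " + _PREFIX + 'audit(1675216125.410:3110): apparmor="ALLOWED" '
    'operation="open" profile="test-profile" name="/proc/1/attr/current" pid=331323 '
    'comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    "2023-02-01T01:48:46.020 " + _PREFIX + 'audit(1675216126.018:3111): apparmor="ALLOWED" '
    'operation="open" profile="test-profile" name="/proc/1/attr/current" pid=331324 '
    'comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    "2023-02-01T01:48:47.100 " + _PREFIX + 'audit(1675216127.098:3112): apparmor="DENIED" '
    'operation="open" profile="test-profile" name="/var/lib/example/data" pid=331400 '
    'comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    "2023-02-01T01:48:50.000 controller-0 kernel: info [ 4033.000000] constructed non-audit line",
])

# audit(<epoch seconds>.<millis>:<serial>): followed by key=value pairs
AUDIT_RE = re.compile(r'audit\((?P<sec>\d+)\.\d+:(?P<serial>\d+)\):\s*(?P<payload>.*)')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # value is quoted or a bare token

def parse_apparmor_line(line):
    """Return the AppArmor fields of one log line as a dict, or None if it is not one."""
    m = AUDIT_RE.search(line)
    if m is None:
        return None
    fields = {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(m.group("payload"))}
    if "apparmor" not in fields:  # an audit record, but not from AppArmor
        return None
    fields["time"] = datetime.fromtimestamp(int(m.group("sec")), tz=timezone.utc)
    fields["serial"] = int(m.group("serial"))
    return fields

def summarize(text):
    """Count events by (profile, verdict, operation, resource name, denied_mask)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_apparmor_line(line)
        if rec:
            counts[(rec.get("profile"), rec["apparmor"], rec.get("operation"),
                    rec.get("name"), rec.get("denied_mask"))] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

To run it against a live system, pass the contents of /var/log/kern.log to `summarize()` in place of `SAMPLE_LOG`.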