How to debug AppArmor
Overview
This documentation describes how to debug AppArmor with respect to Atlassian Applications. AppArmor is a Linux kernel security module that may prevent Atlassian Applications from starting if not properly configured.
AppArmor is commonly enabled by default on Ubuntu, openSUSE and SUSE Linux distributions.
How to check if AppArmor may be affecting an Atlassian Application
1. Check if AppArmor is enabled by running
aa-status
2. Run
grep audit /var/log/kern.log | grep DENIED
3. Examine the output of the command. For example, if you have changed the configuration of mysql you may see a mysql profile violation in the output similar to the following:
Jul 14 14:32:11 hostname kernel: [ 1234 ] type=1400 audit(1234.000:000): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/mysqld" name="/some/new/path" pid=1234 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=115 ouid=0
Note the "profile=" section tells you which AppArmor profile generated the message. In this case the administrator has configured mysql to store data in /some/new/path and has not updated the mysqld AppArmor profile to allow it to read from /some/new/path. In this particular case the administrator can resolve this issue by adding the following to /etc/apparmor.d/local/usr.sbin.mysqld
/some/new/path r,
/some/new/path/** rwk,
and then run the following (the apparmor-utils package provides the aa-enforce and aa-complain commands):
sudo apt-get install apparmor-utils
sudo aa-enforce /etc/apparmor.d/usr.sbin.mysqld
Profiles can also be put into complain mode by invoking
sudo aa-complain /path/to/profile
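The denial lines from step 3 can be summarised per profile and path before editing a local override file. The following is an added example, not part of the original Atlassian documentation; the log lines are constructed in the format shown above, and the function names and the override-file naming helper are assumptions based on the mysqld example on this page.

```python
import re
from collections import defaultdict

# Constructed sample in the kern.log format shown above (not real log data).
SAMPLE_LOG = """\
Jul 14 14:32:11 hostname kernel: [ 1234 ] type=1400 audit(1234.000:000): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/mysqld" name="/some/new/path" pid=1234 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=115 ouid=0
Jul 14 14:32:12 hostname kernel: [ 1235 ] type=1400 audit(1235.000:001): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/mysqld" name="/some/new/path/ibdata1" pid=1234 comm="mysqld" requested_mask="rw" denied_mask="rw" fsuid=115 ouid=115
Jul 14 14:32:13 hostname kernel: [ 1236 ] type=1400 audit(1236.000:002): apparmor="DENIED" operation="file_lock" parent=1 profile="/usr/sbin/mysqld" name="/some/new/path/ibdata1" pid=1234 comm="mysqld" requested_mask="k" denied_mask="k" fsuid=115 ouid=115
Jul 14 14:32:14 hostname kernel: [ 1237 ] type=1400 audit(1237.000:003): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/mysqld" name="/etc/hosts" pid=1234 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=115 ouid=0
"""

# Matches key="quoted value" or key=bare_value pairs in an audit record.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the audit fields as a dict, or None unless apparmor="DENIED"."""
    if "audit" not in line:
        return None
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in FIELD_RE.finditer(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def summarize_denials(log_text):
    """Group denials as {profile: {path: {"masks": str, "count": int}}}."""
    acc = defaultdict(lambda: defaultdict(lambda: {"masks": set(), "count": 0}))
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec is None or "profile" not in rec:
            continue
        entry = acc[rec["profile"]][rec.get("name", "-")]
        entry["masks"].update(rec.get("denied_mask", ""))  # one char per permission
        entry["count"] += 1
    return {p: {n: {"masks": "".join(sorted(e["masks"])), "count": e["count"]}
                for n, e in names.items()} for p, names in acc.items()}

def local_override_path(profile):
    # Assumption: the override file is named after the profile path with "/"
    # replaced by ".", as in /etc/apparmor.d/local/usr.sbin.mysqld on this page.
    return "/etc/apparmor.d/local/" + profile.strip("/").replace("/", ".")

if __name__ == "__main__":
    for profile, names in summarize_denials(SAMPLE_LOG).items():
        print(f"{profile} -> review {local_override_path(profile)}")
        for name, info in sorted(names.items()):
            print(f"  {name}  denied={info['masks']}  events={info['count']}")
```

Review each denied path and mask against what the application legitimately needs before adding a rule; the summary shows what was blocked, not what should be allowed.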
More information on debugging AppArmor can be found at https://wiki.ubuntu.com/DebuggingApparmor.