Most Apparmor profiles are in complain mode by default.

[IPlayZed]

Hi, according to the relevant parts of the documentation there should be around 1050 profiles in enforce mode.

However, when listing it via sudo aa-status, from the 1618 profiles, only 80 are set to be in enforce mode, 1538 are in complain mode and 122 processes are in complain mode.

Is this expected behaviour?

[IPlayZed]

I am also interested, if it is okay to manually set these complain profiles one-by-one into enforce mode?

[curiosityseeker]

https://apparmor.pujol.io/enforce/

[IPlayZed]

https://apparmor.pujol.io/enforce/

I do understand how to put them into enforce mode, but if this is expected, then the documentation is a bit misleading.

[roddhjav]

This is documented in the warning message of https://apparmor.pujol.io/install. The output of aa-status in the usage section is only an example of possible output and should not be taken literally.

You can use aa-enforce to enforce a specific profile.

I am planning on improving the install section to add more details about what can be done regarding profile in complain mode. To sum up, you can:

1. Install apparmor.d in the (default) complain mode
2. Reboot
3. Check for any apparmor logs raised, report any raised logs.
4. Use the profiles in complain mode for a while (a day, a week)
5. Regularly check for new apparmor logs.
6. Only if there is no logs raised for your daily usage, install in enforce mode.