apparmor.d/docs/install.md

---
title: Installation
---

!!! warning

    To prevent the risk of breaking your system, the default package configuration installs all profiles in complain mode. They can be enforced later. See the [Enforce Mode](enforce.md) page.

    After installation, you **must** regularly check AppArmor log with [`aa-log`](usage.md#apparmor-log). You can also configure [a desktop notification on denied actions](https://wiki.archlinux.org/title/AppArmor#Get_desktop_notification_on_DENIED_actions).

!!! danger

    Do **not** expect this project to work correctly if your Desktop Environment and Display Manager are not supported. Your Desktop Environment or Display Manager might not load, and that would be a feature.

## Requirements

**AppArmor**

An `AppArmor` supported Linux distribution is required. The default profiles and abstractions shipped with AppArmor must be installed.

**Desktop environment**

The following desktop environments are supported:

  - [x] :material-gnome: Gnome
  - [x] :simple-kde: KDE
  - [ ] :simple-xfce: XFCE *(work in progress)*

**Build dependency**

* Go >= 1.18

## :material-arch: Arch Linux

`apparmor.d-git` is available in the [Arch User Repository][aur]:
```
yay -S apparmor.d-git  # or your preferred AUR install method
```

Or without an AUR helper:
```sh
git clone https://aur.archlinux.org/apparmor.d-git.git
cd apparmor.d-git
makepkg -si
```


## :material-ubuntu: Ubuntu & :material-debian: Debian

Build the package from sources:
```sh
sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync git
git clone https://github.com/roddhjav/apparmor.d.git
cd apparmor.d
dpkg-buildpackage -b -d --no-sign
sudo dpkg -i ../apparmor.d_*.deb
```

!!! tip

    If you have `devscripts` installed, you can use the one liner:
    ```sh
    make dpkg
    ```

!!! note

    Debian user may need golang from the backports repository to build:
    ```sh
    echo 'deb http://deb.debian.org/debian bookworm-backports main contrib non-free' | sudo tee -a /etc/apt/sources.list
    sudo apt update
    sudo apt install -t bookworm-backports golang-go
    ```

!!! warning

    **Beware**: do not install a `.deb` made for Debian on Ubuntu, the packages are different.

    If your distribution is based on Ubuntu or Debian, you may want to manually set the target distribution by exporting `DISTRIBUTION=debian` if is Debian based, or `DISTRIBUTION=ubuntu` if it is Ubuntu based.

## :simple-suse: openSUSE

openSUSE users need to add [cboltz](https://en.opensuse.org/User:Cboltz) repo on OBS
```sh
zypper addrepo https://download.opensuse.org/repositories/home:cboltz/openSUSE_Factory/home:cboltz.repo
zypper refresh
zypper install apparmor.d
```


## Partial install

For test purposes, you can install specific profiles with the following commands. Abstractions, tunable, and most of the OS dependent post-processing is managed.

```sh
make
sudo make profile-names...
```

!!! warning

    Partial installation is discouraged because profile dependencies are not fetched. To prevent some AppArmor issues, the dependencies are automatically switched to unconfined (`rPx` -> `rPUx`). The installation process warns on the missing profiles so that you can easily install them if desired. (PR is welcome see [#77](https://github.com/roddhjav/apparmor.d/issues/77))

    For instance, `sudo make pass` gives:
    ```sh
    Warning: profile dependencies fallback to unconfined.
    @{bin}/wl-{copy,paste} rPx,
    @{bin}/xclip           rPx,
    @{bin}/python3.@{int} rPx -> pass-import,  # pass-import
        @{bin}/pager         rPx -> child-pager,
        @{bin}/less          rPx -> child-pager,
        @{bin}/more          rPx -> child-pager,
    '.build/apparmor.d/pass' -> '/etc/apparmor.d/pass'
    ```
    So, you can install the additional profiles `wl-copy`, `xclip`, `pass-import`, and `child-pager` if desired.


## Uninstall

- :material-arch: Arch Linux `sudo pacman -R apparmor.d`
- :material-ubuntu: Ubuntu & :material-debian: Debian `sudo apt purge apparmor.d`
- :simple-suse: openSUSE `sudo zypper remove apparmor.d`

[aur]: https://aur.archlinux.org/packages/apparmor.d-git
[repo]: https://repo.pujol.io/
[keys]: https://repo.pujol.io/gpgkey