Understanding AppArmor (Ubuntu Default)
AppArmor vs SELinux:
-
AppArmor: Path-based mandatory access control
-
Enabled by default on Ubuntu
-
Available but not default on Debian
-
Simpler than SELinux for most use cases
Check AppArmor status:
sudo aa-status
# Check if AppArmor is enabled
sudo systemctl status apparmor
AppArmor Profiles for NVMe-TCP
Check for denials:
# View AppArmor messages in syslog
sudo dmesg | grep -i apparmor
sudo journalctl | grep -i apparmor
# Check audit log
sudo grep -i apparmor /var/log/syslog
AppArmor and NVMe-TCP:
Note: NVMe-TCP uses native NVMe multipathing, NOT dm-multipath (multipathd). There is no multipathd service for NVMe-TCP, so you don't need to create AppArmor profiles for it.
If you have custom applications accessing NVMe devices:
# Install AppArmor utilities
sudo apt install -y apparmor-utils
# Check if any AppArmor denials related to NVMe
sudo dmesg | grep -i apparmor | grep nvme
# If you have custom scripts accessing NVMe devices,
# you may need to add these permissions to their profiles:
# /dev/nvme* rw,
# /sys/class/nvme/** r,
# /sys/devices/**/nvme*/** r,
AppArmor Best Practices
-
Use complain mode for testing:
# Test NVMe connections sudo nvme connect -t tcp -a <portal_ip> -s 4420 -n <nqn> # Check for any AppArmor denials sudo dmesg | grep -i apparmor -
Never disable AppArmor in production (Ubuntu):
-
Use complain mode for troubleshooting.
-
Create proper profiles for custom applications.
-
Document custom profiles.
-
-
Monitor for denials:
# Real-time monitoring sudo tail -f /var/log/syslog | grep -i apparmor