Inspect AppArmor Logs: Find Why An App Is Blocked

Quickly locate AppArmor DENIED messages and turn them into actionable profile fixes.

10.01.2026 | reading time: 2 min

An application fails silently because AppArmor blocked access; find the kernel messages that explain why and which profile was involved by checking the journal or kernel buffer.

Capture the DENIED line

Run a focused search for AppArmor kernel messages and read the DENIED fields to identify operation, profile and filename: ```sudo journalctl -k --since "1 hour ago" | grep -i apparmor Apr 12 10:34:56 host kernel: [1234.567890] apparmor="DENIED" operation="open" profile="/usr/bin/wget" name="/etc/shadow" pid=1234 comm="wget" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Apr 12 10:34:56 host kernel: [1234.567891] apparmor="STATUS" operation="profile_load" profile="/usr/bin/wget" pid=1 comm="apparmor_parser"```

Turn logs into profile changes

Let aa-logprof parse recent AppArmor messages and propose rule changes, accept safe suggestions and reload the profile: ```sudo aa-logprof Reading kernel log for AppArmor messages... [1] Allow read access to "/etc/hosts" for profile "/usr/bin/wget"? y Profile updated: /etc/apparmor.d/usr.bin.wget ``` then run `sudo systemctl reload apparmor` or `sudo apparmor_parser -r /etc/apparmor.d/usr.bin.wget` to apply the update.

Other angles to check

If journalctl shows nothing, check `dmesg` and /var/log/syslog or /var/log/kern.log and verify whether AppArmor audit logging or auditd is enabled; inspect profile state with `sudo aa-status` and switch modes with `sudo aa-complain <profile>` or `sudo aa-enforce <profile>` to troubleshoot behavior.

Related tools and workflows

Combine quick reads with `journalctl -k` and `dmesg`, use `aa-status` to see loaded profiles, `aa-logprof` to create rules from logs, and `apparmor_parser` to load or test modifications; keep changes small, test, and revert if needed.

Close, then learn more

Inspecting AppArmor logs turns opaque failures into concrete fixes: read the DENIED line, let aa-logprof propose rules, and reload profiles to restore functionality; deepen this skill for system hardening and consider exam-focused training at bitsandbytes.academy to prepare for CompTIA Linux+ or LPIC-1.

Join Bits & Bytes Academy First class LINUX exam preparation.

security troubleshooting utilities