Enabling AppArmor on a Linode VPS in enforcement mode

By admin
Enabling AppArmor on a Debian Linode VPS is not entirely straightforward. Here’s what I had to do in order to make it work.

Packages to install

The easy bit was to install a few packages:

apt install grub2 apparmor-profiles-extra apparmor-profiles apparmor

and then add apparmor=1 security=apparmor to the kernel command line (GRUB_CMDLINE_LINUX) in /etc/default/grub.

Move away from using Linode’s kernels

As mentioned in this blog post, I found out that these parameters are ignored by the Linode kernels.

I had to log in to the Linode Manager (i.e. https://cloud.linode.com/linodes/<linode ID>/configurations), click the relevant node, click "Edit" next to the configuration profile, and change the kernel to "GRUB 2".

Fix grub

Next I found out that grub doesn’t actually install itself properly because it can’t be installed directly on the virtual drives provided by Linode (KVM). Manually running this hack worked for me:

grub-install --grub-setup=/bin/true /dev/null
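Because the Linode kernels silently ignore the parameters, it is worth confirming after the reboot that AppArmor is really on. The script below is an added example, not part of the original post; the function names and the check.sh file name are hypothetical, and it assumes the standard kernel interfaces /proc/cmdline, /sys/module/apparmor/parameters/enabled and /sys/kernel/security/apparmor/profiles.

```shell
#!/bin/sh
# Added example (not from the original post): confirm AppArmor is really active
# after rebooting into the GRUB 2 kernel. File paths are parameters so each
# check can also be run against constructed sample files.

# Succeeds only if the booted command line carries both parameters from the post.
cmdline_has_apparmor() {
    cmdline_file=${1:-/proc/cmdline}
    has_enable=0
    has_lsm=0
    for word in $(cat "$cmdline_file"); do
        case $word in
            apparmor=1) has_enable=1 ;;
            security=apparmor) has_lsm=1 ;;
        esac
    done
    [ "$has_enable" -eq 1 ] && [ "$has_lsm" -eq 1 ]
}

# Succeeds if the kernel module reports AppArmor as enabled ("Y").
apparmor_enabled() {
    [ "$(cat "${1:-/sys/module/apparmor/parameters/enabled}" 2>/dev/null)" = "Y" ]
}

# Prints how many loaded profiles are in the given mode (enforce or complain).
count_profiles() {
    mode=$1
    profiles_file=${2:-/sys/kernel/security/apparmor/profiles}
    [ -r "$profiles_file" ] || { echo 0; return 0; }
    grep -c " ($mode)\$" "$profiles_file" || true
}

# Runs all three checks; prints the first failure, or a summary on success.
apparmor_report() {
    cmdline_has_apparmor "$1" || { echo "FAIL: kernel command line lacks apparmor=1 security=apparmor"; return 1; }
    apparmor_enabled "$2" || { echo "FAIL: AppArmor module is not enabled"; return 1; }
    enforced=$(count_profiles enforce "$3")
    [ "$enforced" -gt 0 ] || { echo "FAIL: no profile is in enforce mode"; return 1; }
    echo "OK: $enforced enforcing, $(count_profiles complain "$3") complaining"
}

# On the VPS, run as root (the profiles file is root-only): sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    apparmor_report
fi
```

A failure on the first check while still on a Linode-supplied kernel matches the behaviour described above: the GRUB_CMDLINE_LINUX setting never reaches the booted kernel.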

Unbound + Let’s Encrypt fix

Finally, my local Unbound installation stopped working because it couldn’t access the Let’s Encrypt certificates anymore.

The solution to this was pretty straightforward. All I needed to do was to add the following to /etc/apparmor.d/local/usr.sbin.unbound :