Enabling AppArmor on a Linode VPS in enforcement mode

Created on November 12, 2023 at 11:04 am

Enabling AppArmor on a Debian Linode VPS is not entirely straightforward. Here’s what I had to do in order to make it work.

Packages to install

The easy bit was to install a few packages:

apt install grub2 apparmor-profiles-extra apparmor-profiles apparmor

and then adding apparmor=1 security=apparmor to the kernel command line (GRUB_CMDLINE_LINUX) in /etc/default/grub.

Move away from using Linode’s kernels

As mentioned in this blog post, I found out that these parameters are ignored by the Linode kernels.

I had to:

log in to the Linode Manager (i.e. https://cloud.linode.com/linodes/<linode ID>/configurations), click the relevant node, click "Edit" next to the configuration profile, and change the kernel to "GRUB 2".

Fix grub

Next I found out that grub doesn’t actually install itself properly because it can’t be installed directly on the virtual drives provided by Linode (KVM). Manually running this hack worked for me:

grub-install --grub-setup=/bin/true /dev/null
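
Because the Linode kernels ignore the parameters, it is worth confirming after the next boot that the running kernel actually received them and that AppArmor is enabled. The following check is an added example, not part of the original post; the function names are hypothetical, and it assumes the usual /proc/cmdline and /sys/module/apparmor/parameters/enabled locations.

```shell
#!/bin/sh
# Added example: check that the AppArmor boot parameters took effect.

# cmdline_has_apparmor CMDLINE
# Returns 0 when the command line string enables AppArmor with both
# apparmor=1 and security=apparmor. The last occurrence of each
# parameter is treated as the effective one.
cmdline_has_apparmor() {
    found_enable=1
    found_lsm=1
    for param in $1; do
        case "$param" in
            apparmor=1)        found_enable=0 ;;
            apparmor=*)        found_enable=1 ;;
            security=apparmor) found_lsm=0 ;;
            security=*)        found_lsm=1 ;;
        esac
    done
    [ "$found_enable" -eq 0 ] && [ "$found_lsm" -eq 0 ]
}

# apparmor_report [CMDLINE_FILE] [ENABLED_FILE]
# Prints one line per check and returns non-zero if either check fails.
# The optional file arguments exist so the check can run on saved copies.
apparmor_report() {
    cmdline_file=${1:-/proc/cmdline}
    enabled_file=${2:-/sys/module/apparmor/parameters/enabled}
    status=0
    if [ -r "$cmdline_file" ] && cmdline_has_apparmor "$(cat "$cmdline_file")"; then
        echo "cmdline: apparmor=1 security=apparmor present"
    else
        echo "cmdline: parameters missing (not booted through GRUB 2?)"
        status=1
    fi
    if [ -r "$enabled_file" ] && [ "$(cat "$enabled_file")" = "Y" ]; then
        echo "kernel: AppArmor enabled"
    else
        echo "kernel: AppArmor not enabled"
        status=1
    fi
    return "$status"
}
```

Source the file and call apparmor_report with no arguments on the VPS; a "parameters missing" line means the configuration profile is still booting a Linode kernel or the GRUB configuration was not regenerated.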

Unbound + Let’s Encrypt fix

Finally, my local Unbound installation stopped working because it couldn’t access the Let’s Encrypt certificates anymore.

The solution to this was pretty straightforward. All I needed to do was to add the following to /etc/apparmor.d/local/usr.sbin.unbound:
