Affected versions: Ubuntu 26.04 LTS

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

The service fails to start, or operations break at runtime, because AppArmor denies access.

Environment & Reproduction

Seen after application data is moved to paths outside the locations the profile allows.

systemctl restart 
systemctl status 

Root Cause Analysis

The profile's rules do not include the new file paths, so the enforced profile denies access to them.

Quick Triage

Confirm that AppArmor is enforcing and inspect the recent denied events.

aa-status
journalctl -k -n 100 --no-pager | grep -i apparmor

Step-by-Step Diagnosis

Collect the exact denied operation, profile name, and target path from the logs.

journalctl -k --since '30 min ago' --no-pager | grep -i 'DENIED'
cat /etc/apparmor.d/ | sed -n '1,200p'

[Figure: AppArmor denial entries in kernel logs (illustrative mockup)]
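
One way to collect the operation, profile name and target path from the denial lines in a single pass. This is an added example, not part of the original page; the function names, the profile `/usr/sbin/exampled` and the `/srv/appdata` paths are hypothetical, and the sample log lines are constructed.

```shell
#!/bin/sh
# Summarise AppArmor denials as: count, profile, operation, denied_mask, path.
# Repeated denials collapse into one row, so each row is one candidate rule to review.

# Constructed sample kernel log lines (hypothetical profile and paths).
sample_denials() {
  cat <<'EOF'
Jan 05 10:00:01 host kernel: audit: type=1400 audit(1767607201.101:201): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/exampled" name="/srv/appdata/config.yml" pid=2211 comm="exampled" requested_mask="r" denied_mask="r" fsuid=998 ouid=0
Jan 05 10:00:02 host kernel: audit: type=1400 audit(1767607202.330:202): apparmor="DENIED" operation="mknod" class="file" profile="/usr/sbin/exampled" name="/srv/appdata/cache/tmp.1" pid=2211 comm="exampled" requested_mask="c" denied_mask="c" fsuid=998 ouid=998
Jan 05 10:00:03 host kernel: audit: type=1400 audit(1767607203.010:203): apparmor="ALLOWED" operation="open" class="file" profile="/usr/sbin/otherd" name="/etc/hosts" pid=900 comm="otherd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 05 10:00:04 host kernel: EXT4-fs (sda1): re-mounted. Quota mode: none.
Jan 05 10:00:09 host kernel: audit: type=1400 audit(1767607209.555:204): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/exampled" name="/srv/appdata/config.yml" pid=2240 comm="exampled" requested_mask="r" denied_mask="r" fsuid=998 ouid=0
EOF
}

# Reads kernel log lines on stdin and prints tab-separated rows, most frequent first.
summarize_denials() {
  LC_ALL=C awk '
    # Return the value of a quoted key="value" pair, or "-" if it is absent.
    # Paths containing spaces are logged hex-encoded and unquoted, so they
    # show up as "-" here and need to be read from the raw line.
    function field(key,   pat, s) {
      pat = " " key "=\"[^\"]*\""
      if (!match($0, pat)) return "-"
      s = substr($0, RSTART, RLENGTH)
      sub("^ " key "=\"", "", s)
      sub("\"$", "", s)
      return s
    }
    # Only enforced denials count; ALLOWED lines come from complain mode.
    /apparmor="DENIED"/ {
      k = field("profile") "\t" field("operation") "\t" field("denied_mask") "\t" field("name")
      n[k]++
    }
    END { for (k in n) printf "%d\t%s\n", n[k], k }
  ' | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2
}

sample_denials | summarize_denials
```

On a live system, feed it the same log query used above: `journalctl -k --since '30 min ago' --no-pager | summarize_denials`.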

Solution – Primary Fix

Add narrowly scoped path permissions to the profile and reload it.

sudoedit /etc/apparmor.d/
sudo apparmor_parser -r /etc/apparmor.d/
sudo systemctl restart 

[Figure: Adjusted AppArmor profile allows required service paths (illustrative mockup)]

Solution – Alternative Approaches

Generate candidate rules with aa-logprof, then review before applying.

sudo aa-logprof

Verification & Acceptance Criteria

The service functions normally and no new AppArmor denials appear for the expected actions.

systemctl status 
journalctl -k -n 60 --no-pager | grep -i apparmor || true

Rollback Plan

Revert the profile edit from backup and reload the original rules.

sudo cp /etc/apparmor.d/.bak /etc/apparmor.d/
sudo apparmor_parser -r /etc/apparmor.d/

Prevention & Hardening

Track path changes in deployment pipelines and update profiles with least privilege.

Related Errors & Cross-Refs

Can be confused with filesystem permission issues or read-only mount states.

References & Further Reading

Ubuntu AppArmor administration and profile language references.
