Information
AppArmor profiles may be in one of three modes: disabled, complain or enforce. In the complain mode, any violations of the access controls are logged but the restrictions are not enforced. Also, once a profile mode has been changed, it is recommended to restart the Apache server, otherwise the currently running process may not be confined by the policy.
Rationale:
The complain mode is useful for testing and debugging a profile, but is not appropriate for production. Only the confined process running in enforce mode will prevent attacks that violate the configured access controls.
Solution
Perform the following to implement the recommended state:
Set the profile state to enforce mode.
# aa-enforce apache2
Setting /usr/sbin/apache2 to enforce mode.
Stop the Apache server and confirm that is it not running. In some cases, the AppArmor controls may prevent the web server from stopping properly, and it may be necessary to stop the process manually or even reboot the server.
# service apache2 stop
* Stopping web server apache2
# service apache2 status
* apache2 is not running
Restart the Apache service.
# service apache2 start
* Starting web server apache2
Default Value:
The default mode is enforce.