AppArmor protects Linux Mint by adding mandatory access control on top of normal file permissions. When you need to enable or disable AppArmor on Linux Mint, the important choice is scope: disable one profile, change the profile loader, or turn off AppArmor at boot and then restore it cleanly.
These steps target Ubuntu-based Linux Mint 22.x and 21.x, not LMDE. Mint inherits most AppArmor tooling from its Ubuntu base, but profile counts and user namespace behavior can differ, so check the live state before changing anything. If the machine is Ubuntu instead, use the separate guide to enable or disable AppArmor on Ubuntu.
Check AppArmor Status on Linux Mint
Start with read-only checks that separate the kernel state, the systemd profile loader, and the loaded profile set. A normal enabled Mint system reports Y, an active and enabled service, and an aa-status summary with loaded profiles. The profile counts in the sample output are examples, not pass/fail thresholds, because they vary by Mint release, desktop edition, and installed packages.
cat /sys/module/apparmor/parameters/enabled
systemctl is-active apparmor
systemctl is-enabled apparmor
sudo aa-status | head -n 3
Y
active
enabled
apparmor module is loaded.
121 profiles are loaded.
25 profiles are in enforce mode.
These commands use sudo because AppArmor profile inspection, profile loading, service state, and bootloader changes require administrator access. If your account cannot run privileged commands yet, set that up with the guide to create and add users to sudoers on Linux Mint before continuing.
The AppArmor service is a oneshot profile loader. In full systemctl status output, active (exited) is normal because the unit loads profiles, exits, and leaves enforcement inside the kernel. For compact output without timestamps, inspect the unit properties directly.
systemctl show apparmor --property=LoadState,ActiveState,SubState,UnitFileState
LoadState=loaded
ActiveState=active
SubState=exited
UnitFileState=enabled
If a profile-management command such as aa-disable, aa-enforce, or aa-complain is missing, install apparmor-utils. Linux Mint can have AppArmor active and aa-status available even when the extra management helpers are not installed.
command -v aa-disable
If no path prints, install the helper package before using profile-management commands.
sudo apt update
sudo apt install apparmor-utils
Disable AppArmor on Linux Mint
Choose the smallest disable path that solves the problem. Disabling one profile keeps the rest of AppArmor active, while disabling AppArmor globally removes the mandatory access control layer for the whole system after a reboot.
| Task | Command Path | Effect | Best For |
|---|---|---|---|
| Disable one profile | aa-disable | Immediate and profile-specific | One app or service profile is causing a confirmed issue |
| Disable AppArmor globally | apparmor=0 boot argument | Applies after reboot and disables AppArmor kernel mediation | Temporary broad troubleshooting or lab systems |
| Stop or disable the systemd unit | systemctl stop apparmor or systemctl disable apparmor | Changes loader state but can leave kernel mediation and profiles active | Rare profile-loader testing, not full disablement |
Do not globally disable AppArmor to fix one application unless you have already confirmed that a specific profile change is not enough. A broad disable removes confinement for unrelated desktop apps, services, snaps, and helper processes.
Disable a Single AppArmor Profile
Use sudo aa-status for the loaded profile list, then confirm the matching profile file under /etc/apparmor.d. The exact profile inventory varies by Mint release, desktop edition, and installed packages, but these common profile files are present on current Mint 22.x and 21.x systems.
ls /etc/apparmor.d/lsb_release /etc/apparmor.d/usr.bin.man /etc/apparmor.d/usr.sbin.cupsd
/etc/apparmor.d/lsb_release /etc/apparmor.d/usr.bin.man /etc/apparmor.d/usr.sbin.cupsd
The example disables the lsb_release profile because it is small and commonly present on Mint systems. Replace it with the exact profile that matches your target application or service.
sudo aa-disable /etc/apparmor.d/lsb_release
Disabling /etc/apparmor.d/lsb_release.
AppArmor disables the profile by creating a symlink under /etc/apparmor.d/disable/. Confirm that symlink before assuming the profile is disabled.
readlink /etc/apparmor.d/disable/lsb_release
/etc/apparmor.d/lsb_release
Disable AppArmor Globally After Reboot
Full AppArmor disablement should be deliberate and reversible. On GRUB-based Linux Mint systems, add a small drop-in that appends apparmor=0 to the kernel command line, regenerate the GRUB menu, and reboot.
sudo install -d -m 755 /etc/default/grub.d
printf '%s\n' 'GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX apparmor=0"' | sudo tee /etc/default/grub.d/99-disable-apparmor.cfg > /dev/null
sudo update-grub
sudo reboot
After the reboot, verify the kernel state, service state, and AppArmor filesystem state. A globally disabled system reports N, an inactive profile-loader service, and an aa-status message that the AppArmor filesystem is not mounted.
cat /sys/module/apparmor/parameters/enabled
systemctl is-active apparmor
sudo aa-status
N
inactive
apparmor filesystem is not mounted.
apparmor module is loaded.
Do not treat systemctl stop apparmor or systemctl disable apparmor as equivalent to the boot argument. On Linux Mint, stopping the oneshot unit can make the service state read inactive while aa-status still shows profiles loaded in the kernel.
Re-enable AppArmor on Linux Mint
Re-enable the same layer you disabled. A disabled profile needs its disable symlink removed and the profile reloaded. A globally disabled system needs the boot argument removed and a reboot.
Re-enable a Disabled AppArmor Profile
Remove the disable symlink, reload the profile into the kernel, and place it back into enforce mode.
sudo rm -f /etc/apparmor.d/disable/lsb_release
sudo apparmor_parser -r /etc/apparmor.d/lsb_release
sudo aa-enforce /etc/apparmor.d/lsb_release
Setting /etc/apparmor.d/lsb_release to enforce mode.
Confirm the profile appears in the loaded profile list again. The lsb_release profile is a named transition profile, so the profile list shows lsb_release rather than /usr/bin/lsb_release.
sudo aa-status | grep -F 'lsb_release'
lsb_release
Re-enable AppArmor After a Global Disable
Remove the GRUB drop-in that added apparmor=0, regenerate GRUB, make sure the AppArmor service is enabled for boot, and reboot.
sudo rm -f /etc/default/grub.d/99-disable-apparmor.cfg
sudo update-grub
sudo systemctl enable apparmor
sudo reboot
After the reboot, confirm AppArmor returned to the normal enabled state. The key signals are Y, active, enabled, and loaded profiles; the exact profile counts can differ.
cat /sys/module/apparmor/parameters/enabled
systemctl is-active apparmor
systemctl is-enabled apparmor
sudo aa-status | head -n 3
Y
active
enabled
apparmor module is loaded.
121 profiles are loaded.
25 profiles are in enforce mode.
Troubleshoot AppArmor Enable and Disable Issues
aa-disable or aa-enforce Command Not Found
Install apparmor-utils when helper commands are missing. Linux Mint can still have AppArmor enabled even when those profile-management tools are absent.
sudo apt update
sudo apt install apparmor-utils
AppArmor Still Looks Enabled After systemctl stop or disable
This is expected on Linux Mint. The AppArmor service loads profiles and exits, while enforcement remains in the kernel. Stopping the service changes the loader state, but it does not unload the kernel module or remove already loaded profiles. The important values are the inactive service before restart, Y for kernel mediation, loaded profiles, then active and enabled service state after restart.
sudo systemctl stop apparmor
systemctl is-active apparmor
cat /sys/module/apparmor/parameters/enabled
sudo aa-status | head -n 3
sudo systemctl start apparmor
sudo systemctl enable apparmor > /dev/null 2>&1
systemctl is-active apparmor
systemctl is-enabled apparmor
inactive
Y
apparmor module is loaded.
121 profiles are loaded.
25 profiles are in enforce mode.
active
enabled
Use aa-disable for one profile or the apparmor=0 boot argument for a global disable. Restart and re-enable the service after this check so future boots continue loading profiles normally.
AppArmor Stays Disabled After Re-enabling the Service
If cat /sys/module/apparmor/parameters/enabled still prints N, the kernel is still booting with apparmor=0. Check the live kernel command line, remove the remaining boot argument from GRUB or another bootloader configuration source, regenerate the boot menu, and reboot.
cat /proc/cmdline
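The three signals used throughout this guide (kernel flag, boot arguments, loader unit state) can be combined into one read-only classification. This is an added example, not part of the original guide or of AppArmor's tooling; the function names and state labels are hypothetical, the sample command line is constructed, and treating the last repeated apparmor= token as the effective one is an assumption.

```shell
#!/bin/sh
# Added example: classify AppArmor state from the signals the guide checks.
# Function names and state labels are hypothetical, not AppArmor tooling.

# Print the value of the last apparmor= token on a kernel command line.
# Assumption: when the argument repeats, the last occurrence is effective.
apparmor_boot_arg() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^apparmor=//p' | tail -n 1
}

# classify_apparmor <kernel flag Y|N> <kernel cmdline> <systemctl is-active output>
classify_apparmor() {
    enabled="$1"; svc="$3"
    bootarg="$(apparmor_boot_arg "$2")"
    case "$enabled" in
        Y|N) ;;
        *) echo "unknown"; return 0 ;;   # module parameter not readable
    esac
    if [ "$enabled" = "Y" ]; then
        if [ "$svc" = "active" ]; then
            echo "enabled"
        else
            # Loader unit stopped, kernel mediation still on: not a real disable.
            echo "kernel-enforcing-loader-$svc"
        fi
    elif [ "$bootarg" = "0" ]; then
        echo "disabled-by-boot-arg"      # apparmor=0 is still on the live cmdline
    else
        echo "disabled-other"            # N without apparmor=0: look elsewhere
    fi
}

# Read-only collection of live values; missing files or tools yield "unknown".
apparmor_live_state() {
    flag="$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null || echo unknown)"
    cmdline="$(cat /proc/cmdline 2>/dev/null || true)"
    unit="$(systemctl is-active apparmor 2>/dev/null || true)"
    classify_apparmor "$flag" "$cmdline" "${unit:-unknown}"
}

# Constructed sample: drop-in removed, but apparmor=0 left in another source.
sample='BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro quiet splash apparmor=0'
echo "sample: $(classify_apparmor N "$sample" inactive)"
echo "live:   $(apparmor_live_state)"
```

A result of disabled-by-boot-arg after you removed the GRUB drop-in means another bootloader configuration source still supplies the argument.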
A Profile Does Not Load After Re-enabling
Parse the profile before loading it. Syntax errors, stale paths, or a broken local edit can prevent AppArmor from accepting the profile.
sudo apparmor_parser -Q /etc/apparmor.d/lsb_release
sudo apparmor_parser -r /etc/apparmor.d/lsb_release
Linux Mint Sandbox Errors Are Different from Ubuntu
Browser, Electron, IDE, and AppImage sandbox errors are not automatically proof that AppArmor should be disabled. Check the live user namespace setting before copying an Ubuntu workaround into Linux Mint.
sysctl -n kernel.apparmor_restrict_unprivileged_userns 2>/dev/null || echo MISSING
| Result | Meaning | Next Step |
|---|---|---|
| 0 | The Ubuntu-style AppArmor user namespace restriction is not active | Look for package, profile, launcher, or permission evidence before changing AppArmor |
| 1 | The restriction is active | Capture the original value, test only temporarily, and restore it afterward |
| MISSING | The kernel setting is not exposed on that Mint system | Do not use that Ubuntu-specific setting as the explanation |
If the key exists and you need a temporary diagnostic test, capture the original value first and restore that exact value after testing. Prefer the package vendor’s supported profile, package source, or launcher guidance for any persistent fix.
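if original_userns=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns 2>/dev/null); then
    sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
    # Reproduce the sandbox error in another terminal while the restriction is off.
    printf 'Press Enter to restore the original value (%s): ' "$original_userns"
    read -r _
    sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns="$original_userns"
else
    echo "kernel.apparmor_restrict_unprivileged_userns is not available on this system."
fi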
Do Not Purge AppArmor Just to Disable It
Removing the apparmor package is a rougher change than disabling a profile or using a reversible boot argument. Purging AppArmor can remove Linux Mint’s default security tooling and create package-management side effects without giving you a cleaner rollback path.
Official AppArmor References
- AppArmor quick reference for common aa-status, apparmor_parser, aa-complain, and aa-enforce commands.
- AppArmor documentation for profile syntax and deeper policy work.
- Ubuntu AppArmor documentation for Ubuntu-family profile management, apparmor-utils, and boot-time disablement behavior.
Related Linux Mint Security Tasks
- Install OpenSSH on Linux Mint before depending on remote access through AppArmor-related reboots.
- Install and enable Snap on Linux Mint if the issue belongs to snapd setup rather than host AppArmor state.
Conclusion
AppArmor is either active again with profiles loaded, or intentionally disabled through a reversible GRUB drop-in that you can remove later. For most Linux Mint systems, keep global AppArmor enabled and disable only the confirmed problem profile while troubleshooting. That preserves Mint’s broader application confinement instead of turning off a system-wide security layer.

