最后更新于2021年3月4日15:10:42
今天遇到一个问题：在ubuntu上安装snap.XXXX.run格式的程序后，修改enforce mode到complain mode不成功。

[Resolved] Can’t put Apparmor profiles in enforce mode
根据这里面HuangLao的回答：AppArmor profiles should live in /etc/apparmor.d/.

Amazon-ssm-agent AppArmor profile not allowing “enforce” mode
还有这个里面jdstrand的回答：
As for ‘aa-enforce’, snapd manages its own policy in /var/lib/snapd/apparmor/profiles (with its cache in /var/cache/apparmor) and system policy tools like ‘aa-enforce’ aren’t meant to operate on them (and thus do not support this location). Even if aa-enforce could update the file, snapd ensures that the profiles in /var/lib/snapd/apparmor/profiles contain what it expects, and snapd would revert the change at some point.
snap安装程序后把自己的配置文件放在 /var/lib/snapd/apparmor/profiles 下面，但是apparmor_utils这种系统策略工具只能检测到apparmor.d下的文件。

最后解决方式：把snap目录下相关安装文件放到/etc/apparmor.d/中，执行aa-complain修改后再覆盖回去。其实本质上是修改了snap.XXXXX.run配置文件的内容。
参考：解决ubuntu环境下报apparmor=“DENIED“ operation=“exec“之类的错误