LinuxCommandLibrary

aa-cleanprof

Clean unused AppArmor profiles

TLDR

Clean a profile to remove unused rules
$ sudo aa-cleanprof [profile_name]

Clean multiple profiles at once
$ sudo aa-cleanprof [profile1 profile2 ...]

Specify the directory containing profiles
$ sudo aa-cleanprof [[-d|--dir]] [/path/to/profiles] [profile_name]

Run silently without prompts
$ sudo aa-cleanprof [[-s|--silent]] [profile_name]

Prevent profile reload after cleaning
$ sudo aa-cleanprof --no-reload [profile_name]

Display help
$ aa-cleanprof [[-h|--help]]

SYNOPSIS

aa-cleanprof [-v] [-y] [-d <path>] [-r] [-h]

PARAMETERS

-v, --verbose
    Displays verbose output, showing more details about files being processed.

-y, --yes
    Automatically answers "yes" to all prompts, performing cleanup non-interactively. Use with extreme caution as it can lead to unintended deletions.

-d <path>, --dir <path>
    Specifies an alternative directory path to clean instead of the default /etc/apparmor.d/.

-r, --report
    Performs a dry run. Reports which files would be removed without actually deleting them. Highly recommended for testing before actual cleanup.

-h, --help
    Displays a help message and exits.

DESCRIPTION

aa-cleanprof is a utility designed to help system administrators manage AppArmor profiles by identifying and removing unused, outdated, or redundant profile files. These files are typically found in /etc/apparmor.d/ and its associated cache directory. The tool is particularly valuable after software uninstallations, as it helps clean up leftover AppArmor configurations that are no longer needed, preventing clutter and potential conflicts from stale security rules.

By default, aa-cleanprof operates interactively, prompting the user for confirmation before deleting each file, which serves as a crucial safety measure against accidental removals. It can also be run in a non-interactive mode for automated scripts, though this requires careful use. It helps maintain a clean and efficient AppArmor security environment by ensuring that only relevant profiles are present on the system.

CAVEATS

Using the -y (non-interactive) option without first performing a dry run (-r) or careful manual verification can lead to the unintended deletion of active or custom AppArmor profiles.

aa-cleanprof typically requires root privileges to operate effectively, as it modifies system configuration files within directories like /etc/apparmor.d/.

It primarily removes profiles that do not correspond to currently installed packages. Custom profiles created manually may also be flagged if their origin isn't clearly discernible by the tool.
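A wrapper for the dry-run-then-confirm workflow described in the caveats above, as an added example that is not from this page or the AppArmor project: it snapshots the profile directory, runs the -r report, refuses to continue if any candidate appears in a keep list of custom profiles, and only then runs non-interactively with -y. The AA_CLEANPROF override, the keep-list file, and the assumption that each report line names a path under the profile directory are this example's own.

```shell
#!/bin/sh
# Added example, not part of the page or the AppArmor toolset.
# Uses the options documented above: -r (dry run), -d <path>, -y (non-interactive).
# AA_CLEANPROF is a hypothetical override so the workflow can be exercised offline.
set -u
AA_CLEANPROF="${AA_CLEANPROF:-aa-cleanprof}"

# Snapshot the profile directory into a tarball so any mistaken removal can be reverted.
backup_profiles() {
    # $1 = profile directory, $2 = output tarball
    tar -C "$(dirname "$1")" -czf "$2" "$(basename "$1")"
}

# Run the dry run and keep only the paths under the profile directory that it reports.
report_candidates() {
    # $1 = profile directory; prints one candidate path per line (assumed report format)
    "$AA_CLEANPROF" -r -d "$1" | grep -o "$1/[^[:space:]]*" | sort -u
}

# Return 0 if no candidate is on the keep list, otherwise print the offenders and return 1.
check_keep_list() {
    # $1 = file of candidate paths, $2 = file of profile paths that must never be removed
    offenders=$(grep -Fx -f "$2" "$1" || true)
    [ -z "$offenders" ] && return 0
    printf 'refusing: protected profiles would be removed:\n%s\n' "$offenders" >&2
    return 1
}

# Full workflow: backup, dry run, protect custom profiles, then the real run.
safe_cleanprof() {
    # $1 = profile directory, $2 = keep-list file, $3 = backup tarball path
    dir="$1"; keep="$2"; backup="$3"
    backup_profiles "$dir" "$backup" || return 1
    candidates=$(mktemp) || return 1
    report_candidates "$dir" > "$candidates"
    if ! check_keep_list "$candidates" "$keep"; then
        rm -f "$candidates"
        return 1
    fi
    rm -f "$candidates"
    "$AA_CLEANPROF" -y -d "$dir"
}
```

Populate the keep list with the full paths of hand-written profiles before the first run; the script aborts after the dry run, with the backup already taken, if any of them would be removed.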

INTERACTIVE MODE

By default, aa-cleanprof runs in an interactive mode, requiring user confirmation for each profile file it proposes to delete. This interactive behavior is a critical safety feature to prevent accidental or unwanted removals.

ROOT PRIVILEGES

Due to its operation on system-wide configuration files and directories, aa-cleanprof must be executed with root privileges (e.g., using sudo) to function correctly and apply changes.

HISTORY

AppArmor, originally developed by Immunix and later acquired by Novell (now SUSE), became part of the Linux kernel mainline in version 2.6.36. aa-cleanprof has been a fundamental utility within the AppArmor toolset since its early development, evolving alongside the core project to provide essential profile management and system hygiene capabilities.

SEE ALSO

apparmor(7), aa-genprof(8), aa-enforce(8), aa-complain(8), aa-disable(8), aa-logprof(8), aa-status(8)
