aa-complain
Disable AppArmor enforcement; log violations only
TLDR
Set policy to complain mode
Set policies to complain mode
SYNOPSIS
aa-complain [-d|--dir <dir>] <profile> [<profile> ...]
PARAMETERS
-d <dir>, --dir <dir>
Specify custom directory for AppArmor profile files instead of default /etc/apparmor.d/
-h, --help
Display usage information and exit
DESCRIPTION
The aa-complain command is part of the AppArmor security toolkit on Linux systems. AppArmor is a mandatory access control (MAC) system that confines programs to a limited set of resources.
In complain mode, specified profiles log policy violations to the system log (typically /var/log/syslog or /var/log/audit/audit.log) without enforcing restrictions. This allows administrators to tune profiles by observing real-world access attempts before switching to enforce mode.
Running aa-complain profile_name (as root) creates a symlink in /etc/apparmor.d/force-complain/ pointing to the profile file, and updates the kernel's loaded profiles via /sys/kernel/security/apparmor/.load. Multiple profiles can be specified.
Ideal for development, testing, or debugging AppArmor policies. Use aa-enforce to revert to enforcement. Always verify the result with aa-status. Requires the AppArmor kernel module to be loaded and the utils package to be installed.
CAVEATS
Requires root privileges. The named profiles must already exist. The kernel is not reloaded if nothing changed. Check aa-status after use. Complain mode is not suitable for production enforcement.
EXAMPLES
aa-complain /usr/bin/myapp
Sets /usr/bin/myapp profile to complain mode.
aa-complain -d /custom/profiles usr.sbin.nginx
Uses a custom profile directory for the nginx profile.
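Reviewing what a complain-mode profile logged before switching it back with aa-enforce, as an added example that is not part of the original page: a shell function that tallies apparmor="ALLOWED" events (the marker the kernel writes for violations under complain mode) by profile, operation, mask and path. The log lines, the profile paths and the function names sample_log and summarize_complain are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample log lines (syslog and audit.log styles), not captured output.
sample_log() {
cat <<'EOF'
Jan 10 10:00:01 host kernel: audit: type=1400 audit(1704880801.101:201): apparmor="ALLOWED" operation="open" profile="/usr/bin/myapp" name="/etc/myapp/app.conf" pid=4120 comm="myapp" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 10 10:00:03 host kernel: audit: type=1400 audit(1704880803.220:207): apparmor="ALLOWED" operation="open" profile="/usr/bin/myapp" name="/etc/myapp/app.conf" pid=4133 comm="myapp" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1704880805.300:310): apparmor="ALLOWED" operation="mknod" profile="/usr/bin/myapp" name="/var/cache/myapp/tmp.1" pid=4120 comm="myapp" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jan 10 10:00:06 host kernel: audit: type=1400 audit(1704880806.010:311): apparmor="DENIED" operation="open" profile="/usr/bin/otherapp" name="/etc/shadow" pid=4200 comm="otherapp" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 10 10:00:07 host kernel: audit: type=1400 audit(1704880807.500:312): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/nginx" pid=4300 comm="nginx" capability=1 capname="dac_override"
EOF
}

# summarize_complain [FILE...]: read syslog/audit.log text (stdin if no FILE)
# and print: count <TAB> profile <TAB> operation <TAB> denied_mask <TAB> name
summarize_complain() {
    awk '
    # Return the value of key="value" on the current line, or "-" if absent.
    function field(key,    re, s) {
        re = " " key "=\"[^\"]*\""
        if (!match($0, re)) return "-"
        s = substr($0, RSTART, RLENGTH)
        return substr(s, length(key) + 4, RLENGTH - length(key) - 4)
    }
    # Complain mode logs apparmor="ALLOWED"; enforce-mode DENIED lines are skipped.
    /apparmor="ALLOWED"/ {
        seen[field("profile") "\t" field("operation") "\t" field("denied_mask") "\t" field("name")]++
    }
    END { for (k in seen) printf "%d\t%s\n", seen[k], k }
    ' "$@" | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2
}

# Demonstration on the constructed sample.
sample_log | summarize_complain
```

On a live system, pass the log file named in the DESCRIPTION instead, for example summarize_complain /var/log/syslog. Each remaining row is an access the profile would block once it is back in enforce mode.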
MECHANISM
Symlinks profile to /etc/apparmor.d/force-complain/<name> and writes to kernel interface.
HISTORY
Introduced with AppArmor 2.x by Canonical/Immunix. Evolved in Ubuntu; now in apparmor-utils package across distros like Debian, SUSE. Key for profile tuning since ~2009.
SEE ALSO
aa-enforce(1), aa-status(1), aa-logprof(1), apparmor_parser(8)


