From Linux Man Pages
complain - set AppArmor security profile to complain mode.
SYNOPSIS
complain [ -d /path/to/profiles ] [program1 program2...] OR complain [
-d /path/to/profiles ] [profile1 profile2...]
DESCRIPTION
The complain, or learning, mode AppArmor tool detects violations of
AppArmor profile rules, such as the profiled program accessing files
not permitted by the profile. The violations are permitted, but also
logged. To improve the profile, turn complain mode on, run the program
through a suite of tests to generate log events that characterize the
program's access needs, then post-process the log with the AppArmor
tools to transform log events into improved profiles.
Manually activating complain mode (using the command line) adds a flag
to the top of the profile so that "/bin/foo {" becomes "/bin/foo
flags=(complain) {". To use complain mode, open a terminal window and
type one of the following lines as a root user.
- If the example program (program1) is in your path, type: complain
[program1 program2 ...]
- If the program is not in your path, you should specify the entire
path, as follows: complain /sbin/program1
- If the profiles are not in /etc/subdomain.d, type the following to
override the default location: complain -d /path/to/profiles/ program1
- Alternatively, you can specify the profile for program1, as follows:
complain /etc/subdomain.d/sbin.program1
Each of the above commands will activate complain mode for the
profiles/programs listed. The command can either list programs or
profiles. If the program name does not include its entire path, then
complain searches $PATH for the program. So for instance "complain
/usr/sbin/*" will find profiles associated with all of the programs in
/usr/sbin and put them into complain mode, and "complain
/etc/subdomain.d/*" will put all of the profiles in /etc/subdomain.d
into complain mode.
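The following added example (not part of the original man page or of the
AppArmor tools) lists the profiles that still carry the flags=(complain)
marker described above, a check worth running before relying on a
profile for enforcement. The function name list_complain_profiles and the
sample profiles are constructed for illustration; it assumes each profile
header sits on a single line.

```shell
#!/bin/sh
# Added example: report profiles whose header line carries flags=(complain).
# Assumption: a profile header has the one-line form shown on this page:
#   /bin/foo flags=(complain) {

list_complain_profiles() {
    # Default to the profile directory named on this page.
    dir=${1:-/etc/subdomain.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            # Ignore commented-out headers.
            /^[ \t]*#/ { next }
            # Header that opens a block and lists complain among its flags.
            /flags=[(][^)]*complain[^)]*[)][ \t]*[{]/ {
                print file ": " $1
            }' "$f"
    done
}

# Demo on constructed sample profiles (not real system profiles).
demo_dir=$(mktemp -d)
printf '%s\n' '/bin/foo flags=(complain) {' '  /etc/foo.conf r,' '}' \
    > "$demo_dir/bin.foo"
printf '%s\n' '/sbin/bar {' '  /etc/bar.conf r,' '}' \
    > "$demo_dir/sbin.bar"
list_complain_profiles "$demo_dir"
rm -rf "$demo_dir"
```

Profiles listed by the function log violations without blocking them, so
any entry that should be enforcing needs enforce(1) run on it.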
BUGS
None.
RELATED
subdomain(7), subdomain.d(5), enforce(1), and change_hat(2).