Scroll to navigation



dh_apparmor - reload AppArmor profile and create local include


dh_apparmor [--manifest=manifestfile] --profile-name=profilename


dh_apparmor is a debhelper program that will create/remove the /etc/apparmor.d/local/<profilename> include file in maintainer scripts. It also reloads the specified AppArmor profile in postinst using:

apparmor_parser -r -W -T /etc/apparmor.d/<profilename>

By using '-W -T' we ensure that any abstraction updates are also pulled in.


Specify the profile name. Eg:

dh_apparmor dh_apparmor -p foo

Optionally specify a manifest file. When specified, a profile is generated by calling aa-easyprof(8) with the specified manifest file and putting the resulting profile in debian/apparmor/<profilename>. Eg, if there is a valid manifest in debian/manifest.json, then the following command will create debian/apparmor/ for the 'bar' package (you will need to clean this up via override_dh_clean or similar).

dh_apparmor --manifest=manifest.json -p bar

Because not all build environments support the apparmor kernel interface, aa-easyprof(8) is called with the --no-verify option. Use of this option requires that apparmor-utils is installed.


When using modern dh packaging techniques, dh_apparmor can be added to the override_dh_install section of the rules file. Note that for packages that have multiple binary packages, you will want to pass '-p<package name>' to dh_apparmor, otherwise dh_apparmor will add AppArmor reload commands for all packages rather than just the one that ships the profile.

In addition, you will have to install the profile itself in /etc/apparmor.d. Eg, in the above manifest file example if you are using dh_install you would add to debian/bar.install:

debian/apparmor/ etc/apparmor.d


debhelper(7) aa-easyprof(8)

This program is a part of debhelper.


Jamie Strandboge <>

2024-02-28 3.0.13-1