This Linux error occurs when AppArmor, a mandatory access control security system, blocks Git from performing operations such as cloning, pushing, or accessing files. AppArmor profiles restrict what resources applications can access, and a misconfigured or overly restrictive profile can prevent Git from functioning properly.
This error indicates that the Linux AppArmor security module is preventing Git from executing operations it needs to perform. AppArmor (Application Armor) is a Mandatory Access Control (MAC) security system that confines programs to a limited set of resources using per-program profiles. When Git is blocked by AppArmor, it means the security policy explicitly denies Git (or the process running Git) from accessing certain files, directories, network resources, or system capabilities. This commonly happens in the following scenarios: 1. **Snap-packaged Git**: When Git is installed as a snap package, it runs under AppArmor confinement that may restrict access to directories outside the snap sandbox. 2. **Container environments**: Git running inside LXD, Docker containers, or other containerized environments where AppArmor profiles are enforced. 3. **Custom AppArmor profiles**: System administrators may have deployed restrictive AppArmor profiles that inadvertently block Git operations. 4. **Ubuntu 23.10+ user namespace restrictions**: Starting with Ubuntu 23.10, AppArmor restricts unprivileged user namespace creation, which can affect Git operations that rely on namespace isolation. The AppArmor denial is logged in the system log with a message like: ``` audit: apparmor="DENIED" operation="open" profile="snap.git.git" name="/path/to/file" ``` Understanding whether Git itself is confined or whether the parent process (terminal, IDE, snap runtime) is confined is crucial for resolving this issue.
First, check the system logs to understand exactly what AppArmor is denying:
View recent AppArmor denials:
# Check dmesg for AppArmor messages
sudo dmesg | grep -i apparmor | tail -20
# Check system log for audit messages
sudo grep "apparmor.*DENIED" /var/log/syslog | tail -20
# Or use journalctl (systemd systems)
sudo journalctl -k | grep -i apparmor | tail -20
# Stream live AppArmor denials
sudo dmesg -w | grep apparmorUnderstand the denial message:
A typical AppArmor denial looks like:
audit: apparmor="DENIED" operation="open" profile="snap.git.git" name="/home/user/project/.git/config" pid=12345 comm="git" requested_mask="r" denied_mask="r"Key fields to examine:
- profile: Which AppArmor profile is enforcing the denial (e.g., snap.git.git)
- operation: What operation was blocked (open, read, write, exec, etc.)
- name: The file or resource being accessed
- requested_mask: What access was requested (r=read, w=write, x=execute)
- denied_mask: What access was denied
This information is essential for determining the correct fix.
Determine which AppArmor profiles are active and their enforcement mode:
Check overall AppArmor status:
# View AppArmor status (requires root)
sudo aa-status
# Sample output:
# apparmor module is loaded.
# 47 profiles are loaded.
# 45 profiles are in enforce mode.
# 2 profiles are in complain mode.
# 10 processes have profiles defined.Look for Git-related profiles:
# List all loaded profiles
sudo aa-status | grep -i git
# Check for snap Git profiles
ls -la /var/lib/snapd/apparmor/profiles/ | grep git
# Check system AppArmor profiles
ls -la /etc/apparmor.d/ | grep -i gitCheck if Git is running under a profile:
# Find Git process and its profile
ps auxZ | grep git
# Or check which profile is confining a process
sudo aa-status --json | jq '.processes'Install AppArmor utilities if missing:
# Ubuntu/Debian
sudo apt install apparmor-utils
# Arch Linux
sudo pacman -S apparmorThis step helps identify whether Git itself has a profile or if the issue is with a parent process profile.
For immediate relief, switch the blocking profile to complain mode, which logs violations without blocking them:
Put a profile in complain mode:
# For system profiles
sudo aa-complain /etc/apparmor.d/profile.name
# For snap profiles (use the profile name from aa-status)
sudo aa-complain snap.git.git
# Or directly reference the profile file
sudo aa-complain /var/lib/snapd/apparmor/profiles/snap.git.gitVerify the profile is now in complain mode:
sudo aa-status | grep -A5 "complain mode"Test Git operations:
# Try the previously failing command
git status
git pullImportant notes:
- Complain mode is for troubleshooting only; it reduces security
- Use this to confirm AppArmor is the cause before making permanent fixes
- Switch back to enforce mode once you've identified and fixed the root cause:
# Return to enforce mode
sudo aa-enforce /etc/apparmor.d/profile.nameIf Git works in complain mode, you've confirmed AppArmor is the issue.
If Git is installed via snap, it has strict confinement that limits file access:
Check if Git is a snap:
which git
# If output is /snap/bin/git, it's a snap package
snap list gitOption 1: Connect required interfaces
# List available interfaces
snap connections git
# Connect to removable-media for access to /media, /mnt, etc.
sudo snap connect git:removable-media
# Connect to home for full home directory access
sudo snap connect git:homeOption 2: Use classic Git from apt instead of snap
# Remove snap Git
sudo snap remove git
# Install Git from apt (not confined)
sudo apt install git
# Verify installation
which git # Should show /usr/bin/gitOption 3: Debug snap AppArmor denials
# Install the snap debugging tool
sudo snap install snappy-debug
# Run the debug scanner
sudo snappy-debug.security scanlog
# In another terminal, run the failing Git command
git clone https://github.com/user/repo.git /path/to/destinationThe snappy-debug tool will suggest which interfaces or manual profile modifications might be needed.
Reload snap AppArmor profiles:
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/*
sudo systemctl restart snapd.apparmor.serviceIf Git fails inside LXD, Docker, or other containers due to AppArmor:
For LXD containers:
# Check container security settings
lxc config show mycontainer | grep apparmor
# Disable AppArmor for the container (reduces security)
lxc config set mycontainer raw.lxc "lxc.apparmor.profile=unconfined"
lxc restart mycontainer
# Or use a specific AppArmor profile
lxc config set mycontainer raw.lxc "lxc.apparmor.profile=lxc-container-default-with-nesting"For Docker containers:
# Run container with AppArmor disabled (reduces security)
docker run --security-opt apparmor=unconfined myimage
# Or in docker-compose.yml:
# services:
# myservice:
# security_opt:
# - apparmor:unconfinedFix host-level Docker AppArmor issues:
# Reload Docker's default AppArmor profile
sudo apparmor_parser -r /etc/apparmor.d/docker
# Or remove and re-add the profile
sudo apparmor_parser -R /etc/apparmor.d/docker
sudo apparmor_parser -a /etc/apparmor.d/dockerCheck for nested container issues:
# View AppArmor denials from container perspective
dmesg | grep apparmor
# Ensure nesting is enabled if running containers inside containers
lxc config set mycontainer security.nesting trueStarting with Ubuntu 23.10, AppArmor restricts unprivileged user namespace creation, which can affect some Git operations:
Check if this restriction is affecting you:
# Look for userns_create denials
dmesg | grep "userns_create"
# Check the kernel settings
sysctl kernel.apparmor_restrict_unprivileged_userns
sysctl kernel.apparmor_restrict_unprivileged_unconfinedTemporary workaround (testing only):
# Disable user namespace restrictions temporarily
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=0Permanent workaround (if needed):
# Create a sysctl configuration file
echo "kernel.apparmor_restrict_unprivileged_userns=0" | sudo tee /etc/sysctl.d/99-userns.conf
sudo sysctl --systemBetter approach - create an AppArmor profile for Git:
# Check if a profile already exists
ls /etc/apparmor.d/ | grep git
# If Git needs user namespace access, create a permissive profile
# (This is an advanced operation - see Advanced Notes)Note: Disabling user namespace restrictions reduces system security. Only do this if you understand the implications and have other security measures in place.
If you need to create or modify an AppArmor profile to allow specific Git operations:
Locate existing profiles:
# System profiles
ls /etc/apparmor.d/
# Local overrides (preferred for modifications)
ls /etc/apparmor.d/local/
# Snap profiles
ls /var/lib/snapd/apparmor/profiles/Use aa-logprof to suggest profile updates:
# Run the failing Git command first, then:
sudo aa-logprof
# This interactive tool will scan logs and suggest profile additionsManually add rules to local overrides:
# Create or edit a local override file
sudo nano /etc/apparmor.d/local/usr.bin.gitExample rules to add:
# Allow Git to read/write in home directory
owner @{HOME}/** rw,
# Allow Git to access .git directories anywhere
/**/.git/ r,
/**/.git/** rwk,
# Allow network access for remote operations
network inet stream,
network inet6 stream,
# Allow Git to execute helper programs
/usr/lib/git-core/* ix,
/usr/bin/ssh ix,Reload the profile after changes:
# Reload specific profile
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.git
# Or reload all profiles
sudo systemctl reload apparmorTest the updated profile:
# Run Git command and check for denials
git status
dmesg | tail -5 | grep apparmorAs a last resort, you can disable AppArmor protection for Git entirely:
Disable a specific profile:
# Create a symlink to disable the profile
sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/profile.name
# For example, if there's a Git profile:
sudo ln -s /etc/apparmor.d/usr.bin.git /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.bin.gitRe-enable a disabled profile:
sudo rm /etc/apparmor.d/disable/profile.name
sudo apparmor_parser -a /etc/apparmor.d/profile.nameDisable AppArmor system-wide (strongly not recommended):
# Via kernel parameter
sudo nano /etc/default/grub
# Change: GRUB_CMDLINE_LINUX=""
# To: GRUB_CMDLINE_LINUX="apparmor=0"
sudo update-grub
sudo reboot
# Or via systemd
sudo systemctl stop apparmor
sudo systemctl disable apparmorWarning: Disabling AppArmor removes an important security layer. Only disable profiles or the entire system if:
- You are in a development/testing environment
- You have alternative security measures in place
- You fully understand the security implications
Prefer using complain mode or creating permissive profiles over complete disabling.
After applying fixes, thoroughly test Git functionality:
Test basic operations:
# Navigate to your repository
cd /path/to/repo
# Test status
git status
# Test log
git log --oneline -5
# Test diff
git diff HEAD~1Test network operations:
# Test fetch
git fetch origin
# Test pull
git pull
# Test clone to a new location
git clone https://github.com/octocat/Hello-World.git /tmp/test-clone
rm -rf /tmp/test-cloneTest write operations:
# Create a test file and commit
echo "test" > test-apparmor.txt
git add test-apparmor.txt
git commit -m "Test AppArmor fix"
git reset --hard HEAD~1 # Undo test commitVerify no new denials appear:
# Check dmesg for any new AppArmor denials
sudo dmesg | grep apparmor | tail -10
# Monitor in real-time during operations
sudo dmesg -w | grep apparmor &
git pull
# Press Ctrl+C to stop monitoringTest in previously problematic contexts:
If the issue was specific to an IDE or container, test Git within that context as well.
If issues persist:
# Generate a full AppArmor report
sudo aa-status --verbose > apparmor-report.txt
sudo dmesg | grep apparmor >> apparmor-report.txt
# Review the report or share with support### Understanding AppArmor Architecture
AppArmor is a Linux Security Module (LSM) that provides Mandatory Access Control (MAC). Unlike traditional UNIX Discretionary Access Control (DAC) where file owners set permissions, MAC policies are enforced by the system administrator and cannot be overridden by users.
Key concepts:
1. Profiles: Text files defining what resources a program can access
2. Modes:
- Enforce: Violations are blocked and logged
- Complain: Violations are logged but allowed
- Disabled: Profile is not loaded
3. Capabilities: POSIX capabilities the program can use (e.g., CAP_NET_BIND_SERVICE)
4. File rules: Path-based access controls (read, write, execute, etc.)
5. Network rules: Network family and socket type restrictions
### Profile Syntax Basics
AppArmor profiles use a C-like syntax:
# Example profile structure
/usr/bin/git {
# Include common abstractions
#include <abstractions/base>
#include <abstractions/nameservice>
# Allow reading Git configuration
/etc/gitconfig r,
owner @{HOME}/.gitconfig r,
# Allow access to .git directories
/**/.git/ r,
/**/.git/** rwk,
# Allow executing Git helpers
/usr/lib/git-core/* ix,
# Network access for remotes
network inet stream,
network inet6 stream,
# Allow DNS resolution
/etc/resolv.conf r,
}Common file access modes:
- r - read
- w - write
- a - append
- x - execute (inherit profile)
- ix - execute inheriting current profile
- px - execute with dedicated profile
- ux - execute unconfined
- k - file locking
- l - link
### Snap Confinement Levels
Snap packages have three confinement levels:
1. strict (default): Full AppArmor and seccomp confinement
2. classic: No confinement (like apt packages)
3. devmode: Confinement disabled for development
# Check snap confinement level
snap info git | grep confinement
# Install a snap in classic mode (if available)
sudo snap install git --classic
# Install in devmode (for debugging)
sudo snap install git --devmode### Debugging with aa-logprof and aa-genprof
For creating or updating profiles:
# Generate a new profile interactively
sudo aa-genprof /usr/bin/git
# Then run Git commands in another terminal
# Return and press 'S' to scan, 'F' to finish
# Update existing profile based on log
sudo aa-logprofThe tool will suggest rules based on observed denials.
### Network-Specific AppArmor Rules
If Git is being blocked from network operations:
# Allow all TCP connections
network inet stream,
network inet6 stream,
# Allow DNS
network inet dgram,
network inet6 dgram,
# Allow Unix sockets (for credential helpers)
network unix stream,### Troubleshooting SSH with Git and AppArmor
If SSH-based Git operations fail:
# Check if SSH is confined
ps auxZ | grep ssh
# SSH might need its own profile adjustments
# Check for SSH-related denials
dmesg | grep -E "apparmor.*ssh"Rules to add for SSH support:
/usr/bin/ssh ix,
owner @{HOME}/.ssh/** r,
owner @{HOME}/.ssh/known_hosts rw,### AppArmor vs SELinux
Some systems may have SELinux instead of (or in addition to) AppArmor:
# Check which LSM is active
cat /sys/kernel/security/lsm
# Check SELinux status
getenforce # If SELinux
# Check AppArmor status
aa-status # If AppArmorIf both are present, ensure they're not conflicting.
### Kernel Parameters for AppArmor
# View all AppArmor kernel parameters
sysctl -a | grep apparmor
# Key parameters:
# kernel.apparmor_restrict_unprivileged_userns - User namespace restrictions
# kernel.apparmor_restrict_unprivileged_unconfined - Unconfined process restrictions### Recovery from AppArmor Issues
If AppArmor completely breaks your system:
1. Boot with AppArmor disabled:
- At GRUB menu, press 'e' to edit
- Add apparmor=0 to the linux line
- Press Ctrl+X to boot
2. Fix the problematic profile:
# Once booted, fix or remove the profile
sudo rm /etc/apparmor.d/broken.profile
sudo systemctl restart apparmor3. Reboot normally
### Enterprise Considerations
In managed environments:
- AppArmor profiles may be deployed via configuration management
- Contact your security team before modifying profiles
- Document any profile changes for audit purposes
- Consider using complain mode in staging before enforce in production
kex_exchange_identification: Connection closed by remote host
Connection closed by remote host when connecting to Git server
fatal: unable to access: Proxy auto-configuration failed
How to fix 'Proxy auto-configuration failed' in Git
fatal: unable to access: Authentication failed (proxy requires basic auth)
How to fix 'Authentication failed (proxy requires basic auth)' in Git
fatal: unable to access: no_proxy configuration not working
How to fix 'no_proxy configuration not working' in Git
fatal: unable to read tree object in treeless clone
How to fix 'unable to read tree object in treeless clone' in Git