appamor module conflicts with capabilty module - cannot load apparmor module (Resource temporarily unavailable)

Hi! Thanks for the report. Did you have the "apparmor" package
installed prior to building/installing the AA module? There should be
an "rmmod" in the apparmor postinst, and a module alias installed that
loads the apparmor module instead of the capabilities module.

Hi,

Kees Cook skrev:
> Hi! Thanks for the report. Did you have the "apparmor" package
> installed prior to building/installing the AA module?

I am pretty sure I did.

> There should be
> an "rmmod" in the apparmor postinst, and a module alias installed that
> loads the apparmor module instead of the capabilities module.
>

There is an rmmod in the postinst of the module - and this helps the
user start up apparmor right after installing the module. But as far as
I can tell there is no setting of alias in any of the apparmor files so
after booting apparmor is broken.

root@thimk:/var/lib/dpkg/info# grep alias apparmor*.postinst
root@thimk:/var/lib/dpkg/info#
root@thimk:/var/lib/dpkg/info# grep capa apparmor*.postinst
apparmor-modules-2.6.20-15-generic.postinst: rmmod capability
2>/dev/null || true

Per.

Right, the rmmod makes way for the /etc/modprobe.d/apparmor file, which reads:

 # Overload the generic "capability" security module
 alias capability apparmor

From a reboot, do you have steps I can follow that result in unexpected behavior? I can't reproduce the problem you're describing. (AFAICT, that error should only be possible if "apparmor" wasn't installed, but "apparmor-modules" was and you tried to load them.)

The module is loaded early - in the initrd. So a run of
# update-initramfs -u
seem to solve the issue. Maybe this should be added to the postinst of
the apparmor-modules?

Per.

I've rearranged when and how the apparmor module gets loaded. It's not very pretty, but it does appear to work correctly. The new version has been uploaded.

Description: Ubuntu 12.04.2 LTS
Release: 12.04

apparmor:
  Installed: 2.7.102-0ubuntu3.7
  Candidate: 2.7.102-0ubuntu3.7
  Version table:
 *** 2.7.102-0ubuntu3.7 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.7.102-0ubuntu3 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

Excepted Outcome: apparmor should have been automatically loaded after installation of the package apparmor.

Actual Outcome: apparmor is not loaded. Running "apparmor_status" gives the following error:

apparmor module is not loaded.

More information: This is a Ubuntu 12.04 VPS running on OpenVZ.

Should I file a new bug?

A failure under OpenVZ is likely an entirely different issue. Please open a new bug, and attach the output of
  ls /sys/module/apparmor

and
  mount