apparmor service not started on fresh install

Bug #1594695 reported by Roman Fiedler
Affects: apparmor (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

On a fresh install of LXC, the apparmor service (a dependency) is not started. In that case, it causes LXC guest startup to fail. The apparmor postinstall seems only to configure the service but does not start it:

if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ]; then
        if [ -x "/etc/init.d/apparmor" ]; then
                update-rc.d apparmor start 37 S . >/dev/null || true
        fi
fi

To me it is not clear if this is just an apparmor/lxc combination issue or may affect apparmor installs in general: in the latter case, machines might be unprotected till the first reboot (which might be quite some time on servers when there are no upstream security fixes requiring a reboot).

# lsb_release -rd
Description: Ubuntu 16.04 LTS
Release: 16.04

# apt-cache policy apparmor
apparmor:
  Installed: 2.10.95-0ubuntu2
  Candidate: 2.10.95-0ubuntu2
  Version table:
 *** 2.10.95-0ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status

Revision history for this message
Roman Fiedler (roman-fiedler-deactivatedaccount) wrote :

Status immediately after install:

# systemctl status apparmor.service
● apparmor.service - LSB: AppArmor initialization
   Loaded: loaded (/etc/init.d/apparmor; bad; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:systemd-sysv-generator(8)

Jun 21 07:44:20 hostname systemd[1]: apparmor.service: Unit cannot be reloaded because it is inactive.

Status after reboot:

# systemctl status apparmor.service
● apparmor.service - LSB: AppArmor initialization
   Loaded: loaded (/etc/init.d/apparmor; bad; vendor preset: enabled)
   Active: active (exited) since Tue 2016-06-21 07:48:37 UTC; 51s ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 0
   Memory: 0B
      CPU: 0

Jun 21 07:48:37 hostname systemd[1]: Starting LSB: AppArmor initialization...
Jun 21 07:48:37 hostname apparmor[369]: * Starting AppArmor profiles
Jun 21 07:48:37 hostname apparmor[369]: Skipping profile in /etc/apparmor.d/disa
Jun 21 07:48:37 hostname apparmor[369]: ...done.
Jun 21 07:48:37 hostname systemd[1]: Started LSB: AppArmor initialization.
lines 1-13/13 (END)

Revision history for this message
Tyler Hicks (tyhicks) wrote :

Hi Roman - thanks for the report. I'm having trouble reproducing this issue and need some more information.

Are you uninstalling apparmor, rebooting, and then installing lxc (which pulls in apparmor)? I tried doing that but had different results.

After installing lxc, when you show that the status of the apparmor.service is "inactive", can you provide the output of `sudo aa-status`?

Changed in ubuntu:
status: New → Incomplete
Revision history for this message
Roman Fiedler (roman-fiedler-deactivatedaccount) wrote :

Sorry for the delay.

No, we have an automatic setup system creating each machine from scratch. In this primary install the dpkg log seems to have the following sequence (see attachment, produced with "grep -E -e '(lxc|apparmor)' /var/log/dpkg.log").

As you can see, "libapparmor" is already unpacked in the debootstrap template (which was used to create a 60MB minimal system tgz for bootstrap initialization). But that should not hurt.

"apparmor" and "libapparmor-perl" are then installed as a dependency of the "lxc" package (same timestamp).

The "aa-status" after lxc install and before restarting apparmor manually:

apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

Status after manual start (funny: other processes also stay unconfined, because they were started earlier - is it easy to "hook" a restart of those when apparmor is installed?
Also: there are networkmanager profiles without nm package or whatsoever installed):

# aa-status
apparmor module is loaded.
10 profiles are loaded.
10 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/lxc-start
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/ntpd
   lxc-container-default
   lxc-container-default-cgns
   lxc-container-default-with-mounting
   lxc-container-default-with-nesting
0 profiles are in complain mode.
1 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/sbin/ntpd (1992)

Maybe LXC is just draining our attention from the real problem: under some circumstances, apparmor installs do not activate the profile.

I will create a plain install medium, just installing an empty machine with just the apparmor package and see if it shows the same behaviour.
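
The two conditions discussed in this thread (the description's "service registered by update-rc.d but never started, so nothing is confined until reboot", and the "1 processes are unconfined but have a profile defined" case in the aa-status output just above) can both be read off the aa-status text. The following script is an added example, not code from the bug report or from the apparmor package; the function names and the two sample outputs are this example's own, and the samples are constructed from the format quoted in the thread.

```sh
#!/bin/sh
# Added example (not from the bug report): post-install check for the state
# described in this thread. It parses aa-status text and reports
#   1) no profiles loaded at all: the unit was registered but never started;
#   2) processes that have a profile but still run unconfined because they
#      started before the profiles were loaded (they need a restart).
# Function names are this example's own.

# Constructed sample: aa-status right after "apt-get install apparmor" on
# the affected system (the condition reported above).
SAMPLE_INACTIVE='apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# Constructed sample: after a manual service start, with ntpd still
# unconfined because it started before the profiles were loaded
# (profile list abbreviated to two entries).
SAMPLE_STALE='apparmor module is loaded.
2 profiles are loaded.
2 profiles are in enforce mode.
   /usr/sbin/ntpd
   lxc-container-default
0 profiles are in complain mode.
1 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/sbin/ntpd (1992)'

# loaded_profiles STATUS_TEXT: print N from the "N profiles are loaded." line.
loaded_profiles() {
    printf '%s\n' "$1" | awk '/profiles are loaded\./ { print $1; exit }'
}

# unconfined_with_profile STATUS_TEXT: print the executable paths listed
# under "N processes are unconfined but have a profile defined." (the
# indented lines following that header, PID dropped), one per line.
unconfined_with_profile() {
    printf '%s\n' "$1" | awk '
        /processes are unconfined but have a profile defined/ { grab = 1; next }
        grab && /^[ \t]/ { print $1; next }
        grab { grab = 0 }
    '
}

# verify_apparmor_state STATUS_TEXT: return 0 when healthy, 1 when no
# profiles are loaded (the bug in this report), 2 when profiles are loaded
# but a process with a profile is still unconfined and needs a restart.
verify_apparmor_state() {
    n=$(loaded_profiles "$1")
    if [ "${n:-0}" -eq 0 ]; then
        echo "no AppArmor profiles loaded: unit registered but not started?" >&2
        return 1
    fi
    stale=$(unconfined_with_profile "$1")
    if [ -n "$stale" ]; then
        echo "profiles loaded, but these run unconfined and need a restart:" >&2
        printf '%s\n' "$stale" | sed 's/^/  /' >&2
        return 2
    fi
    return 0
}

# Live mode (root, Ubuntu with apparmor installed): check the real aa-status
# and, for the reported condition, start the unit now rather than waiting
# for the next reboot, then re-check.
live_check() {
    out=$(aa-status 2>/dev/null) || { echo "aa-status failed (run as root?)" >&2; return 3; }
    verify_apparmor_state "$out"
    rc=$?
    if [ "$rc" -eq 1 ]; then
        systemctl start apparmor.service && verify_apparmor_state "$(aa-status)"
        rc=$?
    fi
    return "$rc"
}

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run it as root with `--live` right after the package install; exit code 1 is the state shown in this report, exit code 2 lists the services (here ntpd) that must be restarted before their profile takes effect. Parsing the human-readable aa-status text is deliberately conservative (an unexpected format counts as "not loaded"); later AppArmor releases offer a machine-readable aa-status output that is the better choice where available.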

Revision history for this message
Roman Fiedler (roman-fiedler-deactivatedaccount) wrote :

dpkg.log of apparmor/lxc related packages.

Revision history for this message
Roman Fiedler (roman-fiedler-deactivatedaccount) wrote :

Now also tested on a host just using debootstrap for xenial, installing the kernel, reboot.

After reboot only "apt-get install apparmor".

Result:
* apparmor.service - LSB: AppArmor initialization
   Loaded: loaded (/etc/init.d/apparmor; bad; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:systemd-sysv-generator(8)

aa-status:

apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

So it seems to be the same also without LXC (only with LXC it will hurt, as guests will not start).

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for Ubuntu because there has been no activity for 60 days.]

Changed in ubuntu:
status: Incomplete → Expired
information type: Private Security → Public Security
affects: ubuntu → apparmor (Ubuntu)
Changed in apparmor (Ubuntu):
status: Expired → Won't Fix
status: Won't Fix → New
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Are you still able to reproduce this issue with later versions of Ubuntu?

Changed in apparmor (Ubuntu):
status: New → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for apparmor (Ubuntu) because there has been no activity for 60 days.]

Changed in apparmor (Ubuntu):
status: Incomplete → Expired