apparmor does not load profiles - "unable to register Apparmor" message

Bug #177924 reported by Harvey Muller on 2007-12-21
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Kees Cook

Bug Description

Binary package hint: apparmor

I am currently testing a recent daily version of Hardy Alpha 1 Desktop amd64, dated 20071218. This issue is not present in Gutsy.

The apparmor module appears not to be properly built. The problem presents itself initially in the dmesg log facility. Apparmor emits the following message:

    AppArmor: Unable to register Apparmor

 "sudo /etc/init.d/apparmor start" results in:

    $Loading AppArmor module: Failed.

"sudo modprobe apparmor" results in:

    FATAL: Module apparmor not found.

"sudo find / -name apparmor.ko -print" results in:


"sudo insmod /lib/modules/2.6.22-14-generic/ubuntu/security/apparmor/apparmor.ko" results in:

    insmod: error inserting '/lib/modules/2.6.22-14-generic/ubuntu/security/apparmor/apparmor.ko': -1 Invalid module format

I don't think this is a kernel bug, but will attach the standard kernel bug attachments just in case.

Any questions will be answered promptly.


Karl.Mo (partyboi2) wrote :

I am also having the same problem and receiving the same output for the commands listed above. However, I am using a 32-bit machine.

Nanley Chery (nanoman) wrote :

I can confirm this on two 32-bit computers running Hardy Alpha 2.

Changed in apparmor:
status: New → Confirmed

Confirmed on Ubuntu 8.04 32 bit running kernel 2.6.24.

I can confirm this on the latest Ubuntu 8.04 32-bit alpha2 version.

sam tygier (samtygier) wrote :

I am testing on powerpc. Booting fails. The last message is

    [ 1.919498] AppArmor: Unable to register AppArmor

Then I am left at a flashing prompt.

kaparen (kaparen) wrote :

Also, I can confirm this, running 32-bit Hardy Alpha 2.

Nanley Chery (nanoman) wrote :

OK, no more confirmation posts. I think this bug is pretty much confirmed.

Kees Cook (kees) wrote :

New upstream tools and scripts are being built now for the newer AppArmor release in the 2.6.24 kernel.

Changed in apparmor:
assignee: nobody → keescook
status: Confirmed → In Progress

Additionally, there is a bug in the module load order that will be fixed shortly. Until the next kernel release is available, we will need to boot with "capability.disable=1" as a kernel parameter to keep the redundant capability LSM out of the way so that AppArmor can load.
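
A way to check a machine against the workaround described above, as an added example that is not part of the original report or of AppArmor's tooling: it looks for the registration failure in the kernel log and for `capability.disable=1` as a whole token on the kernel command line. The function names and verdict strings are hypothetical, and the sample input is constructed around the one log line quoted in this report.

```shell
#!/bin/sh
# Added triage example; not part of the bug report or of AppArmor's tooling.
# Function names and verdict strings are hypothetical.

# True if the kernel log text in $1 holds the registration failure.
# Matched case-insensitively: the report quotes both "Apparmor" and "AppArmor".
register_failed() {
    printf '%s\n' "$1" | grep -iq 'AppArmor: Unable to register AppArmor'
}

# True if capability.disable=1 appears as a whole, space-separated token in $1,
# so that a different value such as capability.disable=10 does not match.
has_workaround() {
    case " $1 " in
        *" capability.disable=1 "*) return 0 ;;
    esac
    return 1
}

# Print one verdict for a (kernel log, kernel command line) pair.
triage() {
    if ! register_failed "$1"; then
        echo NO_FAILURE
    elif has_workaround "$2"; then
        echo FAILED_WITH_WORKAROUND
    else
        echo FAILED_NO_WORKAROUND
    fi
}

# Constructed sample input; only the AppArmor line is taken from the report.
SAMPLE_LOG='[ 1.900000] constructed: earlier boot message
[ 1.919498] AppArmor: Unable to register AppArmor
[ 1.950000] constructed: later boot message'
SAMPLE_CMDLINE='root=/dev/placeholder ro quiet splash'

triage "$SAMPLE_LOG" "$SAMPLE_CMDLINE"                         # workaround absent
triage "$SAMPLE_LOG" "$SAMPLE_CMDLINE capability.disable=1"    # workaround present
triage '[ 0.000000] constructed: clean boot' "$SAMPLE_CMDLINE" # no failure logged

# Live use: triage "$(dmesg)" "$(cat /proc/cmdline)"
```

A `FAILED_WITH_WORKAROUND` verdict means the failure is logged even though the parameter is on the command line, so the cause should be looked for elsewhere.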

Kees Cook (kees) wrote :

This is fixed in linux 2.6.24-4.7 (note that linux-meta has not yet been updated).

Changed in apparmor:
status: In Progress → Fix Released

AppArmor is not loading profiles for me on newly upgraded Hardy.
Calling aa-enforce or apparmor_parser --add or --replace causes apparmor_parser to hang at 100% CPU, requiring a manual reboot.

Booting with capability.disable=1 did not have any effect.

    ~#uname -a
    Linux Fray 2.6.24-16-generic #1 SMP Thu Apr 10 13:23:42 UTC 2008 i686 GNU/Linux

    ~#modprobe apparmor
    FATAL: Module apparmor not found.

    ~# /etc/init.d/apparmor force-reload
    Reloading AppArmor profiles Warning: found /etc/apparmor.d/force-complain/usr.sbin.mysqld, forcing complain mode
    : done.

Attached a messages log of attempting to enforce a relatively simple profile:

    /home/reet/dostuff.bash flags=(complain) {
      /bin/* rmix,
      /usr/lib/locale/* r,
      /proc/meminfo r,
      /lib/ld*so* rmix,
      /etc/locale* r,
      /dev/tty rw,
      /lib/* rmix,
      /etc/ r,
      /lib/tls/i686/cmov/lib*.so mr,
      /usr/lib/** r,
      /usr/share/** r,
      /home/reet/dostuff.bash r,
      /tmp/bleep rw,
    }

This worked fine as far as enforcing and complaining prior to dist-upgrade.

Am I doing something obviously wrong here?


I think the issue may be an old profile sitting in enforce mode during dist-upgrade that didn't get handled properly.

I was able to load the profile from scratch properly on a clean heron install on another machine.

tldr "nevermind i fixed it"
