apparmor fails to load at startup

Bug #375422 reported by Lorenzo Zoffoli
This bug affects 15 people
Affects: linux (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: John Johansen

Bug Description

AppArmor can't be loaded on Ubuntu Karmic on kernel 2.6.30-2 or on 2.6.30-4

apparmor module can't be found:
$ sudo modprobe apparmor
FATAL: Module apparmor not found.

apparmor daemon can't start of course:
$ sudo /etc/init.d/apparmor start
 * Starting AppArmor
 * Loading AppArmor module... [fail]

affects: ubuntu → linux (Ubuntu)
tags: added: regression-potential
Jamie Strandboge (jdstrand) wrote :

This is because the Apparmor patches are not applied to the 2.6.30 kernel yet.

Changed in linux (Ubuntu):
importance: Undecided → High
status: New → Confirmed
Claudio Moretti (flyingstar16) wrote :

Jamie, you marked Bug #380326 as a duplicate of this. You mean that AppArmor and SecurityFS are the same thing or that the patches for SecurityFS have not been applied, like the AppArmor ones in this case?

Jamie Strandboge (jdstrand) wrote :

securityfs is loaded by apparmor (see /etc/apparmor/rc.apparmor.functions). It is failing to load because the apparmor patches are not forward ported yet.

SRElysian (srelysian) wrote :

Can confirm this is still not fixed as of: 2.6.30-8-generic

Andy Whitcroft (apw)
Changed in linux (Ubuntu):
assignee: nobody → John Johansen (jjohansen)
status: Confirmed → In Progress
dino99 (9d9) wrote :

hi,

new karmic kernel: 2.6.31.1-generic, and apparmor still failed to load

dino99 (9d9) wrote :

Same problem with 2.6.28-12-generic on jaunty32

Jamie Strandboge (jdstrand) wrote :

dino99,

This bug is being used to track the progress of the porting work for AppArmor in karmic. AppArmor is available in jaunty. Please file a different bug with the contents of dmesg, kern.log and output of '/etc/init.d/apparmor stop ; /etc/init.d/apparmor start' for your bug with jaunty.

Kees Cook (kees)
Changed in linux (Ubuntu):
status: In Progress → Fix Committed
John Johansen (jjohansen) wrote :

In the current fix apparmor is disabled by default, while further testing is done.

To enable apparmor, on the grub command line add
security=apparmor

dino99 (9d9) wrote :

Thanks,

everything seems to be correct now:

oem@oem-desktop:~$ sudo aa-status
[sudo] password for oem:
apparmor module is loaded.
21 profiles are loaded.
9 profiles are in enforce mode.
   /usr/share/gdm/guest-session/Xsession
   /usr/sbin/cupsd
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/sbin/avahi-daemon
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/tcpdump
   /usr/lib/cups/backend/cups-pdf
   /sbin/dhclient3
   /sbin/dhclient-script
12 profiles are in complain mode.
   /usr/sbin/traceroute
   /bin/ping
   /usr/sbin/mdnsd
   /usr/sbin/ntpd
   /usr/sbin/identd
   /usr/sbin/nmbd
   /usr/sbin/dnsmasq
   /sbin/klogd
   /usr/sbin/smbd
   /sbin/syslogd
   /sbin/syslog-ng
   /usr/sbin/nscd
6 processes have profiles defined.
4 processes are in enforce mode :
   /usr/sbin/cupsd (2914)
   /usr/sbin/avahi-daemon (2887)
   /sbin/dhclient3 (3212)
   /usr/sbin/avahi-daemon (2886)
2 processes are in complain mode.
   /sbin/syslogd (2447)
   /sbin/klogd (2470)
0 processes are unconfined but have a profile defined.

dino99 (9d9) wrote :

without adding security=apparmor, the result is:

oem@oem-desktop:~$ sudo aa-status
apparmor module is loaded.
apparmor filesystem is not mounted.

So, the fix is partial

dino99 (9d9) wrote :

oem@oem-desktop:~$ sudo dpkg-reconfigure apparmor
 * Starting AppArmor profiles
 * AppArmor not available as kernel LSM. [fail]
invoke-rc.d: initscript apparmor, action "start" failed.
 * Reloading AppArmor profiles
 * AppArmor not available as kernel LSM. [fail]
invoke-rc.d: initscript apparmor, action "reload" failed.

Jonathan Davies (jpds) wrote :

dino99: Yes, that is what this bug intends to fix and the fix is now in testing stages - hence why people are being asked to add the security field. :)

Kees Cook (kees)
Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
rzubaly (rzubaly)
Changed in linux (Ubuntu):
status: Fix Released → Fix Committed
status: Fix Committed → Fix Released
tlu (thomas-ludwig-gmx) wrote :

While apparmor works in Karmic with kernel 2.6.31.x, the mentioned error comes up when using the 2.6.32.x mainline kernel. Any idea how to fix this?

Dale Bowley (dale.bowley) wrote :

confirmed on my end also with Ubuntu 10.04 kernel 2.6.32-32.

output from aa_status:
apparmor module is loaded.
apparmor filesystem is not mounted.

Steve Beattie (sbeattie) wrote :

tlu: the kernel portion of apparmor had not been accepted in the 2.6.32.x kernels (it was accepted by upstream in 2.6.36). The mainline kernel packages did not include the apparmor patches.

Dale: all of the released Ubuntu 10.04 LTS kernels, including 2.6.32-32, have shipped with apparmor patches incorporated and enabled. The apparmor initscript is what mounts the securityfs/apparmor filesystem. By default, it should be located in /etc/rcS.d/; what does 'ls -l /etc/rcS.d/*apparmor' report? What does /proc/version_signature report?

Anyway, the specific issue that this bug report covered was fixed long ago. Dale, you'd probably be best off reporting a new bug, preferably via "ubuntu-bug apparmor". Thanks.
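
The states this thread runs into (AppArmor absent from the kernel, present but not selected at boot, and enabled without its securityfs directory) can be told apart from files the kernel exports. The script below is an added example, not part of the bug report or of the AppArmor tools; the state names and the root-prefix argument are this example's own conventions, and the /sys/module/apparmor/parameters/enabled check assumes the layout of current kernels.

```shell
#!/bin/sh
# Added example (not from the bug thread): classify the AppArmor state from
# files the kernel exports. State names and the root-prefix argument are
# this example's own conventions.

# True if the boot command line carries the exact token security=apparmor.
has_boot_param() {
    [ -r "$1" ] && tr ' ' '\n' < "$1" | grep -qx 'security=apparmor'
}

# aa_state [ROOT]: ROOT is a prefix (empty for the live system) so the same
# checks can run against a constructed directory tree.
aa_state() {
    root="${1:-}"
    mod="$root/sys/module/apparmor"
    if [ ! -d "$mod" ]; then
        echo "not-in-kernel"          # AppArmor code absent from this kernel
    elif [ "$(cat "$mod/parameters/enabled" 2>/dev/null)" != "Y" ]; then
        # Present but not the active LSM: report whether the boot option is set.
        if has_boot_param "$root/proc/cmdline"; then
            echo "disabled-with-boot-param"
        else
            echo "disabled-no-boot-param"
        fi
    elif [ ! -e "$root/sys/kernel/security/apparmor/profiles" ]; then
        echo "fs-not-mounted"         # enabled, but securityfs/apparmor missing
    else
        echo "active"
    fi
}

# Constructed sample: AppArmor built in, option missing from the command line.
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/sys/module/apparmor/parameters" "$t/proc"
    echo N > "$t/sys/module/apparmor/parameters/enabled"
    echo "ro quiet splash" > "$t/proc/cmdline"
    echo "$t"
}

tree=$(demo_tree)
echo "constructed tree: $(aa_state "$tree")"
echo "live system:      $(aa_state)"
rm -rf "$tree"
```

A result of "fs-not-mounted" matches the "apparmor filesystem is not mounted" line from aa-status quoted above, which points at the initscript or the securityfs mount rather than at the kernel.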
