
apparmor fails to load at startup

Reported by Lorenzo Zoffoli on 2009-05-12
This bug affects 15 people
Affects: linux (Ubuntu)
Importance: High
Assigned to: John Johansen

Bug Description

AppArmor can't be loaded on Ubuntu Karmic on kernel 2.6.30-2 or on 2.6.30-4.

The apparmor module can't be found:
$ sudo modprobe apparmor
FATAL: Module apparmor not found.

The apparmor daemon can't start, of course:
$ sudo /etc/init.d/apparmor start
 * Starting AppArmor
 * Loading AppArmor module... [fail]

affects: ubuntu → linux (Ubuntu)
tags: added: regression-potential
Jamie Strandboge (jdstrand) wrote :

This is because the Apparmor patches are not applied to the 2.6.30 kernel yet.

Changed in linux (Ubuntu):
importance: Undecided → High
status: New → Confirmed
Claudio Moretti (flyingstar16) wrote :

Jamie, you marked Bug #380326 as a duplicate of this. You mean that AppArmor and SecurityFS are the same thing or that the patches for SecurityFS have not been applied, like the AppArmor ones in this case?

Jamie Strandboge (jdstrand) wrote :

securityfs is loaded by apparmor (see /etc/apparmor/rc.apparmor.functions). It is failing to load because the apparmor patches are not forward ported yet.

SRElysian (srelysian) wrote :

Can confirm this is still not fixed as of: 2.6.30-8-generic

Andy Whitcroft (apw) on 2009-06-09
Changed in linux (Ubuntu):
assignee: nobody → John Johansen (jjohansen)
status: Confirmed → In Progress
dino99 (9d9) wrote :

hi,

new karmic kernel: 2.6.31.1-generic, and apparmor still failed to load

dino99 (9d9) wrote :

Same problem with 2.6.28-12-generic on jaunty32

Jamie Strandboge (jdstrand) wrote :

dino99,

This bug is being used to track the progress of the porting work for AppArmor in karmic. AppArmor is available in jaunty. Please file a different bug with the contents of dmesg, kern.log and output of '/etc/init.d/apparmor stop ; /etc/init.d/apparmor start' for your bug with jaunty.

Kees Cook (kees) on 2009-07-13
Changed in linux (Ubuntu):
status: In Progress → Fix Committed
John Johansen (jjohansen) wrote :

In the current fix apparmor is disabled by default, while further testing is done.

To enable apparmor, on the grub command line add
security=apparmor

dino99 (9d9) wrote :

Thanks,

everything seems to be correct now:

oem@oem-desktop:~$ sudo aa-status
[sudo] password for oem:
apparmor module is loaded.
21 profiles are loaded.
9 profiles are in enforce mode.
   /usr/share/gdm/guest-session/Xsession
   /usr/sbin/cupsd
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/sbin/avahi-daemon
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/tcpdump
   /usr/lib/cups/backend/cups-pdf
   /sbin/dhclient3
   /sbin/dhclient-script
12 profiles are in complain mode.
   /usr/sbin/traceroute
   /bin/ping
   /usr/sbin/mdnsd
   /usr/sbin/ntpd
   /usr/sbin/identd
   /usr/sbin/nmbd
   /usr/sbin/dnsmasq
   /sbin/klogd
   /usr/sbin/smbd
   /sbin/syslogd
   /sbin/syslog-ng
   /usr/sbin/nscd
6 processes have profiles defined.
4 processes are in enforce mode :
   /usr/sbin/cupsd (2914)
   /usr/sbin/avahi-daemon (2887)
   /sbin/dhclient3 (3212)
   /usr/sbin/avahi-daemon (2886)
2 processes are in complain mode.
   /sbin/syslogd (2447)
   /sbin/klogd (2470)
0 processes are unconfined but have a profile defined.

dino99 (9d9) wrote :

without adding security=apparmor, the result is:

oem@oem-desktop:~$ sudo aa-status
apparmor module is loaded.
apparmor filesystem is not mounted.

So, the fix is partial

dino99 (9d9) wrote :

oem@oem-desktop:~$ sudo dpkg-reconfigure apparmor
 * Starting AppArmor profiles
 * AppArmor not available as kernel LSM. [fail]
invoke-rc.d: initscript apparmor, action "start" failed.
 * Reloading AppArmor profiles
 * AppArmor not available as kernel LSM. [fail]
invoke-rc.d: initscript apparmor, action "reload" failed.

Jonathan Davies (jpds) wrote :

dino99: Yes, that is what this bug intends to fix and the fix is now in testing stages - hence why people are being asked to add the security field. :)

Kees Cook (kees) on 2009-08-03
Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
rzubaly (rzubaly) on 2009-10-01
Changed in linux (Ubuntu):
status: Fix Released → Fix Committed
status: Fix Committed → Fix Released
tlu (thomas-ludwig-gmx) wrote :

While apparmor works in Karmic with kernel 2.6.31.x, the mentioned error comes up when using the 2.6.32.x mainline kernel. Any idea how to fix this?

Dale Bowley (dale.bowley) wrote :

confirmed on my end also with Ubuntu 10.04 kernel 2.6.32-32.

output from aa_status:
apparmor module is loaded.
apparmor filesystem is not mounted.

Steve Beattie (sbeattie) wrote :

tlu: the kernel portion of apparmor had not been accepted in the 2.6.32.x kernels (it was accepted by upstream in 2.6.36). The mainline kernel packages did not include the apparmor patches.

Dale: all of the released Ubuntu 10.04 LTS kernels, including 2.6.32-32, have shipped with apparmor patches incorporated and enabled. The apparmor initscript is what mounts the securityfs/apparmor filesystem. By default, it should be located in /etc/rcS.d/; what does 'ls -l /etc/rcS.d/*apparmor' report? What does /proc/version_signature report?

Anyway, the specific issue that this bug report covered was fixed long ago. Dale, you'd probably be best off reporting a new bug, preferably via "ubuntu-bug apparmor". Thanks.
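
Added example, not part of the original thread and not Ubuntu's own initscript code: a small check that separates the failure states discussed above (kernel without AppArmor, AppArmor present but not selected with security=apparmor, securityfs not yet mounted by the initscript). It assumes the kernel exposes /sys/module/apparmor/parameters/enabled, as mainline AppArmor does; the `aa_state` name, its state strings and the root-prefix argument are hypothetical.

```shell
#!/bin/sh
# Added example: classify the AppArmor failure states seen in this thread.
# The optional argument is a hypothetical root prefix for running against a
# constructed tree; with no argument the live system is inspected.

aa_state() {
    root="${1:-}"
    mod="$root/sys/module/apparmor"
    fs="$root/sys/kernel/security/apparmor"

    # No module directory: kernel built without the AppArmor patches
    # (the 2.6.30 and mainline 2.6.32 cases above).
    if [ ! -d "$mod" ]; then
        echo "not-in-kernel"; return 0
    fi

    # Present but not the active LSM: check whether the boot line asked for it.
    enabled=$(cat "$mod/parameters/enabled" 2>/dev/null || echo "?")
    if [ "$enabled" != "Y" ]; then
        cmdline=$(cat "$root/proc/cmdline" 2>/dev/null || true)
        case " $cmdline " in
            *" security=apparmor "*) echo "disabled-despite-cmdline" ;;
            *)                       echo "disabled-needs-cmdline" ;;
        esac
        return 0
    fi

    # Active LSM, but the initscript has not mounted securityfs yet.
    if [ ! -d "$fs" ]; then
        echo "fs-not-mounted"; return 0
    fi
    echo "active"
}

aa_state "$@"
```

A result of `fs-not-mounted` points at the initscript (for example a missing /etc/rcS.d link) rather than at the kernel, which is the distinction drawn in the last comment above.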
