Bug#959811: apparmor: Failed to start Load AppArmor profiles

Bug#959811: apparmor: Failed to start Load AppArmor profiles

Marco-6
Package: apparmor
Version: 2.13.4-1+b1
Severity: normal

Dear Maintainer,

   * What led up to the situation?

I was getting an error message when starting apparmor:

# systemctl status apparmor.service

● apparmor.service - Load AppArmor profiles
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Tue 2020-05-05 13:02:26 -03; 2min 3s ago
       Docs: man:apparmor(7)
             https://gitlab.com/apparmor/apparmor/wikis/home/
   Main PID: 6936 (code=exited, status=1/FAILURE)

systemd[1]: Starting Load AppArmor profiles...
apparmor.systemd[6936]: Restarting AppArmor
apparmor.systemd[6936]: Reloading AppArmor profiles
apparmor.systemd[6955]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/abstractions/authentication at line 49: Could not open 'abstractions/smbpass'
apparmor.systemd[7039]: AppArmor parser error for /etc/apparmor.d/usr.sbin.cupsd in /etc/apparmor.d/abstractions/authentication at line 49: Could not open 'abstractions/sm>
apparmor.systemd[6936]: Error: At least one profile failed to load
systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: apparmor.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Load AppArmor profiles.



   * What exactly did you do (or not do) that was effective (or
     ineffective)?

Modified /etc/apparmor.d/abstractions/smbpass

But I don't know if this is OK for everyone (or even for me). I just took a lucky guess.

This is the file now:

# vim:syntax=apparmor
# ------------------------------------------------------------------
#
#    Copyright (C) 2009 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

  # libpam-smbpass/pam_smbpass.so permissions
#  /var/lib/samba/*.[lt]db rwk,
   /var/lib/samba/*.tdb rwk,


   * What was the outcome of this action?

No errors.

# systemctl status apparmor.service
● apparmor.service - Load AppArmor profiles
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
     Active: active (exited) since Tue 2020-05-05 13:30:58 -03; 2s ago
       Docs: man:apparmor(7)
             https://gitlab.com/apparmor/apparmor/wikis/home/
    Process: 9800 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SUCCESS)
   Main PID: 9800 (code=exited, status=0/SUCCESS)

systemd[1]: Starting Load AppArmor profiles...
apparmor.systemd[9800]: Restarting AppArmor
apparmor.systemd[9800]: Reloading AppArmor profiles
systemd[1]: Finished Load AppArmor profiles.

I don't post this as a patch, because I'm not sure if it is. But this is how I managed to get apparmor running. Probably there's something more correct to do in this case.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.4.0-2-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=es_AR.UTF-8, LC_CTYPE=es_AR.UTF-8 (charmap=UTF-8), LANGUAGE=es_AR:es (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apparmor depends on:
ii  debconf [debconf-2.0]  1.5.74
ii  libc6                  2.30-4
ii  lsb-base               11.1.0
ii  python3                3.8.2-3

apparmor recommends no packages.

Versions of packages apparmor suggests:
pn  apparmor-profiles-extra  <none>
pn  apparmor-utils           <none>

-- Configuration Files:
/etc/apparmor.d/abstractions/smbpass changed:
  # libpam-smbpass/pam_smbpass.so permissions
   /var/lib/samba/*.tdb rwk,


-- debconf information excluded

Bug#959811: [pkg-apparmor] Bug#959811: apparmor: Failed to start Load AppArmor profiles

intrigeri-4
Control: tag -1 + moreinfo

Hi marco,

Marco (2020-05-05):

> I was getting an error message when starting apparmor:
>
> # systemctl status apparmor.service
>
> ● apparmor.service - Load AppArmor profiles
>      Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
>      Active: failed (Result: exit-code) since Tue 2020-05-05 13:02:26 -03; 2min 3s ago
>        Docs: man:apparmor(7)
>              https://gitlab.com/apparmor/apparmor/wikis/home/
>    Main PID: 6936 (code=exited, status=1/FAILURE)
>
> systemd[1]: Starting Load AppArmor profiles...
> apparmor.systemd[6936]: Restarting AppArmor
> apparmor.systemd[6936]: Reloading AppArmor profiles
> apparmor.systemd[6955]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/abstractions/authentication at line 49: Could not open 'abstractions/smbpass'
> apparmor.systemd[7039]: AppArmor parser error for /etc/apparmor.d/usr.sbin.cupsd in /etc/apparmor.d/abstractions/authentication at line 49: Could not open 'abstractions/sm>
> apparmor.systemd[6936]: Error: At least one profile failed to load
> systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
> systemd[1]: apparmor.service: Failed with result 'exit-code'.
> systemd[1]: Failed to start Load AppArmor profiles.

Thank you for reporting this. I cannot reproduce this problem here, so
I'll need some more information from you.

Could you please try to load a profile that uses
abstractions/authentication, for example this one (included in the
cups-daemon package):

  sudo apparmor_parser --verbose -r /etc/apparmor.d/usr.sbin.cupsd

This should be sufficient to trigger the bug and should display
more information about the problem.

Also, I suspect the problem comes from a conflict between
the default abstractions/smbpass rules, and another rule coming from
somewhere else, such as a local addition. So:

 - Did you add/modify any file in /etc/apparmor.d/tunables/*.d?

 - What's the output of this command:

     sudo rgrep samba /etc/apparmor.d/local/

Cheers!
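
A small triage helper for the failure discussed in this thread, added here as an example and not part of either message or of AppArmor itself. It pulls the failing include out of "Could not open" parser errors, including pager-truncated lines like the second one in the report, and checks whether that file is missing, a dangling symlink or unreadable under a given profile root. The function names are hypothetical.

```shell
#!/bin/sh
# Added example. SAMPLE_LOG is constructed from the two parser-error lines in
# the report; the second one is cut off by the pager, as in the original.
SAMPLE_LOG="apparmor.systemd[6955]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/abstractions/authentication at line 49: Could not open 'abstractions/smbpass'
apparmor.systemd[7039]: AppArmor parser error for /etc/apparmor.d/usr.sbin.cupsd in /etc/apparmor.d/abstractions/authentication at line 49: Could not open 'abstractions/sm>"

# parse_aa_errors (hypothetical helper): log lines on stdin, one record per
# "Could not open" error on stdout: profile|including_file|line|include|status
# status is "truncated" when the closing quote is missing (line was cut off).
parse_aa_errors() {
    pre='^.*AppArmor parser error for \(.*\) in \(.*\) at line \([0-9]*\): Could not open '
    sed -n -e "s/${pre}'\([^']*\)'.*/\1|\2|\3|\4|complete/p" -e t \
           -e "s/${pre}'\([^'>]*\).*/\1|\2|\3|\4|truncated/p"
}

# check_include ROOT INCLUDE STATUS: why the parser could not open the file.
check_include() {
    f="$1/$2"
    if [ "$3" = truncated ]; then
        # Include name is incomplete: re-read the log with --no-pager -l.
        echo truncated
    elif [ -L "$f" ] && [ ! -e "$f" ]; then
        echo dangling-symlink
    elif [ ! -e "$f" ]; then
        echo missing
    elif [ ! -r "$f" ]; then
        echo unreadable
    else
        echo present
    fi
}

# triage ROOT: read a log on stdin, print "include verdict" once per include.
triage() {
    parse_aa_errors | cut -d'|' -f4,5 | sort -u |
    while IFS='|' read -r inc status; do
        echo "$inc $(check_include "$1" "$inc" "$status")"
    done
}

# Stand-alone run against the constructed sample and the default profile root.
printf '%s\n' "$SAMPLE_LOG" | triage /etc/apparmor.d
```

A verdict of "present" means the file is readable now, so the parser error reflects an earlier state of the file or a problem other than the path.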