You are not logged in.
- Topics: Active | Unanswered
#1 2020-10-09 23:53:52
- qinohe
- Member
- From: Netherlands
- Registered: 2012-06-20
- Posts: 1,534
[Solved]apparmor fails to start after upd. to 3.0.0-2
#see #3
Hi, Having trouble to figure out why it won't start, couldn't find useful info or profile updates too(Github)
This machine is a few moths old and apparmor has run fine until this upgrade, I also run firejail,which still works fine.
Apparmor setup is pretty basic.
aa-enabled
Yes#aa-status
apparmor module is loaded.
49 profiles are loaded.
49 profiles are in enforce mode.
/usr/lib/apache2/mpm-prefork/apache2
/usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
/usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
/usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
apache2
apache2//DEFAULT_URI
apache2//HANDLING_UNTRUSTED_INPUT
apache2//phpsysinfo
avahi-daemon
dnsmasq
dnsmasq//libvirt_leaseshelper
dovecot
dovecot-anvil
dovecot-auth
dovecot-config
dovecot-deliver
dovecot-dict
dovecot-dovecot-auth
dovecot-dovecot-lda
dovecot-dovecot-lda//sendmail
dovecot-imap
dovecot-imap-login
dovecot-lmtp
dovecot-log
dovecot-managesieve
dovecot-managesieve-login
dovecot-pop3
dovecot-pop3-login
dovecot-script-login
dovecot-ssl-params
dovecot-stats
identd
klogd
lsb_release
mdnsd
nmbd
nscd
ntpd
nvidia_modprobe
nvidia_modprobe//kmod
php-fpm
ping
smbd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
syslog-ng
syslogd
traceroute
winbindd
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.I have tried zen and default kernel,with these options:
apparmor=1 lsm=lockdown,yama,apparmorTried to re-enforce default profile:
#aa-enforce firejail-default
Setting /etc/apparmor.d/firejail-default to enforce mode.
ERROR: Found reference to variable run, but is never declaredThe status:
systemctl status apparmor.service
● apparmor.service - Load AppArmor profiles
Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Sat 2020-10-10 01:11:19 CEST; 11s ago
Process: 2233 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=1/FAILURE)
Main PID: 2233 (code=exited, status=1/FAILURE)
Oct 10 01:11:18 asterope systemd[1]: Starting Load AppArmor profiles...
Oct 10 01:11:18 asterope apparmor.systemd[2233]: Restarting AppArmor
Oct 10 01:11:18 asterope apparmor.systemd[2233]: Reloading AppArmor profiles
Oct 10 01:11:18 asterope apparmor.systemd[2243]: Found reference to variable run, but is never declared
Oct 10 01:11:19 asterope apparmor.systemd[2297]: Found reference to variable run, but is never declared
Oct 10 01:11:19 asterope apparmor.systemd[2233]: Error: At least one profile failed to load
Oct 10 01:11:19 asterope systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Oct 10 01:11:19 asterope systemd[1]: apparmor.service: Failed with result 'exit-code'.
Oct 10 01:11:19 asterope systemd[1]: Failed to start Load AppArmor profiles.Also journalctl -xe gives reasonable output, though, I don't know what I should change...:
t 10 01:11:18 asterope apparmor.systemd[2233]: Restarting AppArmor
Oct 10 01:11:18 asterope apparmor.systemd[2233]: Reloading AppArmor profiles
Oct 10 01:11:18 asterope apparmor.systemd[2243]: Found reference to variable run, but is never declared
Oct 10 01:11:18 asterope audit[2239]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="dovecot-anvil" pid=2239 comm="apparmor_parser"
Oct 10 01:11:18 asterope audit[2241]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="klogd" pid=2241 comm="apparmor_parser"
Oct 10 01:11:18 asterope audit[2245]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="dovecot-managesieve-login" pid=2245 comm="apparmor_parser"
Oct 10 01:11:18 asterope audit[2237]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="lsb_release" pid=2237 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2251]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="dovecot-log" pid=2251 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2247]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="nvidia_modprobe" pid=2247 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2247]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="nvidia_modprobe//kmod" pid=2247 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2244]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="avahi-daemon" pid=2244 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2246]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="nscd" pid=2246 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2248]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="dovecot-lmtp" pid=2248 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2242]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="ntpd" pid=2242 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2250]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="dovecot-dict" pid=2250 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2240]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="smbd" pid=2240 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2257]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="dovecot-ssl-params" pid=2257 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2253]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="syslogd" pid=2253 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2254]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="dovecot-config" pid=2254 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2255]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="dovecot-deliver" pid=2255 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2262]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="dovecot-imap-login" pid=2262 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2252]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="dnsmasq" pid=2252 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2252]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="dnsmasq//libvirt_leaseshelper" pid=2252 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2265]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="dovecot-stats" pid=2265 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2249]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="smbldap-useradd" pid=2249 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2258]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="dovecot-pop3" pid=2258 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2249]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="smbldap-useradd///etc/init.d/nscd" pid=2249 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2259]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="dovecot-imap" pid=2259 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2256]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="syslog-ng" pid=2256 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2260]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="winbindd" pid=2260 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2264]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="traceroute" pid=2264 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2261]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="dovecot" pid=2261 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2272]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="dovecot-pop3-login" pid=2272 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2266]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="php-fpm" pid=2266 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2268]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="ping" pid=2268 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2275]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="dovecot-managesieve" pid=2275 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2267]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="dovecot-dovecot-auth" pid=2267 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2270]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="mdnsd" pid=2270 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2269]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="dovecot-script-login" pid=2269 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2271]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="identd" pid=2271 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2273]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="dovecot-auth" pid=2273 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2276]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="nmbd" pid=2276 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2238]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/usr/lib/apache2/mpm-prefork/apache2" pid=2238 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2238]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI" pid=2238 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2238]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT" pid=2238 comm="app>
Oct 10 01:11:19 asterope audit[2238]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/usr/lib/apache2/mpm-prefork/apache2//phpsysinfo" pid=2238 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2274]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="dovecot-dovecot-lda" pid=2274 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2274]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="dovecot-dovecot-lda//sendmail" pid=2274 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2263]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="apache2" pid=2263 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2263]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="apache2//DEFAULT_URI" pid=2263 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2263]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="apache2//HANDLING_UNTRUSTED_INPUT" pid=2263 comm="apparmor_parser"
Oct 10 01:11:19 asterope audit[2263]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="apache2//phpsysinfo" pid=2263 comm="apparmor_parser"
Oct 10 01:11:19 asterope apparmor.systemd[2297]: Found reference to variable run, but is never declared
Oct 10 01:11:19 asterope apparmor.systemd[2233]: Error: At least one profile failed to load
Oct 10 01:11:19 asterope systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURELast edited by qinohe (2020-10-10 19:13:56)
Offline
#2 2020-10-10 03:06:07
- glitsj16
- Member
- Registered: 2015-04-26
- Posts: 126
Re: [Solved]apparmor fails to start after upd. to 3.0.0-2
Hi, the apparmor issue with firejail is known upstream. Until a proper fix is available the best thing to do is downgrading apparmor.
Offline
#3 2020-10-10 03:15:04
- qinohe
- Member
- From: Netherlands
- Registered: 2012-06-20
- Posts: 1,534
Re: [Solved]apparmor fails to start after upd. to 3.0.0-2
Thanks glitsj16, I even read through that page,completely missed it...
edit: the downgrade worked btw.;)
edit2: Had a little more time today,added commit https://github.com/netblue30/firejail/c … be091bd009 to '/etc/apparmor.d/firejail-default'
Problem solved 
Last edited by qinohe (2020-10-10 19:14:56)
Offline