You are not logged in.
- Topics: Active | Unanswered
#1 2025-02-23 17:05:53
- HossamMaghrabi
- Member
- Registered: 2024-04-26
- Posts: 13
Faild to enabled Apparmor. I couldn't set LSM kernel paramete[SOLVED]
Hi There,
I am trying to enable Apparmor Mandatory Access Control (MAC) system that implemented upon the Linux Security Modules (LSM).
I follow the links to set the LSM Kernel Parameter and enable Kernel Lockdown, So I updated the /boot/grub/grub.cfg file with the following command,
set lsm=landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,ipe,bpf
set lockdown=integrity
and the command appear in boot screen but the /sys/kernel/security/lsm file not updated and the parameter not setting....
These are the links I used https://wiki.archlinux.org/title/AppArmor#Installation
https://wiki.archlinux.org/title/Kernel_parameters#GRUB
https://wiki.archlinux.org/title/Securi … kdown_mode
Also I used this link to get the order of ( lsm= ) parametes as referred in the wiki guide. https://git.kernel.org/pub/scm/linux/ke … ty/Kconfig
Your support is highly appreciated
Last edited by HossamMaghrabi (2025-02-27 17:03:11)
Offline
#2 2025-02-23 18:46:39
- V1del
- Forum Moderator
- Registered: 2012-10-16
- Posts: 24,120
Re: Faild to enabled Apparmor. I couldn't set LSM kernel paramete[SOLVED]
That's not how you set kernel parameters. If you're going to manually edit the grub.cfg just add them to the initramfs lines contaning the root and rw lines
Offline
#3 2025-02-23 19:02:17
- HossamMaghrabi
- Member
- Registered: 2024-04-26
- Posts: 13
Re: Faild to enabled Apparmor. I couldn't set LSM kernel paramete[SOLVED]
Ok. Could you please explain how can set kernel parameters or refer to the link that explain it?
Offline
#4 2025-02-23 19:07:22
- V1del
- Forum Moderator
- Registered: 2012-10-16
- Posts: 24,120
Re: Faild to enabled Apparmor. I couldn't set LSM kernel paramete[SOLVED]
You sent the link I'd give yourself, other than that if you edit grub cfg directly look at which line starts with linux vmlinuz-linux and add your params there. I don't have a linux here so I can't really give you a literal example but reading the cfg attentively should give you the line where this happens
Offline
#5 2025-02-23 19:12:09
- ewaller
- Administrator
- From: Pasadena, CA
- Registered: 2009-07-13
- Posts: 20,356
Re: Faild to enabled Apparmor. I couldn't set LSM kernel paramete[SOLVED]
HossamMaghrabi, If you were wondering where your posts went, I think you hit 'report' and not 'reply'. It happens.
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
Offline
#6 2025-02-23 19:33:20
- HossamMaghrabi
- Member
- Registered: 2024-04-26
- Posts: 13
Re: Faild to enabled Apparmor. I couldn't set LSM kernel paramete[SOLVED]
@ewaller,
Many thanks for correct me. I will take care next time..
Offline
#7 2025-02-23 19:34:41
- HossamMaghrabi
- Member
- Registered: 2024-04-26
- Posts: 13
Re: Faild to enabled Apparmor. I couldn't set LSM kernel paramete[SOLVED]
@V1del
I did that before I submit the problem on the forums " I put the line of LSM= in the (linux vmlinuz-linux) line" but the system fail when I reboot so I delete it.
Offline
#8 2025-02-25 00:19:36
- V1del
- Forum Moderator
- Registered: 2012-10-16
- Posts: 24,120
Re: Faild to enabled Apparmor. I couldn't set LSM kernel paramete[SOLVED]
That is the correct way to set them, but setting these values to the wrong thing will expectedly and intentionally lock you out of your system.
Why are you trying random lsm values instead of the one documented in the Apparmor page: lsm=landlock,lockdown,yama,integrity,apparmor,bpf https://wiki.archlinux.org/title/AppArmor#Installation
Offline
#9 2025-02-25 04:55:05
- HossamMaghrabi
- Member
- Registered: 2024-04-26
- Posts: 13
Re: Faild to enabled Apparmor. I couldn't set LSM kernel paramete[SOLVED]
@V1del,
First,
As I mentioned above, I use the way you explain like below.
1- I updated the GRUB_CMDLINE_LINUX_DEFAULT parameter in ( /etc/default/grub ) file as below:
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet lsm=landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,ipe,bpf"
then run ( grub-mkconfig -o /boot/grub/grub.cfg ) command, which updated the ( /boot/grub/grub.cfg ) file with this update, but when I rebooted my system, it failed to boot.
Second,
I didn't try random LSM values. I got it from the link mentioned in the document on the Apparmor page through this phrase (Examples of valid values and their order can be found in security/Kconfig). You can check it by clicking on the security/Kconfig link.
Your support is highly appreciated...
Offline
#10 2025-02-25 17:32:53
- V1del
- Forum Moderator
- Registered: 2012-10-16
- Posts: 24,120
Re: Faild to enabled Apparmor. I couldn't set LSM kernel paramete[SOLVED]
Just try to use the line I mentioned and that's part of the codeblock from the wiki article. Also what exactly fails, do you get an error message, do you not get a GUI, can you boot to a TTY? (add systemd.unit=multi-user.target to the list of kernel parameters to force boot into a TTY) If you can boot to a TTY, post
sudo journalctl -b | curl -F 'file=@-' 0x0.stif you can't, reboot after having removed the params and post
sudo journalctl -b-1 | curl -F 'file=@-' 0x0.stOffline
#11 2025-02-27 16:55:41
- HossamMaghrabi
- Member
- Registered: 2024-04-26
- Posts: 13
Re: Faild to enabled Apparmor. I couldn't set LSM kernel paramete[SOLVED]
@V1del,
Many Thanks..
It's working now..
I just changed the value of GRUB_CMDLINE_LINUX_DEFAULT parameter,
From : GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet lsm=landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,ipe,bpf"
To : GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet lsm=landlock,lockdown,yama,integrity,apparmor,bpf"
using, ( lsm=landlock,lockdown,yama,integrity,apparmor,bpf ) value as you suggested..
Thanks again...
Offline