Running systemd, not grub.
Installed apparmor
ran sudo systemctl start apparmor.service
added "apparmor=1 security=apparmor" to /boot/loader/loader.conf
rebooted
and get
sudo aa-status
[sudo] password for john:
apparmor module is loaded.
apparmor filesystem is not mounted.
[john@Baby ~]$ sudo systemctl status apparmor
○ apparmor.service - Load AppArmor profiles
Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; preset: disabled)
Active: inactive (dead)
Condition: start condition unmet at Thu 2025-06-19 17:23:10 CDT; 1h 11min ago
└─ ConditionSecurity=apparmor was not met
Any help is appreciated.
Last edited by xlbooyahlx (2025-06-24 02:04:32)
Offline
Can you post your entire loader config with the kernel command line you're referencing?
Offline
xlbooyahlx wrote: added "apparmor=1 security=apparmor" to /boot/loader/loader.conf
Those are not the correct kernel parameters ("security=" has been deprecated for many years now and "apparmor=1" is not needed because it's enabled by default), and that is not the correct file.
Use "lsm=" like it's instructed in https://wiki.archlinux.org/title/AppArmor#Installation and add it to /boot/loader/entries/insert_file_name_here.conf like it says in https://wiki.archlinux.org/title/Kernel … stemd-boot.
Offline
That's what I did at first with no joy, so I went looking for other alternatives.
I just went back to /boot/loader/entries/arch.conf
and added "lsm=landlock,lockdown,yama,integrity,apparmor,bpf"
as per the wiki
the arch.conf was blank before adding that line the first time i edited it, and the only line in the file is as above.
to which I still get:
○ apparmor.service - Load AppArmor profiles
Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; preset: disabled)
Active: inactive (dead)
Condition: start condition unmet at Fri 2025-06-20 08:30:41 CDT; 29s ago
└─ ConditionSecurity=apparmor was not met
Docs: man:apparmor(7)
https://gitlab.com/apparmor/apparmor/wikis/home/
I tried it with and without the quotes and get the same result.
any other ideas? and ty for the response
Offline
Can you post your entire loader config with the kernel command line you're referencing?
/boot/loader/entries/arch.conf
"lsm=landlock,lockdown,yama,integrity,apparmor,bpf"
in its current state, and that's the only line in it, as it was blank before editing.
ty
Offline
That's not the correct syntax for systemd-boot's boot entry file.
If /boot/loader/entries/ was empty, are you using unified kernel images then? How are your current kernel parameters being set and how did you set up your boot loader?
Offline
cat /proc/cmdline
initrd=\initramfs-linux.img root=PARTUUID=cd75d4d5-54f2-49d7-a75a-ea8673e5ad05 zswap.enabled=0 rw rootfstype=ext4
sudo efibootmgr -v
BootCurrent: 0007
Timeout: 1 seconds
BootOrder: 0007,0003,0004
Boot0003* UEFI: PXE IP4 Intel(R) Ethernet Connection (6) I219-V PciRoot(0x0)/Pci(0x1f,0x6)/MAC(54b20391303b,0)/IPv4(0.0.0.0,0,DHCP,0.0.0.0,0.0.0.0,0.0.0.0)0000424f
dp: 02 01 0c 00 d0 41 03 0a 00 00 00 00 / 01 01 06 00 06 1f / 03 0b 25 00 54 b2 03 91 30 3b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 / 03 0c 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 / 7f ff 04 00
data: 00 00 42 4f
Boot0004* UEFI: PXE IP6 Intel(R) Ethernet Connection (6) I219-V PciRoot(0x0)/Pci(0x1f,0x6)/MAC(54b20391303b,0)/IPv6([::],0,Static,[::],[::],64)0000424f
dp: 02 01 0c 00 d0 41 03 0a 00 00 00 00 / 01 01 06 00 06 1f / 03 0b 25 00 54 b2 03 91 30 3b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 / 03 0d 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 / 7f ff 04 00
data: 00 00 42 4f
Boot0007* UEFI OS HD(1,GPT,1cfac0af-0748-4332-84fe-2023f8b52a5a,0x800,0x200000)/\EFI\BOOT\BOOTX64.EFI0000424f
dp: 04 01 2a 00 01 00 00 00 00 08 00 00 00 00 00 00 00 00 20 00 00 00 00 00 af c0 fa 1c 48 07 32 43 84 fe 20 23 f8 b5 2a 5a 02 02 / 04 04 30 00 5c 00 45 00 46 00 49 00 5c 00 42 00 4f 00 4f 00 54 00 5c 00 42 00 4f 00 4f 00 54 00 58 00 36 00 34 00 2e 00 45 00 46 00 49 00 00 00 / 7f ff 04 00
data: 00 00 42 4f
all set by choosing "use a best effort default partition" during archinstall
Last edited by xlbooyahlx (2025-06-20 22:04:28)
Offline
Post the output of
# bootctl list
Offline
type: Boot Loader Specification Type #1 (.conf)
title: Arch Linux (linux) (default) (selected)
id: 2025-06-15_23-35-35_linux.conf
source: /boot//loader/entries/2025-06-15_23-35-35_linux.conf (on the EFI System Partition)
linux: /boot//vmlinuz-linux
initrd: /boot//initramfs-linux.img
options: root=PARTUUID=cd75d4d5-54f2-49d7-a75a-ea8673e5ad05 zswap.enabled=0 rw rootfstype=ext4
type: Boot Loader Specification Type #1 (.conf)
title: Arch Linux (linux-fallback)
id: 2025-06-15_23-35-35_linux-fallback.conf
source: /boot//loader/entries/2025-06-15_23-35-35_linux-fallback.conf (on the EFI System Partition)
linux: /boot//vmlinuz-linux
initrd: /boot//initramfs-linux-fallback.img
options: root=PARTUUID=cd75d4d5-54f2-49d7-a75a-ea8673e5ad05 zswap.enabled=0 rw rootfstype=ext4
type: Automatic
title: Reboot Into Firmware Interface
id: auto-reboot-to-firmware-setup
source: /sys/firmware/efi/efivars/LoaderEntries-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f (on the EFI System Partition)
Last edited by xlbooyahlx (2025-06-21 04:51:39)
Offline
I thought your question gave me an "Ah ha" moment, so
sudo pacman -S apparmor
sudo systemctl enable apparmor.service
sudo systemctl start apparmor.service
I then added lsm=landlock,lockdown,yama,integrity,apparmor,bpf to the end of /boot//loader/entries/2025-06-15_23-35-35_linux.conf, rebooted and when I logged in my screen flashed a few times and then black screen with just a cursor, so I timeshifted back to previous state.
I guess the "Ah Ha" moment wasn't right
Last edited by xlbooyahlx (2025-06-21 05:23:40)
Offline
ok my brain is mush.
I attempted all over again
sudo pacman -S apparmor
edited my /boot//loader/entries/2025-06-15_23-35-35_linux.conf file to read as follows
# Created by: archinstall
# Created on: 2025-06-15_23-35-35
title Arch Linux (linux)
linux /vmlinuz-linux
initrd /initramfs-linux.img
options root=PARTUUID=cd75d4d5-54f2-49d7-a75a-ea8673e5ad05 zswap.enabled=0 rw rootfstype=ext4 lsm=landlock,lockdown,yama,integrity,apparmor,bpf
Before editing it read:
# Created by: archinstall
# Created on: 2025-06-15_23-35-35
title Arch Linux (linux)
linux /vmlinuz-linux
initrd /initramfs-linux.img
options root=PARTUUID=cd75d4d5-54f2-49d7-a75a-ea8673e5ad05 zswap.enabled=0 rw rootfstype=ext4
sudo systemctl enable apparmor.service
sudo systemctl start apparmor.service
rebooted
ran
sudo systemctl enable apparmor.service
sudo systemctl start apparmor.service
then ran
sudo aa-enabled
which came back as yes
then ran
sudo apparmor_status
which came back with quite a few lines that showed it was running
I rebooted again
after rebooting and login the screen flashed a few times and went black with just a cursor showing again, so I timeshifted back once again.
I need to get some sleep, and will check back with the expert when I wake.
Ty again for your help @nl6720
Last edited by xlbooyahlx (2025-06-21 16:18:27)
Offline
ok, I tried moving it to the front of the line which now reads:
# Created by: archinstall
# Created on: 2025-06-15_23-35-35
title Arch Linux (linux)
linux /vmlinuz-linux
initrd /initramfs-linux.img
options root=PARTUUID=cd75d4d5-54f2-49d7-a75a-ea8673e5ad05 zswap.enabled=0 rw lsm=landlock lockdown yama integrity apparmor bpf rootfstype=ext4
ran systemctl enable and start, rebooted and checked status
[john@Baby-iMac ~]$ sudo aa-status
[sudo] password for john:
apparmor module is loaded.
apparmor filesystem is not mounted.
[john@Baby-iMac ~]$ cat /proc/cmdline
initrd=\initramfs-linux.img root=PARTUUID=cd75d4d5-54f2-49d7-a75a-ea8673e5ad05 zswap.enabled=0 rw lsm=landlock lockdown yama integrity apparmor bpf rootfstype=ext4
[john@Baby-iMac ~]$ sudo systemctl status apparmor
○ apparmor.service - Load AppArmor profiles
Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; preset: disabled)
Active: inactive (dead)
Condition: start condition unmet at Sat 2025-06-21 12:21:42 CDT; 4min 27s ago
└─ ConditionSecurity=apparmor was not met
Docs: man:apparmor(7)
https://gitlab.com/apparmor/apparmor/wikis/home/
[john@Baby-iMac ~]$
so it's not running but it's booting to desktop, but I'm right back to square one
any help?
Last edited by xlbooyahlx (2025-06-21 20:08:18)
Offline
xlbooyahlx wrote:
# Created by: archinstall
# Created on: 2025-06-15_23-35-35
title Arch Linux (linux)
linux /vmlinuz-linux
initrd /initramfs-linux.img
options root=PARTUUID=cd75d4d5-54f2-49d7-a75a-ea8673e5ad05 zswap.enabled=0 rw rootfstype=ext4 lsm=landlock,lockdown,yama,integrity,apparmor,bpf
This looks correct.
xlbooyahlx wrote:
# Created by: archinstall
# Created on: 2025-06-15_23-35-35
title Arch Linux (linux)
linux /vmlinuz-linux
initrd /initramfs-linux.img
options root=PARTUUID=cd75d4d5-54f2-49d7-a75a-ea8673e5ad05 zswap.enabled=0 rw lsm=landlock lockdown yama integrity apparmor bpf rootfstype=ext4
This is incorrect. The lsm= parameter value must be separated by commas.
xlbooyahlx wrote: after rebooting and login the screen flashed a few times and went black with just a cursor showing again, so I timeshifted back once again.
When that happens, switch to a different virtual terminal, e.g. VT6 (tty6) using Alt+F6. Log in and check the journal for audit events involving AppArmor:
# journalctl -k --grep=apparmor
If you see lines with "DENIED", then AppArmor has blocked something. This may give a clue on how to proceed further.
Last edited by nl6720 (2025-06-22 12:02:48)
Offline
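The command lines posted in this thread, run through a small checker. This is an added example, not part of any post and not code from the AppArmor or systemd projects; `check_lsm`, `check_entry` and the verdict words are hypothetical names, and the PARTUUID is replaced by a placeholder.

```shell
#!/bin/sh
# Added example: check a kernel command line, or a systemd-boot entry file,
# for the lsm= mistakes made in this thread. Function names and verdict
# words are hypothetical, not part of any tool.

# check_lsm "<kernel command line>" -> prints one verdict word
check_lsm() (
    set -f    # word-split $1 on whitespace without expanding globs
    lsm_value='' have_lsm=no have_security=no bare_apparmor=no
    for param in $1; do
        case $param in
            lsm=*)      lsm_value=${param#lsm=}; have_lsm=yes ;;
            security=*) have_security=yes ;;
            apparmor)   bare_apparmor=yes ;;   # leftover of a space-separated list
        esac
    done
    if [ "$have_lsm" = no ] && [ "$have_security" = yes ]; then
        echo deprecated-security-param
    elif [ "$have_lsm" = no ]; then
        echo lsm-missing
    else
        # lsm= takes one comma-separated value; anything after a space is
        # a separate kernel parameter and is not part of the list.
        case ",$lsm_value," in
            *,apparmor,*) echo ok ;;
            *)  if [ "$bare_apparmor" = yes ]; then
                    echo space-separated-list
                else
                    echo apparmor-not-in-lsm
                fi ;;
        esac
    fi
)

# check_entry < entry.conf -> checks the "options" line(s) of a boot entry.
# A file holding only the parameter, without the "options" key, is reported.
check_entry() (
    opts=$(sed -n 's/^[[:space:]]*options[[:space:]][[:space:]]*//p')
    if [ -z "$opts" ]; then
        echo no-options-line
    else
        check_lsm "$opts"
    fi
)

# The states seen in the thread, in order (PARTUUID=XXXX is a placeholder).
demo() {
    check_lsm 'root=PARTUUID=XXXX zswap.enabled=0 rw rootfstype=ext4'
    printf '%s\n' '"lsm=landlock,lockdown,yama,integrity,apparmor,bpf"' | check_entry
    check_lsm 'root=PARTUUID=XXXX zswap.enabled=0 rw lsm=landlock lockdown yama integrity apparmor bpf rootfstype=ext4'
    check_lsm 'root=PARTUUID=XXXX zswap.enabled=0 rw rootfstype=ext4 lsm=landlock,lockdown,yama,integrity,apparmor,bpf'
}
demo

# On a running system: check_lsm "$(cat /proc/cmdline)"
```

The check against `/proc/cmdline` is the one that matters after a reboot, because it shows what the kernel actually received rather than what a file on the EFI System Partition says.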
Sorry for the pics, I couldn't paste it into a file on the virtual terminal, however it let me take a screenshot.
first screenshot
second screenshot
Last edited by xlbooyahlx (2025-06-22 14:00:41)
Offline
After seeing the error I put plasma shell in complain mode so at least it's booting now with apparmor running
[john@Baby-iMac ~]$ sudo aa-status
[sudo] password for john:
apparmor module is loaded.
161 profiles are loaded.
77 profiles are in enforce mode.
/usr/lib/apache2/mpm-prefork/apache2
/usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
/usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
/usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
apache2
apache2//DEFAULT_URI
apache2//HANDLING_UNTRUSTED_INPUT
apache2//phpsysinfo
avahi-daemon
dnsmasq
dnsmasq//libvirt_leaseshelper
dovecot
dovecot-anvil
dovecot-auth
dovecot-config
dovecot-deliver
dovecot-dict
dovecot-director
dovecot-doveadm-server
dovecot-dovecot-auth
dovecot-dovecot-lda
dovecot-dovecot-lda//sendmail
dovecot-imap
dovecot-imap-login
dovecot-lmtp
dovecot-log
dovecot-managesieve
dovecot-managesieve-login
dovecot-pop3
dovecot-pop3-login
dovecot-replicator
dovecot-script-login
dovecot-ssl-params
dovecot-stats
identd
klogd
lsb_release
mdnsd
nmbd
nscd
ntpd
nvidia_modprobe
nvidia_modprobe//kmod
php-fpm
ping
plasmashell//QtWebEngineProcess
samba-bgqd
samba-dcerpcd
samba-rpcd
samba-rpcd-classic
samba-rpcd-spoolss
sbuild
sbuild-abort
sbuild-adduser
sbuild-apt
sbuild-checkpackages
sbuild-clean
sbuild-createchroot
sbuild-destroychroot
sbuild-distupgrade
sbuild-hold
sbuild-shell
sbuild-unhold
sbuild-update
sbuild-upgrade
smbd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
syslog-ng
syslogd
traceroute
unix-chkpwd
unprivileged_userns
winbindd
zgrep
zgrep//helper
zgrep//sed
6 profiles are in complain mode.
Xorg
plasmashell
transmission-cli
transmission-daemon
transmission-gtk
transmission-qt
0 profiles are in prompt mode.
0 profiles are in kill mode.
78 profiles are in unconfined mode.
1password
Discord
MongoDB Compass
QtWebEngineProcess
balena-etcher
brave
buildah
busybox
cam
ch-checkns
ch-run
chrome
chromium
crun
devhelp
element-desktop
epiphany
evolution
firefox
flatpak
foliate
geary
github-desktop
goldendict
ipa_verify
kchmviewer
keybase
lc-compliance
libcamerify
linux-sandbox
loupe
lxc-attach
lxc-create
lxc-destroy
lxc-execute
lxc-stop
lxc-unshare
lxc-usernsexec
mmdebstrap
msedge
nautilus
notepadqq
obsidian
opam
opera
pageedit
podman
polypane
privacybrowser
qcam
qmapshack
qutebrowser
rootlesskit
rpm
rssguard
runc
scide
signal-desktop
slack
slirp4netns
steam
stress-ng
surfshark
systemd-coredump
thunderbird
toybox
trinity
tup
tuxedo-control-center
userbindmount
uwsgi-core
vdens
virtiofsd
vivaldi-bin
vpnns
vscode
wike
wpcom
5 processes have profiles defined.
0 processes are in enforce mode.
5 processes are in complain mode.
/usr/bin/plasmashell (1460) plasmashell
/usr/lib/qt6/QtWebEngineProcess (2113) plasmashell
/usr/lib/qt6/QtWebEngineProcess (2114) plasmashell
/usr/lib/qt6/QtWebEngineProcess (2116) plasmashell
/usr/lib/qt6/QtWebEngineProcess (2178) plasmashell
0 processes are in prompt mode.
0 processes are in kill mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
[john@Baby-iMac ~]$
Is it safe to run apparmor with the entire plasmashell in complain mode, and is it normal to have 78 profiles in unconfined mode?
Last edited by xlbooyahlx (2025-06-22 14:19:39)
Offline
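An added example (not from any post in this thread) that condenses the journal check suggested earlier: it groups AppArmor audit lines by profile and path, and also counts `ALLOWED` events, which is how the same rule gap is logged once a profile is in complain mode. The log lines are constructed samples in the kernel's audit format, and `summarize_events` and `sample_log` are hypothetical names.

```shell
#!/bin/sh
# Added example: summarise AppArmor audit events from kernel log text.
# summarize_events reads log lines on stdin and prints, most frequent first:
#   count <TAB> verdict <TAB> profile <TAB> operation <TAB> denied_mask <TAB> name
summarize_events() {
    awk '
    # Return the value of key="value" in the current line, or "-" if absent.
    function field(key,    re) {
        re = "[ ]" key "=\"[^\"]*\""
        if (!match($0, re)) return "-"
        return substr($0, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    {
        verdict = field("apparmor")
        # DENIED:  blocked by a profile in enforce mode.
        # ALLOWED: the profile has no matching rule either, but it is in
        #          complain mode, so the access is only logged.
        if (verdict != "DENIED" && verdict != "ALLOWED") next
        key = verdict "\t" field("profile") "\t" field("operation")
        key = key "\t" field("denied_mask") "\t" field("name")
        seen[key]++
    }
    END { for (key in seen) print seen[key] "\t" key }
    ' | sort -rn
}

# Constructed sample: timestamps, audit ids and pids are made up. The path is
# the one this thread identifies as missing from the plasmashell profile.
sample_log() {
    cat <<'EOF'
Jun 22 08:40:11 Baby-iMac kernel: audit: type=1400 audit(1750599611.101:80): apparmor="STATUS" operation="profile_load" profile="unconfined" name="plasmashell" pid=612 comm="apparmor_parser"
Jun 22 08:41:02 Baby-iMac kernel: audit: type=1400 audit(1750599662.120:87): apparmor="DENIED" operation="exec" class="file" profile="plasmashell" name="/usr/lib/qt6/QtWebEngineProcess" pid=1502 comm="plasmashell" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Jun 22 08:41:03 Baby-iMac kernel: audit: type=1400 audit(1750599663.004:88): apparmor="DENIED" operation="exec" class="file" profile="plasmashell" name="/usr/lib/qt6/QtWebEngineProcess" pid=1519 comm="plasmashell" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Jun 22 08:41:04 Baby-iMac kernel: audit: type=1400 audit(1750599664.310:89): apparmor="DENIED" operation="exec" class="file" profile="plasmashell" name="/usr/lib/qt6/QtWebEngineProcess" pid=1533 comm="plasmashell" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Jun 22 09:05:40 Baby-iMac kernel: audit: type=1400 audit(1750601140.512:41): apparmor="ALLOWED" operation="exec" class="file" profile="plasmashell" name="/usr/lib/qt6/QtWebEngineProcess" pid=1460 comm="plasmashell" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
EOF
}

sample_log | summarize_events

# On a running system: journalctl -k --grep=apparmor | summarize_events
```

A profile left in complain mode stops producing `DENIED` lines without the missing rule having been added, so the `ALLOWED` rows are the list of accesses that will break again when the profile returns to enforce mode.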
I also have 78 profiles in unconfined mode, so I guess it's normal. Unlike you, I don't have such an issue with plasmashell.
Looking at /etc/apparmor.d/plasmashell, it doesn't account for Arch's /usr/lib/qt6/QtWebEngineProcess path.
Try creating /etc/apparmor.d/local/plasmashell with the following contents:
/usr/lib/qt6/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess,
Offline
Did this
Try creating /etc/apparmor.d/local/plasmashell with the following contents:
and this
/usr/lib/qt6/QtWebEngineProcess
but you lost me here:
cx -> &plasmashell//QtWebEngineProcess,
ty again
Last edited by xlbooyahlx (2025-06-22 22:00:52)
Offline
What fixed it was putting plasmashell back in enforce, editing the /etc/apparmor.d/plasmashell file.
I took out the # in front of the line:
# allow executing QtWebEngineProcess with full permissions including userns (using profile stacking to avoid no_new_privs issues)
/usr/lib/x86_64-linux-gnu/qt[56]/libexec/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess,
/usr/libexec/qt[56]/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess,
/usr/lib/qt6/libexec/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess,
Everything working great now
Last edited by xlbooyahlx (2025-06-23 22:13:23)
Offline
Changes made to /etc/apparmor.d/plasmashell will be lost when the apparmor package gets an update. That's why I suggested changing /etc/apparmor.d/local/plasmashell instead.
xlbooyahlx wrote: What fixed it was putting plasmashell back in enforce, editing the /etc/apparmor.d/plasmashell file.
I took out the # in front of the line:
That line with a # in front of it is a comment. It makes no sense to uncomment it.
Please post your current working /etc/apparmor.d/plasmashell file.
If your issue is just with /usr/lib/qt6/QtWebEngineProcess as your screenshots showed, then creating /etc/apparmor.d/local/plasmashell with the single line I suggested should fix it.
Offline
ok I finally figured out what you meant when you said "Try creating /etc/apparmor.d/local/plasmashell with the following contents:".
/usr/lib/qt6/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess,
I wouldn't have chosen to use those words to convey what you meant, but I figured it out. Thanks again
sudo touch /etc/apparmor.d/local/plasmashell
sudo nano /etc/apparmor.d/local/plasmashell
added the following lines:
/usr/lib/qt6/QtWebEngineProcess
cx -> &plasmashell//QtWebEngineProcess,
After doing that I get:
[john@Baby-iMac ~]$ sudo aa-status
[sudo] password for john:
apparmor module is loaded.
161 profiles are loaded.
78 profiles are in enforce mode.
/usr/lib/apache2/mpm-prefork/apache2
/usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
/usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
/usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
apache2
apache2//DEFAULT_URI
apache2//HANDLING_UNTRUSTED_INPUT
apache2//phpsysinfo
avahi-daemon
dnsmasq
dnsmasq//libvirt_leaseshelper
dovecot
dovecot-anvil
dovecot-auth
dovecot-config
dovecot-deliver
dovecot-dict
dovecot-director
dovecot-doveadm-server
dovecot-dovecot-auth
dovecot-dovecot-lda
dovecot-dovecot-lda//sendmail
dovecot-imap
dovecot-imap-login
dovecot-lmtp
dovecot-log
dovecot-managesieve
dovecot-managesieve-login
dovecot-pop3
dovecot-pop3-login
dovecot-replicator
dovecot-script-login
dovecot-ssl-params
dovecot-stats
identd
klogd
lsb_release
mdnsd
nmbd
nscd
ntpd
nvidia_modprobe
nvidia_modprobe//kmod
php-fpm
ping
plasmashell
plasmashell//QtWebEngineProcess
samba-bgqd
samba-dcerpcd
samba-rpcd
samba-rpcd-classic
samba-rpcd-spoolss
sbuild
sbuild-abort
sbuild-adduser
sbuild-apt
sbuild-checkpackages
sbuild-clean
sbuild-createchroot
sbuild-destroychroot
sbuild-distupgrade
sbuild-hold
sbuild-shell
sbuild-unhold
sbuild-update
sbuild-upgrade
smbd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
syslog-ng
syslogd
traceroute
unix-chkpwd
unprivileged_userns
winbindd
zgrep
zgrep//helper
zgrep//sed
5 profiles are in complain mode.
Xorg
transmission-cli
transmission-daemon
transmission-gtk
transmission-qt
0 profiles are in prompt mode.
0 profiles are in kill mode.
78 profiles are in unconfined mode.
1password
Discord
MongoDB Compass
QtWebEngineProcess
balena-etcher
brave
buildah
busybox
cam
ch-checkns
ch-run
chrome
chromium
crun
devhelp
element-desktop
epiphany
evolution
firefox
flatpak
foliate
geary
github-desktop
goldendict
ipa_verify
kchmviewer
keybase
lc-compliance
libcamerify
linux-sandbox
loupe
lxc-attach
lxc-create
lxc-destroy
lxc-execute
lxc-stop
lxc-unshare
lxc-usernsexec
mmdebstrap
msedge
nautilus
notepadqq
obsidian
opam
opera
pageedit
podman
polypane
privacybrowser
qcam
qmapshack
qutebrowser
rootlesskit
rpm
rssguard
runc
scide
signal-desktop
slack
slirp4netns
steam
stress-ng
surfshark
systemd-coredump
thunderbird
toybox
trinity
tup
tuxedo-control-center
userbindmount
uwsgi-core
vdens
virtiofsd
vivaldi-bin
vpnns
vscode
wike
wpcom
5 processes have profiles defined.
5 processes are in enforce mode.
/usr/bin/plasmashell (1468) plasmashell
/usr/lib/qt6/QtWebEngineProcess (2118) plasmashell//&plasmashell//QtWebEngineProcess
/usr/lib/qt6/QtWebEngineProcess (2119) plasmashell//&plasmashell//QtWebEngineProcess
/usr/lib/qt6/QtWebEngineProcess (2121) plasmashell//&plasmashell//QtWebEngineProcess
/usr/lib/qt6/QtWebEngineProcess (2187) plasmashell//&plasmashell//QtWebEngineProcess
0 processes are in complain mode.
0 processes are in prompt mode.
0 processes are in kill mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
[john@Baby-iMac ~]$
Thank you for your help and patience
Last edited by xlbooyahlx (2025-06-24 14:56:19)
Offline
Sorry for not wording it clearly enough.
I submitted a merge request to include Arch's QtWebEngineProcess path. If upstream merges it, then this issue will be solved once a new AppArmor release is out.
Offline
Thank You Brother!
Offline
If they fix it will I need to undo what I did, or will it still be ok?
Offline
There won't be any harm in keeping your changes until the plasmashell profile diverges enough to cause issues (e.g. if they ever remove the QtWebEngineProcess sub-profile in the future).
Offline