[Bug 239147] New: apparmor does not work with 2.6.20 openSUSE 10.3 kernel
https://bugzilla.novell.com/show_bug.cgi?id=239147

           Summary: apparmor does not work with 2.6.20 openSUSE 10.3 kernel
           Product: openSUSE 10.3
           Version: unspecified
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Critical
          Priority: P5 - None
         Component: AutoYaST
        AssignedTo: ug@novell.com
        ReportedBy: aj@novell.com
         QAContact: qa@suse.de

rcapparmor start gives:

FATAL: Error inserting apparmor (/lib/modules/2.6.20-rc5-2-default/kernel/security/apparmor/apparmor.ko): Device or resource busy
Loading AppArmor module failed - could not start AppArmor

I see nothing in dmesg regarding this :-(

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.novell.com/show_bug.cgi?id=239147

ug@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|ug@novell.com               |dreynolds@novell.com
          Component|AutoYaST                    |AppArmor
          QAContact|qa@suse.de                  |dreynolds@novell.com

https://bugzilla.novell.com/show_bug.cgi?id=239147

dreynolds@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|dreynolds@novell.com        |jjohansen@novell.com

------- Comment #1 from dreynolds@novell.com 2007-01-26 15:31 MST -------
jj. are there known issues with our module in stable and 2.6.20? Is there another lsm module already loaded?

https://bugzilla.novell.com/show_bug.cgi?id=239147

dreynolds@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

https://bugzilla.novell.com/show_bug.cgi?id=239147

gp@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gp@novell.com

------- Comment #2 from gp@novell.com 2007-01-26 19:22 MST -------
I've been seeing this as well, both when using our 2.6.20-based HEAD kernel on openSUSE 10.2 and when installing STABLE today.

https://bugzilla.novell.com/show_bug.cgi?id=239147

------- Comment #3 from jjohansen@novell.com 2007-01-29 13:31 MST -------
When the kernel was migrated to 2.6.20, OLH had to modify apparmor so it would compile. At the same time the module_init function was modified to return -EBUSY to keep apparmor from loading until the changes were reviewed.

Unfortunately I missed the -EBUSY return when synching the apparmor module so it stayed :(

https://bugzilla.novell.com/show_bug.cgi?id=239147

------- Comment #4 from aj@novell.com 2007-01-30 01:52 MST -------
John, please fix this in our kernel repository!

https://bugzilla.novell.com/show_bug.cgi?id=239147

sboyce@blueyonder.co.uk changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sboyce@blueyonder.co.uk

------- Comment #5 from sboyce@blueyonder.co.uk 2007-01-31 05:55 MST -------
Also a good idea to update the download version so it will work with non-openSUSE kernels, it's been stagnant for ages.

https://bugzilla.novell.com/show_bug.cgi?id=239147

------- Comment #6 from sboyce@blueyonder.co.uk 2007-01-31 05:58 MST -------
Rather, it had been stagnant at 2.6.18 for ages.

https://bugzilla.novell.com/show_bug.cgi?id=239147

jjohansen@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

------- Comment #10 from jjohansen@novell.com 2007-02-05 17:56 MST -------
fixed 10.3 alpha 3

https://bugzilla.novell.com/show_bug.cgi?id=239147

dreynolds@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |casualprogrammer@yahoo.com

------- Comment #11 from dreynolds@novell.com 2007-02-13 09:45 MST -------
*** Bug 244507 has been marked as a duplicate of this bug. ***

https://bugzilla.novell.com/show_bug.cgi?id=239147

bjoern@cs.tu-berlin.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bjoern@cs.tu-berlin.de

------- Comment #12 from bjoern@cs.tu-berlin.de 2007-04-08 03:40 MST -------
Please update the download version (http://forge.novell.com/modules/xfcontent/downloads.php/apparmor/) too (see comment #5).

https://bugzilla.novell.com/show_bug.cgi?id=239147

------- Comment #13 from jjohansen@novell.com 2007-04-11 04:40 MST -------
(In reply to comment #12)
> Please update the download version (http://forge.novell.com/modules/xfcontent/downloads.php/apparmor/) too (see comment #5).

The "Development March 07 - SnapShot" contains the updated code with patches against 2.6.16, 2.6.17, 2.6.18, 2.6.19, and 2.6.20

https://bugzilla.novell.com/show_bug.cgi?id=239147

------- Comment #14 from bjoern@cs.tu-berlin.de 2007-04-14 04:21 MST -------
Yes, but unfortunately the patch from "Development March 07 - SnapShot" has problems with kernel 2.6.20.x.

My setup:
- openSUSE 10.2
- Vanilla kernel 2.6.20.6
- patch 2.6.20.3/apparmor-2.6.20.3-v405-fullseries.diff from "Development March 07 - SnapShot" (apparmor-kernel-patches-2.6.16-to-2.6.20.tar.gz)

The patch applies cleanly, but the module apparmor.ko does not load:

$ modprobe -v apparmor
insmod /lib/modules/2.6.20.6/kernel/security/apparmor/apparmor.ko
FATAL: Error inserting apparmor (/lib/modules/2.6.20.6/kernel/security/apparmor/apparmor.ko): Resource temporarily unavailable

dmesg says:

AppArmor: Unable to load AppArmor

https://bugzilla.novell.com/show_bug.cgi?id=239147

------- Comment #15 from jjohansen@novell.com 2007-04-16 00:04 MST -------
(In reply to comment #14)
> Yes, but unfortunately the patch from "Development March 07 - SnapShot" has problems with kernel 2.6.20.x.

Does lsmod report that the capability is loaded? If another LSM module has loaded before apparmor then it will fail to load.

https://bugzilla.novell.com/show_bug.cgi?id=239147

------- Comment #16 from sbeattie@novell.com 2007-04-16 12:41 MST -------
Unfortunately, lsmod won't tell you if you built the capability module (or selinux) as a builtin. You'll need to look in your dmesg buffer to see if another security module has already registered itself. You'll want to look at messages immediately following the line

  Security Framework v1.0.0 initialized

If capability was built as a builtin, you'd see a message like

  Capability LSM initialized

If it's the case that you built the capability module as a builtin, you can either rebuild your kernel with it configured as a module, or boot with "capability.disable=1" as an argument to the kernel.

https://bugzilla.novell.com/show_bug.cgi?id=239147

------- Comment #17 from bjoern@cs.tu-berlin.de 2007-04-18 05:22 MST -------
Thanks for the explanation. I had to disable SELinux with "selinux=0" in lilo/grub. Now apparmor loads successfully.

My "security" kernel configuration:

$ grep CONFIG_SECURITY /boot/config-2.6.20.7
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_NETWORK_XFRM is not set
CONFIG_SECURITY_CAPABILITIES=m
CONFIG_SECURITY_ROOTPLUG=m
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT is not set
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
CONFIG_SECURITY_APPARMOR=m

My kernel messages:

$ dmesg |grep -A1 "Security Framework"
Security Framework v1.0.0 initialized
SELinux:  Disabled at boot.
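
The check described in comments #16 and #17, as an added example that is not part of the original thread: it reads a kernel config and a saved dmesg log and reports which built-in LSM, invisible to lsmod, would keep apparmor.ko from loading. The function names and sample files are hypothetical; it assumes a built-in SELinux that was not disabled at boot has registered itself.

```shell
#!/bin/sh
# Added example: find the built-in LSM (which lsmod cannot show) that
# registered before apparmor.ko was loaded.

# after_banner DMESG_FILE: print the messages that follow the framework banner.
after_banner() {
    awk '/Security Framework v[0-9.]+ initialized/ { seen = 1; next } seen' "$1"
}

# config_is CONFIG_FILE KEY VALUE: succeed if the config sets KEY=VALUE.
config_is() {
    grep -q "^$2=$3\$" "$1"
}

# lsm_blocker CONFIG_FILE DMESG_FILE: print capability, selinux or none.
lsm_blocker() {
    if after_banner "$2" | grep -q 'Capability LSM initialized'; then
        echo capability   # remedy: capability.disable=1, or rebuild as a module
    elif config_is "$1" CONFIG_SECURITY_SELINUX y &&
         ! after_banner "$2" | grep -q 'SELinux: *Disabled at boot'; then
        # Assumption: built-in SELinux that was not disabled has registered.
        echo selinux      # remedy: boot with selinux=0
    else
        echo none
    fi
}

# Constructed samples modelled on comment #17: SELinux built in (=y),
# with dmesg as seen before and after booting with selinux=0.
demo_dir=$(mktemp -d)
printf '%s\n' 'CONFIG_SECURITY=y' 'CONFIG_SECURITY_CAPABILITIES=m' \
    'CONFIG_SECURITY_SELINUX=y' 'CONFIG_SECURITY_APPARMOR=m' > "$demo_dir/config"
printf '%s\n' 'Security Framework v1.0.0 initialized' > "$demo_dir/dmesg.before"
printf '%s\n' 'Security Framework v1.0.0 initialized' \
    'SELinux:  Disabled at boot.' > "$demo_dir/dmesg.after"

echo "before selinux=0: $(lsm_blocker "$demo_dir/config" "$demo_dir/dmesg.before")"
echo "after selinux=0:  $(lsm_blocker "$demo_dir/config" "$demo_dir/dmesg.after")"
rm -rf "$demo_dir"
```

On a live system, save the log with `dmesg > dmesg.txt` soon after boot, before the ring buffer wraps past the banner line.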