[Bug 1015249] New: libapparmor[1093]: Can't create cache directory '/etc/apparmor.d/cache': File exists
http://bugzilla.opensuse.org/show_bug.cgi?id=1015249

Bug ID: 1015249
Summary: libapparmor[1093]: Can't create cache directory '/etc/apparmor.d/cache': File exists
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
Assignee: suse-beta@cboltz.de
Reporter: Ulrich.Windl@rz.uni-regensburg.de
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

During boot the journal is filled with multiple errors like this (in 42.1 this was not present):

Dec 13 07:59:22 linux-n9gv libapparmor[1117]: Can't create cache directory '/etc/apparmor.d/cache': File exists
Dec 13 07:59:22 linux-n9gv libapparmor[1121]: Can't create cache directory '/etc/apparmor.d/cache': File exists
Dec 13 07:59:22 linux-n9gv libapparmor[1131]: Can't create cache directory '/etc/apparmor.d/cache': File exists
Dec 13 07:59:23 linux-n9gv libapparmor[1149]: Can't create cache directory '/etc/apparmor.d/cache': File exists
Dec 13 07:59:23 linux-n9gv libapparmor[1154]: Can't create cache directory '/etc/apparmor.d/cache': File exists
Dec 13 07:59:23 linux-n9gv libapparmor[1161]: Can't create cache directory '/etc/apparmor.d/cache': File exists
Dec 13 07:59:23 linux-n9gv libapparmor[1173]: Can't create cache directory '/etc/apparmor.d/cache': File exists
Dec 13 07:59:23 linux-n9gv libapparmor[1180]: Can't create cache directory '/etc/apparmor.d/cache': File exists
Dec 13 07:59:24 linux-n9gv libapparmor[1184]: Can't create cache directory '/etc/apparmor.d/cache': File exists
Dec 13 07:59:24 linux-n9gv libapparmor[1189]: Can't create cache directory '/etc/apparmor.d/cache': File exists
Dec 13 07:59:24 linux-n9gv libapparmor[1200]: Can't create cache directory '/etc/apparmor.d/cache': File exists
Dec 13 07:59:24 linux-n9gv libapparmor[1204]: Can't create cache directory '/etc/apparmor.d/cache': File exists
Dec 13 07:59:24 linux-n9gv libapparmor[1208]: Can't create cache directory '/etc/apparmor.d/cache': File exists
Dec 13 07:59:24 linux-n9gv libapparmor[1218]: Can't create cache directory '/etc/apparmor.d/cache': File exists
Dec 13 07:59:24 linux-n9gv libapparmor[1226]: Can't create cache directory '/etc/apparmor.d/cache': File exists
Dec 13 07:59:24 linux-n9gv libapparmor[1237]: Can't create cache directory '/etc/apparmor.d/cache': File exists
Dec 13 07:59:24 linux-n9gv libapparmor[1253]: Can't create cache directory '/etc/apparmor.d/cache': File exists
Dec 13 07:59:25 linux-n9gv libapparmor[1285]: Can't create cache directory '/etc/apparmor.d/cache': File exists
Dec 13 07:59:25 linux-n9gv libapparmor[1289]: Can't create cache directory '/etc/apparmor.d/cache': File exists
Dec 13 07:59:25 linux-n9gv libapparmor[1320]: Can't create cache directory '/etc/apparmor.d/cache': File exists
Dec 13 07:59:25 linux-n9gv libapparmor[1342]: Can't create cache directory '/etc/apparmor.d/cache': File exists

I think this kind of problem should NOT be logged.

--
You are receiving this mail because:
You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1015249#c1

--- Comment #1 from Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> ---
And here "cache" is actually a symbolic link:

# ll /etc/apparmor.d/cache
lrwxrwxrwx 1 root root 19 Nov 18 12:36 cache -> /var/cache/apparmor

http://bugzilla.opensuse.org/show_bug.cgi?id=1015249#c2

--- Comment #2 from Christian Boltz <suse-beta@cboltz.de> ---
Let me guess - you have /var/ or /var/cache/ as a separate partition, and it gets mounted after starting AppArmor?

See bug 980081 for more details.

The next AppArmor update for Leap (which I'm preparing right now) will delete the /etc/apparmor.d/cache symlink. It will be recreated as "real" directory so that the cache no longer depends on having /var/ mounted.

http://bugzilla.opensuse.org/show_bug.cgi?id=1015249#c3

--- Comment #3 from Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> ---
(In reply to Christian Boltz from comment #2)

/var is from BtrFS (/var/lib/machines is a subvolume mount of the same device).

Jan 02 07:53:24 linux-n9gv kernel: AppArmor: AppArmor initialized
Jan 02 07:53:45 linux-n9gv systemd[1]: var.mount: Directory /var to mount over is not empty, mounting anyway.

So blame systemd for that?

> The next AppArmor update for Leap (which I'm preparing right now) will delete
> the /etc/apparmor.d/cache symlink. It will be recreated as "real" directory so
> that the cache no longer depends on having /var/ mounted.

Why not fix the mount/execution order?

http://bugzilla.opensuse.org/show_bug.cgi?id=1015249#c5

--- Comment #5 from Christian Boltz <suse-beta@cboltz.de> ---
(In reply to Ulrich Windl from comment #3)

> /var is from BtrFS (/var/lib/machines is a subvolume mount of the same device).
>
> Jan 02 07:53:24 linux-n9gv kernel: AppArmor: AppArmor initialized
> Jan 02 07:53:45 linux-n9gv systemd[1]: var.mount: Directory /var to mount over is not empty, mounting anyway.

That explains it.

> So blame systemd for that?

I have "better" things to blame systemd for ;-) but they are slightly OT here. In this case, AppArmor doesn't specify a dependency on local-fs, so I'm not too surprised about the order.

> Why not fix the mount/execution order?

Because AppArmor profiles should be loaded as early as possible. If a process was started before loading its AppArmor profile, it will run unconfined forever - you can't "apply" an AppArmor profile on it. (Well, at least unless you restart it, but that results in a new process.)

Note that reloading profiles is different - if a process is already running with AppArmor confinement, the updated profile will be used for it.

http://bugzilla.opensuse.org/show_bug.cgi?id=1015249#c7

--- Comment #7 from Christian Boltz <suse-beta@cboltz.de> ---
The factory maintainers didn't really like writing the cache to /etc, and after some discussion I agreed to switch to /var/lib/apparmor/cache instead. /var/lib is part of the root filesystem in the default setup, and I also added After=var-lib.mount to apparmor.service as safety net.

If this causes any problems, DimStar officially allowed to blame him ;-)
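
Added example, not part of the bug report or of AppArmor: a shell check for the situation discussed in comments #2 to #7, where the profile cache path resolves (through a symlink) into a filesystem mounted separately from /. The function names are hypothetical, and the mount table is assumed to be in /proc/self/mounts format with no spaces in mount points.

```shell
#!/bin/sh
# Added example: find out which mount point a cache path really lives on.
# If that is not "/", the cache depends on a filesystem that may not be
# mounted yet when profiles are loaded early in boot.

# mount_point_of PATH MOUNT_TABLE
# Resolves symlinks in PATH, then prints the longest mount point from
# MOUNT_TABLE (fields: device mountpoint fstype ...) that contains it.
mount_point_of() {
    resolved=$(readlink -f -- "$1") || return 1
    awk -v p="$resolved" '
        {
            mp = $2
            # A mount point matches when it is "/", the path itself,
            # or a parent directory of the path.
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) > length(best))
                    best = mp
        }
        END { print best }
    ' "$2"
}

# cache_needs_late_mount PATH MOUNT_TABLE
# Returns 0 when the resolved cache path is NOT on the root filesystem.
cache_needs_late_mount() {
    mp=$(mount_point_of "$1" "$2") || return 2
    [ "$mp" != "/" ]
}

# Typical call on a running system (both paths as named in this thread):
#   cache_needs_late_mount /etc/apparmor.d/cache /proc/self/mounts \
#       && echo "cache depends on a separately mounted filesystem"
#   cache_needs_late_mount /var/lib/apparmor/cache /proc/self/mounts \
#       || echo "cache is on the root filesystem"
```
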

http://bugzilla.opensuse.org/show_bug.cgi?id=1015249#c8

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #8 from Christian Boltz <suse-beta@cboltz.de> ---
Update submitted for Leap 42.1 and 42.2.