[opensuse] Apparmor service doesn't work (since upgrade?) on leap 15.0
Some test machine, I can not exactly tell if apparmor was working on 42.3 where the machine came from, or even earlier 42.2 before that.
Default install, guess apparmor comes with that. Kde desktop.
Just booted up 15.0 and I observed a red line in the bootup messages speaking about apparmor.
Apparmor status says:
[sudo] password for root:
● apparmor.service - Load AppArmor profiles
   Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2018-06-13 10:52:33 CEST; 16min ago
 Main PID: 470 (code=exited, status=1/FAILURE)
Jun 13 10:52:31 linux apparmor.systemd[470]: Found reference to variable pid, but is never declared
Jun 13 10:52:31 linux apparmor.systemd[470]: Error: /etc/apparmor.d/usr.lib.dovecot.imap-login failed to load
Jun 13 10:52:31 linux apparmor.systemd[470]: Found reference to variable pid, but is never declared
Jun 13 10:52:31 linux apparmor.systemd[470]: Error: /etc/apparmor.d/usr.lib.dovecot.lmtp failed to load
Jun 13 10:52:31 linux apparmor.systemd[470]: Found reference to variable pid, but is never declared
.........
there was just an apparmor update I have noticed in zypper ref zypper up right now, maybe it will fix things, but I don't even know where to start fixing this: I have never taken any steps towards config files or settings of apparmor, so on the user side of this, I have never touched a thing (tm).
What is apparmor for normal users about exactly and how would one reset it to default, whyever or whenever those defaults changed to nonworking config, and how would one overcome such situations? Is apparmor even needed for normal users? I guess it is because suse distro decided to install it for me.
Any hint? TIA.
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 13/06/18 10:14, cagsm wrote:
> Some test machine, I can not exactly tell if apparmor was working on 42.3 where the machine came from, or even earlier 42.2 before that.
> Default install, guess apparmor comes with that. Kde desktop.
> Just booted up 15.0 and I observed a red line in the bootup messages speaking about apparmor.
> Apparmor status says:
> [sudo] password for root:
> ● apparmor.service - Load AppArmor profiles
>    Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
>    Active: failed (Result: exit-code) since Wed 2018-06-13 10:52:33 CEST; 16min ago
>  Main PID: 470 (code=exited, status=1/FAILURE)
> Jun 13 10:52:31 linux apparmor.systemd[470]: Found reference to variable pid, but is never declared
> Jun 13 10:52:31 linux apparmor.systemd[470]: Error: /etc/apparmor.d/usr.lib.dovecot.imap-login failed to load
> Jun 13 10:52:31 linux apparmor.systemd[470]: Found reference to variable pid, but is never declared
> Jun 13 10:52:31 linux apparmor.systemd[470]: Error: /etc/apparmor.d/usr.lib.dovecot.lmtp failed to load
> Jun 13 10:52:31 linux apparmor.systemd[470]: Found reference to variable pid, but is never declared
> .........
> there was just an apparmor update I have noticed in zypper ref zypper up right now, maybe it will fix things, but I don't even know where to start fixing this: I have never taken any steps towards config files or settings of apparmor, so on the user side of this, I have never touched a thing (tm).
> What is apparmor for normal users about exactly and how would one reset it to default, whyever or whenever those defaults changed to nonworking config, and how would one overcome such situations? Is apparmor even needed for normal users? I guess it is because suse distro decided to install it for me.
> Any hint? TIA.
One hint, look up apparmor. I looked here: https://en.wikipedia.org/wiki/AppArmor
Maybe that provides answers to some of your basic questions. I looked it up as I know little or nothing about what it's for other than, as you say, it's part of the default install. Moreover, as I understand the Wikipedia info, it is part of the kernel, so unless you tell the installer not to install it, it is installed by default. AFAIK it's the same on any distro, Linuxmint includes it, I imagine all the other distros do as well. When I have instructed the installer not to install it nothing terrible has happened here, but then I just run a single user machine and use it entirely for multimedia and web stuff, including email. Present openSUSE version is 42.3.
All of which is not meant to be clever, it's just that your question piqued my curiosity.
M
On 2018-06-13 11:14, cagsm wrote:
> Some test machine, I can not exactly tell if apparmor was working on 42.3 where the machine came from, or even earlier 42.2 before that.
> Default install, guess apparmor comes with that. Kde desktop.

AA has been installed for many years, but perhaps not enabled by default. AA basically is a tool to confine attacks to your machine with very small performance penalty. The tools tell the kernel what to allow an application to do. Say a daemon that typically reads things in /etc and writes some status to /var. Suddenly it tries to write to /bin - well, it is forbidden to do it, and you get an alert. It is possible that the daemon is compromised.

> there was just an apparmor update I have noticed in zypper ref zypper up right now, maybe it will fix things, but I don't even know where to start fixing this: I have never taken any steps towards config files or settings of apparmor, so on the user side of this, I have never touched a thing (tm).

The first thing is update. If there are errors in apparmor, tell bugzilla.

> What is apparmor for normal users about exactly and how would one reset it to default, whyever or whenever those defaults changed to nonworking config, and how would one overcome such situations? Is apparmor even needed for normal users? I guess it is because suse distro decided to install it for me.

Well, I would run "aa-logprof" and carefully apply changes. It is complicated to explain here. Instead, read the documentation: <https://doc.opensuse.org/documentation/leap/security/html/book.security/part.apparmor.html>
--
Cheers / Saludos,
Carlos E. R. (from openSUSE, Leap 15.0 x86_64 (ssd-test))
cagsm wrote:
> Just booted up 15.0 and I observed a red line in the bootup messages speaking about apparmor.
> Apparmor status says:
> [sudo] password for root:
> ● apparmor.service - Load AppArmor profiles
>    Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
>    Active: failed (Result: exit-code) since Wed 2018-06-13 10:52:33 CEST; 16min ago
>  Main PID: 470 (code=exited, status=1/FAILURE)
> Jun 13 10:52:31 linux apparmor.systemd[470]: Found reference to variable pid, but is never declared
> Jun 13 10:52:31 linux apparmor.systemd[470]: Error: /etc/apparmor.d/usr.lib.dovecot.imap-login failed to load

That is just a single profile that has failed. I have apparmor-profiles-2.12-lp150.5.1.noarch, what's yours?

> What is apparmor for normal users about exactly and how would one reset it to default,

Reinstalling apparmor would do it, except for anything you have added locally.

> whyever or whenever those defaults changed to nonworking config,

It's only that one profile, not all of apparmor.
--
Per Jessen, Zürich (14.6°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
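Added example (not written by any poster in this thread): a shell helper that lists which profiles failed to load, and the parser message logged just before each, from journal lines in the format quoted above. The sample lines are constructed from the thread's output, the function names are hypothetical, and pairing each Error line with the message preceding it is an assumption.

```shell
#!/bin/sh
# Constructed sample, modelled on the journal lines quoted in the thread.
sample_journal() {
cat <<'EOF'
Jun 13 10:52:31 linux apparmor.systemd[470]: Found reference to variable pid, but is never declared
Jun 13 10:52:31 linux apparmor.systemd[470]: Error: /etc/apparmor.d/usr.lib.dovecot.imap-login failed to load
Jun 13 10:52:31 linux apparmor.systemd[470]: Found reference to variable pid, but is never declared
Jun 13 10:52:31 linux apparmor.systemd[470]: Error: /etc/apparmor.d/usr.lib.dovecot.lmtp failed to load
Jun 13 10:52:31 linux apparmor.systemd[470]: Found reference to variable pid, but is never declared
EOF
}

# Reads journal text on stdin and prints "<profile path><TAB><parser message>"
# for every "failed to load" line. Assumption: the message explaining a
# failure is the apparmor.systemd line immediately before the Error line.
failed_profiles() {
    awk '
    {
        # Only consider lines logged by apparmor.systemd[PID]
        if ($0 !~ /apparmor\.systemd\[[0-9]+\]: /) next
        # Drop the syslog prefix, keeping the text after "]: "
        msg = substr($0, index($0, "]: ") + 3)
        if (msg ~ /^Error: .* failed to load$/) {
            path = msg
            sub(/^Error: /, "", path)
            sub(/ failed to load$/, "", path)
            printf "%s\t%s\n", path, (reason == "" ? "(no message)" : reason)
            reason = ""
        } else {
            reason = msg    # remember it for the next Error line
        }
    }'
}

# Number of distinct profiles that failed, to tell a few broken
# profiles apart from a wholesale AppArmor failure.
count_failed() { failed_profiles | cut -f1 | sort -u | wc -l | tr -d ' '; }

sample_journal | failed_profiles
# On a live system (needs permission to read the journal):
#   journalctl -b -u apparmor.service --no-pager | failed_profiles
```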
participants (4)
- cagsm
- Carlos E. R.
- michael norman
- Per Jessen