Apparmor.service fails to load

Hi,

I had an update to the package apparmor earlier today:

[2020-10-09T12:31:31+0200] [ALPM] upgraded apparmor (2.13.4-6 -> 3.0.0-2)

Now when I just rebooted the system, I noticed a red failed line in boot messages. Once in the desktop, I get:

systemctl --failed
  UNIT             LOAD   ACTIVE SUB    DESCRIPTION           
● apparmor.service loaded failed failed Load AppArmor profiles

sudo systemctl start apparmor.service

Job for apparmor.service failed because the control process exited with error code.
See "systemctl status apparmor.service" and "journalctl -xe" for details.

systemctl status apparmor.service

● apparmor.service - Load AppArmor profiles
Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Fri 2020-10-09 17:07:24 CEST; 18min ago
Process: 4399 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=1/FAILURE)
Main PID: 4399 (code=exited, status=1/FAILURE)

Oct 09 17:07:23 eos-cinnamon systemd[1]: Starting Load AppArmor profiles...
Oct 09 17:07:23 eos-cinnamon apparmor.systemd[4399]: Restarting AppArmor
Oct 09 17:07:23 eos-cinnamon apparmor.systemd[4399]: Reloading AppArmor profiles
Oct 09 17:07:23 eos-cinnamon apparmor.systemd[4404]: Found reference to variable run, but is never declared
Oct 09 17:07:24 eos-cinnamon apparmor.systemd[4464]: Found reference to variable run, but is never declared
Oct 09 17:07:24 eos-cinnamon apparmor.systemd[4399]: Error: At least one profile failed to load
Oct 09 17:07:24 eos-cinnamon systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Oct 09 17:07:24 eos-cinnamon systemd[1]: apparmor.service: Failed with result 'exit-code'.
Oct 09 17:07:24 eos-cinnamon systemd[1]: Failed to start Load AppArmor profiles.

inxi -Fxxxz

System: Kernel: 5.8.14-zen1-1-zen x86_64 bits: 64 compiler: gcc v: 10.2.0 Desktop: Cinnamon 4.6.7 tk: GTK 3.24.23
info: plank wm: muffin dm: LightDM 1.30.0 Distro: Arch Linux
Machine: Type: Laptop System: LENOVO product: 82A2 v: Yoga Slim 7 14ARE05 serial: Chassis: type: 10
v: Yoga Slim 7 14ARE05 serial:
Mobo: LENOVO model: LNVNB161216 v: SDK0J40709 WIN serial: UEFI: LENOVO v: DMCN32WW date: 07/14/2020
Battery: ID-1: BAT1 charge: 61.1 Wh condition: 61.1/60.7 Wh (101%) volts: 17.5/15.4 model: Sunwoda L19D4PF4 type: Li-poly
serial: status: Full cycles: 18
CPU: Info: 8-Core model: AMD Ryzen 7 4800U with Radeon Graphics bits: 64 type: MT MCP arch: Zen rev: 1
L2 cache: 4096 KiB
flags: avx avx2 lm nx pae sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm bogomips: 57488
Speed: 1397 MHz min/max: 1400/1800 MHz boost: enabled Core speeds (MHz): 1: 1397 2: 1397 3: 1397 4: 1396 5: 1397
6: 1396 7: 1397 8: 1396 9: 1397 10: 1397 11: 1397 12: 1397 13: 1397 14: 1396 15: 1396 16: 1396
Graphics: Device-1: Advanced Micro Devices [AMD/ATI] Renoir vendor: Lenovo driver: amdgpu v: kernel bus ID: 03:00.0
chip ID: 1002:1636
Device-2: Chicony Integrated Camera type: USB driver: uvcvideo bus ID: 1-4:4 chip ID: 04f2:b6cb serial:
Display: x11 server: X.Org 1.20.9 driver: amdgpu,ati unloaded: fbdev,modesetting,vesa resolution: 1920x1080~60Hz
s-dpi: 96
OpenGL: renderer: AMD RENOIR (DRM 3.38.0 5.8.14-zen1-1-zen LLVM 10.0.1) v: 4.6 Mesa 20.2.0 direct render: Yes
Audio: Device-1: Advanced Micro Devices [AMD/ATI] vendor: Lenovo driver: snd_hda_intel v: kernel bus ID: 03:00.1
chip ID: 1002:1637
Device-2: Advanced Micro Devices [AMD] Raven/Raven2/FireFlight/Renoir Audio Processor vendor: Lenovo
driver: snd_rn_pci_acp3x v: kernel bus ID: 03:00.5 chip ID: 1022:15e2
Device-3: Advanced Micro Devices [AMD] Family 17h HD Audio vendor: Lenovo driver: snd_hda_intel v: kernel
bus ID: 03:00.6 chip ID: 1022:15e3
Sound Server: ALSA v: k5.8.14-zen1-1-zen
Network: Device-1: Intel Wi-Fi 6 AX200 driver: iwlwifi v: kernel bus ID: 01:00.0 chip ID: 8086:2723
IF: wlan0 state: down mac:
Device-2: Samsung GT-I9070 (network tethering USB debugging enabled) type: USB driver: rndis_host bus ID: 3-2:4
chip ID: 04e8:6864 serial:
IF: enp3s0f4u2 state: unknown speed: N/A duplex: N/A mac:
IF-ID-1: tun0 state: unknown speed: 10 Mbps duplex: full mac: N/A
Drives: Local Storage: total: 983.68 GiB used: 56.54 GiB (5.7%)
ID-1: /dev/nvme0n1 vendor: SK Hynix model: HFS001TD9TNG-L3A0B size: 953.87 GiB speed: 31.6 Gb/s lanes: 4
serial: rev: 80050C10 scheme: GPT
ID-2: /dev/sda type: USB vendor: Generic model: MassStorageClass size: 29.81 GiB serial: rev: 2402
scheme: GPT
Partition: ID-1: / size: 50.00 GiB used: 17.63 GiB (35.3%) fs: btrfs dev: /dev/nvme0n1p4
ID-2: /home size: 50.00 GiB used: 17.63 GiB (35.3%) fs: btrfs dev: /dev/nvme0n1p4
Swap: ID-1: swap-1 type: partition size: 10.00 GiB used: 0 KiB (0.0%) priority: -2 dev: /dev/nvme0n1p10
ID-2: swap-2 type: zram size: 512.0 MiB used: 0 KiB (0.0%) priority: 100 dev: /dev/zram0
Sensors: System Temperatures: cpu: 60.0 C mobo: N/A gpu: amdgpu temp: 43.0 C
Fan Speeds (RPM): N/A
Info: Processes: 388 Uptime: 27m Memory: 15.06 GiB used: 1.82 GiB (12.1%) Init: systemd v: 246 Compilers: gcc: 10.2.0
Packages: pacman: 1011 Shell: Bash v: 5.0.18 running in: gnome-terminal inxi: 3.1.07

I would appreciate any help to resolve this issue. Please let me know if I should run any other command to provide more info.

Did you check to ensure you don’t have any pacnew files that need to be merged?

1 Like

No, I did not. I am going to do it now. Thanks for the reply!

1 Like

You can always peek: journalctl -u apparmor.service

And maybe it's something partial? idk :slight_smile:

@dalto

I looked into /etc/apparmor and /etc/apparmor.d. There doesn’t seem to be any pacnew file. Should I be searching somewhere else?

You can run pacdiff

https://wiki.archlinux.org/index.php/Pacman/Pacnew_and_Pacsave#Managing_.pac*_files

1 Like

@ringo

This is what I get:


journalctl -u apparmor.service
-- Logs begin at Fri 2020-10-09 16:52:48 CEST, end at Fri 2020-10-09 17:38:43 CEST. --
Oct 09 16:52:48 eos-cinnamon apparmor.systemd[361]: Restarting AppArmor
Oct 09 16:52:48 eos-cinnamon apparmor.systemd[361]: Reloading AppArmor profiles
Oct 09 16:52:48 eos-cinnamon apparmor.systemd[378]: Found reference to variable run, but is never declared
Oct 09 16:52:48 eos-cinnamon apparmor.systemd[608]: Found reference to variable run, but is never declared
Oct 09 16:52:49 eos-cinnamon apparmor.systemd[361]: Error: At least one profile failed to load
Oct 09 16:52:49 eos-cinnamon systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Oct 09 16:52:49 eos-cinnamon systemd[1]: apparmor.service: Failed with result 'exit-code'.
Oct 09 16:52:49 eos-cinnamon systemd[1]: Failed to start Load AppArmor profiles.
Oct 09 16:55:55 eos-cinnamon systemd[1]: Starting Load AppArmor profiles...
Oct 09 16:55:55 eos-cinnamon apparmor.systemd[3171]: Restarting AppArmor
Oct 09 16:55:55 eos-cinnamon apparmor.systemd[3171]: Reloading AppArmor profiles
Oct 09 16:55:55 eos-cinnamon apparmor.systemd[3176]: Found reference to variable run, but is never declared
Oct 09 16:55:56 eos-cinnamon apparmor.systemd[3236]: Found reference to variable run, but is never declared
Oct 09 16:55:56 eos-cinnamon apparmor.systemd[3171]: Error: At least one profile failed to load
Oct 09 16:55:56 eos-cinnamon systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Oct 09 16:55:56 eos-cinnamon systemd[1]: apparmor.service: Failed with result 'exit-code'.
Oct 09 16:55:56 eos-cinnamon systemd[1]: Failed to start Load AppArmor profiles.
Oct 09 17:07:23 eos-cinnamon systemd[1]: Starting Load AppArmor profiles...
Oct 09 17:07:23 eos-cinnamon apparmor.systemd[4399]: Restarting AppArmor
Oct 09 17:07:23 eos-cinnamon apparmor.systemd[4399]: Reloading AppArmor profiles
Oct 09 17:07:23 eos-cinnamon apparmor.systemd[4404]: Found reference to variable run, but is never declared
Oct 09 17:07:24 eos-cinnamon apparmor.systemd[4464]: Found reference to variable run, but is never declared
Oct 09 17:07:24 eos-cinnamon apparmor.systemd[4399]: Error: At least one profile failed to load
Oct 09 17:07:24 eos-cinnamon systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Oct 09 17:07:24 eos-cinnamon systemd[1]: apparmor.service: Failed with result 'exit-code'.
Oct 09 17:07:24 eos-cinnamon systemd[1]: Failed to start Load AppArmor profiles.

This is what I get:

pacdiff --output
/etc/pacman.d/mirrorlist.pacnew

Am I doing it correctly?

It looks like there were some pretty substantial changes in version 3.0.

2 Likes

Thanks! I’ll have a look to see if I am able to make heads or tails of it :blush:

Also pay attention if you use it in combination with firejail, as they obviously need to adapt the profile to the new apparmor standard too, see their github.
Apparently 3.0 is a transitory release, in a few months 3.1 will be production-ready; therefore I suspect that if 3.0 becomes a major hassle to adapt, downgrading back to 2.13 might be a good compromise in the meantime.

3 Likes

@dalto, @ringo and @_mk,

Thank you all for your help and support.

I did downgrade apparmor to 2.13 and for the time being everything works as normal again.

Thanks again!

I did nothing :slight_smile: nvm :slight_smile: hope it gets fixed quickly…

1 Like

You replied. That’s something!
:slightly_smiling_face:

See: https://bugs.archlinux.org/task/68220

For now, I downgraded to the previous 2.x version.

EDIT: as mentioned in the comments in the bugtracker, this could be a fix: https://github.com/netblue30/firejail/commit/bba750c73469ea315d859464ddd19e495d830a72

EDIT 2: yes, I confirm that it fixes the issue with firejail. So just add #include <tunables/global> to /etc/apparmor.d/firejail-default.

2 Likes
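The "Found reference to variable run, but is never declared" error and the `#include <tunables/global>` fix discussed above suggest a quick audit of the profile directory. The following is an added example, not part of the original posts or of the AppArmor or firejail projects: it lists profile files that reference `@{run}` without including `<tunables/global>` or declaring the variable themselves. The function names and the sample profiles are constructed for illustration, and nested includes are not followed.

```shell
#!/bin/sh
# Added example (not from the thread): list profiles that use @{run} without
# <tunables/global> or a local declaration. Nested includes are not followed.
find_undeclared_run() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # Drop comments, but keep '#include' lines, which are directives.
        body=$(sed -e '/^[[:space:]]*#include/!s/#.*//' "$f")
        printf '%s\n' "$body" | grep -Fq '@{run}' || continue
        printf '%s\n' "$body" |
            grep -Eq '^[[:space:]]*#?include[[:space:]]+<tunables/global>' && continue
        printf '%s\n' "$body" |
            grep -Eq '^[[:space:]]*@[{]run[}][[:space:]]*[+]?=' && continue
        printf '%s\n' "$f"
    done
}

# Constructed sample profiles (simplified; not the real firejail profile text).
make_sample_profiles() {
    cat > "$1/firejail-default" <<'EOF'
profile firejail-default flags=(attach_disconnected) {
  owner @{run}/user/[0-9]*/** rw,
}
EOF
    cat > "$1/fixed" <<'EOF'
#include <tunables/global>
profile fixed {
  owner @{run}/user/[0-9]*/** rw,
}
EOF
    cat > "$1/declares-own" <<'EOF'
@{run}=/run/ /var/run/
profile declares-own {
  @{run}/example.pid r,
}
EOF
    cat > "$1/comment-only" <<'EOF'
# this profile only mentions @{run} in a comment
profile comment-only {
  /usr/bin/true rix,
}
EOF
}

tmp=$(mktemp -d)
make_sample_profiles "$tmp"
find_undeclared_run "$tmp"   # prints only the constructed firejail-default path
rm -rf "$tmp"
```

On a real system, call `find_undeclared_run /etc/apparmor.d` and review each listed file before editing it.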

The issue seems to be resolved in apparmor 3.0.0-2.

1 Like