pebcak
September 2, 2020, 9:02am
I am trying to integrate firejail with AppArmor, but enabling apparmor.service seems to fail.
sudo systemctl enable --now apparmor
Created symlink /etc/systemd/system/multi-user.target.wants/apparmor.service → /usr/lib/systemd/system/apparmor.service.
But then:
systemctl status apparmor
● apparmor.service - Load AppArmor profiles
Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; vendor preset: disabled)
Active: inactive (dead)
Condition: start condition failed at Wed 2020-09-02 10:47:34 CEST; 39s ago
└─ ConditionSecurity=apparmor was not met
Sep 02 10:47:34 vostro-plasma systemd[1]: Condition check resulted in Load AppArmor profiles being skipped.
And:
aa-enabled
No - disabled at boot.
Any ideas what could be wrong? I'd appreciate your help getting this to work.
Did you set the kernel parameters?
"To enable AppArmor as default security model on every boot, set the following kernel parameters:
apparmor=1 lsm=lockdown,yama,apparmor"
https://wiki.archlinux.org/index.php/AppArmor#Installation
https://wiki.archlinux.org/index.php/Kernel_parameters#GRUB
You have to boot the kernel first with
apparmor=1 lsm=lockdown,yama,apparmor
pebcak
September 2, 2020, 9:32am
Thanks @magtuired , @Stephane for your quick replies!
After posting the OP I recalled that I should have added some parameters to the kernel boot command line. Adding apparmor=1 security=apparmor seems to have resolved the issue:
cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-linux-zen root=UUID=3abad4a5-5c06-417a-b356-45004fe96e73 rw resume=UUID=e5c0bebe-3ab0-4474-9b40-5df3116b236a resume_offset=1085440 apparmor=1 security=apparmor loglevel=3 nowatchdog
After reboot:
systemctl status apparmor
● apparmor.service - Load AppArmor profiles
Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; vendor preset: disabled)
Active: active (exited) since Wed 2020-09-02 11:20:11 CEST; 3min 14s ago
Process: 260 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SUCCESS)
Main PID: 260 (code=exited, status=0/SUCCESS)
Sep 02 11:20:05 vostro-plasma apparmor.systemd[260]: Restarting AppArmor
Sep 02 11:20:05 vostro-plasma apparmor.systemd[260]: Reloading AppArmor profiles
Sep 02 11:20:11 vostro-plasma systemd[1]: Finished Load AppArmor profiles.
Warning: journal has been rotated since unit was started, output may be incomplete.
aa-enabled
Yes
I will read further on the link that you have posted @magtuired , since both you and @Stephane are mentioning a couple of other parameters to be set.
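The two parameter forms mentioned in this thread (the older security=apparmor and the newer lsm=lockdown,yama,apparmor list) can be checked mechanically. The script below is an added example, not code from the thread or from the AppArmor project: it parses a kernel command line, applies the rule given here that apparmor=1 must be present together with one of the two selection forms, and optionally compares that with what the running kernel reports.

```bash
#!/usr/bin/env bash
# Added example: decide from a kernel command line whether AppArmor is requested.
# Rule applied (taken from the thread): apparmor=1 must be present, plus either
# security=apparmor or an lsm= list that contains apparmor.
# Returns 0 (requested) or 1 (not requested), so it works directly in `if`.
apparmor_requested() {
    local cmdline="$1" word apparmor_on=0 selected=0
    for word in $cmdline; do
        case "$word" in
            apparmor=1) apparmor_on=1 ;;
            apparmor=0) apparmor_on=0 ;;
            security=apparmor)
                # Older form; only counts if no lsm= list appears later/earlier.
                [ "$selected" -eq 0 ] && selected=1 ;;
            lsm=*)
                # Newer form: an ordered, comma-separated list of LSMs.
                # The kernel ignores security= once lsm= is given, so the
                # list alone decides whether apparmor is selected.
                case ",${word#lsm=}," in
                    *,apparmor,*) selected=1 ;;
                    *)            selected=0 ;;
                esac
                ;;
        esac
    done
    [ "$apparmor_on" -eq 1 ] && [ "$selected" -eq 1 ]
}

# Live check against the running system (assumes a Linux host with /proc and
# /sys mounted; the sysfs path is AppArmor's standard module parameter file).
report_live_apparmor() {
    local cmdline
    cmdline=$(cat /proc/cmdline 2>/dev/null) || { echo "no /proc/cmdline"; return 2; }
    if apparmor_requested "$cmdline"; then
        echo "cmdline: AppArmor requested"
    else
        echo "cmdline: AppArmor NOT requested (add apparmor=1 lsm=lockdown,yama,apparmor)"
    fi
    if [ -r /sys/module/apparmor/parameters/enabled ]; then
        echo "kernel : enabled=$(cat /sys/module/apparmor/parameters/enabled)"
    else
        echo "kernel : apparmor module parameters not present"
    fi
}
```

Running `report_live_apparmor` on a freshly rebooted host should agree with `aa-enabled`; a mismatch usually means the bootloader configuration was edited but the kernel was not rebooted with the new line.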
I think the extra parameters were added with a wiki update at some stage; it used to just be apparmor=1 security=apparmor
but now it's apparmor=1 lsm=lockdown,yama,apparmor
I think (not entirely sure why this occurred).
If either post resolved it for you, you could mark it as a solution (and let it be known for once I answered a question).
pebcak
September 2, 2020, 9:42am
Thanks for further explanation! I’ll be setting those parameters as well according to the Wiki and read up a bit more.
Once again many thanks to you and @Stephane for pointing out the solution.
NotEvil
September 24, 2021, 2:17pm
Is the wiki wrong? Now it only says to update the lsm parameter, but it won't work without the apparmor variable?