Fail to enable apparmor

I am trying to integrate firejail with apparmor but enabling apparmor.service seems to fail.

sudo systemctl enable --now apparmor
Created symlink /etc/systemd/system/multi-user.target.wants/apparmor.service → /usr/lib/systemd/system/apparmor.service.

But then:

systemctl status apparmor
● apparmor.service - Load AppArmor profiles
     Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; vendor preset: disabled)
     Active: inactive (dead)
  Condition: start condition failed at Wed 2020-09-02 10:47:34 CEST; 39s ago
             └─ ConditionSecurity=apparmor was not met

Sep 02 10:47:34 vostro-plasma systemd[1]: Condition check resulted in Load AppArmor profiles being skipped.

And:

aa-enabled
No - disabled at boot.

Any ideas what could be wrong? I’ll appreciate your help to get this to work.

Did you set the kernel parameters?

"To enable AppArmor as default security model on every boot, set the following kernel parameters:

apparmor=1 lsm=lockdown,yama,apparmor"

https://wiki.archlinux.org/index.php/AppArmor#Installation

https://wiki.archlinux.org/index.php/Kernel_parameters#GRUB

3 Likes

You have to boot the kernel first with

apparmor=1 lsm=lockdown,yama,apparmor
2 Likes

Thanks @magtuired, @Stephane for your quick replies!

After posting the op I recalled that I should have added some parameters to the kernel boot command line. Adding apparmor=1 security=apparmor seems to have resolved the issue:

cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-linux-zen root=UUID=3abad4a5-5c06-417a-b356-45004fe96e73 rw resume=UUID=e5c0bebe-3ab0-4474-9b40-5df3116b236a resume_offset=1085440 apparmor=1 security=apparmor loglevel=3 nowatchdog

After reboot:

systemctl status apparmor
● apparmor.service - Load AppArmor profiles
     Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; vendor preset: disabled)
     Active: active (exited) since Wed 2020-09-02 11:20:11 CEST; 3min 14s ago
    Process: 260 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SUCCESS)
   Main PID: 260 (code=exited, status=0/SUCCESS)

Sep 02 11:20:05 vostro-plasma apparmor.systemd[260]: Restarting AppArmor
Sep 02 11:20:05 vostro-plasma apparmor.systemd[260]: Reloading AppArmor profiles
Sep 02 11:20:11 vostro-plasma systemd[1]: Finished Load AppArmor profiles.
Warning: journal has been rotated since unit was started, output may be incomplete.

aa-enabled
Yes

I will read further on the link that you have posted @magtuired, since both you and @Stephane are mentioning a couple of other parameters to be set.

I think the extra parameters were added with a wiki update at some stage. It used to be just apparmor=1 security=apparmor, but now it's apparmor=1 lsm=lockdown,yama,apparmor, I think (not entirely sure why this occurred).

If either post resolved it for you, you could mark it as the solution (and let it be known that for once I answered a question).

3 Likes
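As an added diagnostic (not from the thread or the wiki), the following POSIX shell snippet checks a kernel command line for the parameter combinations recommended above, accepting both the older security=apparmor form and the newer lsm=...,apparmor form, and reads the kernel's own AppArmor state from sysfs. The sysfs path is the standard one; the function takes it as an argument only so it can be pointed at a constructed file.

```shell
#!/bin/sh
# Decide from a kernel command line whether the AppArmor settings this thread
# recommends are present: apparmor=1 plus either security=apparmor or an
# lsm= list that contains apparmor. Exit status 0 = present, 1 = not present.
cmdline_enables_apparmor() {
    cmdline=$1
    has_apparmor1=0
    has_lsm=0
    for param in $cmdline; do
        case $param in
            apparmor=1) has_apparmor1=1 ;;
            apparmor=0) return 1 ;;             # explicitly disabled
            security=apparmor) has_lsm=1 ;;     # older single-LSM form
            lsm=*)
                # lsm= is a comma-separated, ordered list; wrap it in commas
                # so "apparmor" matches only as a whole entry.
                case ",${param#lsm=}," in
                    *,apparmor,*) has_lsm=1 ;;
                esac
                ;;
        esac
    done
    if [ "$has_apparmor1" -eq 1 ] && [ "$has_lsm" -eq 1 ]; then
        return 0
    fi
    return 1
}

# Read the kernel's own view, which is what aa-enabled reports: the file holds
# "Y" when AppArmor is active and "N" when it is disabled at boot. Prints
# "absent" when the file is not readable (LSM not built into this kernel).
apparmor_live_state() {
    enabled_file=${1:-/sys/module/apparmor/parameters/enabled}
    if [ -r "$enabled_file" ]; then
        cat "$enabled_file"
    else
        echo absent
    fi
}

# Stand-alone run: check the live cmdline and sysfs state of this machine.
if [ "${1:-}" = "--live" ]; then
    if cmdline_enables_apparmor "$(cat /proc/cmdline)"; then
        echo "cmdline: AppArmor parameters present"
    else
        echo "cmdline: AppArmor parameters missing (add apparmor=1 lsm=lockdown,yama,apparmor)"
    fi
    echo "sysfs:   $(apparmor_live_state)"
fi
```

Run it as sh check-apparmor.sh --live on the affected machine; "cmdline: ... missing" together with "sysfs: N" is the state shown in the original post.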

Thanks for further explanation! I’ll be setting those parameters as well according to the Wiki and read up a bit more.

Once again many thanks to you and @Stephane for pointing out the solution.

3 Likes

Is the wiki wrong? Now it only says to update the lsm, but it won't work without the apparmor variable?