Fail to enable apparmor

I am trying to integrate firejal with apparmor but enabling apparmor.service seems to fail.

sudo systemctl enable --now apparmor
Created symlink /etc/systemd/system/multi-user.target.wants/apparmor.service → /usr/lib/systemd/system/apparmor.service.

But then:

systemctl status apparmor
● apparmor.service - Load AppArmor profiles
     Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; vendor preset: disabled)
     Active: inactive (dead)
  Condition: start condition failed at Wed 2020-09-02 10:47:34 CEST; 39s ago
             └─ ConditionSecurity=apparmor was not met

Sep 02 10:47:34 vostro-plasma systemd[1]: Condition check resulted in Load AppArmor profiles being s>
lines 1-7/7 (END)...skipping...
● apparmor.service - Load AppArmor profiles
     Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; vendor preset: disabled)
     Active: inactive (dead)
  Condition: start condition failed at Wed 2020-09-02 10:47:34 CEST; 39s ago
             └─ ConditionSecurity=apparmor was not met

Sep 02 10:47:34 vostro-plasma systemd[1]: Condition check resulted in Load AppArmor profiles being skipped.

And:

aa-enabled
No - disabled at boot.

Any ideas what could be wrong? I’ll appreciate your help to get this to work.

Did you set the kernel parameters?

"To enable AppArmor as default security model on every boot, set the following kernel parameters:

apparmor=1 lsm=lockdown,yama,apparmor"

https://wiki.archlinux.org/index.php/AppArmor#Installation

https://wiki.archlinux.org/index.php/Kernel_parameters#GRUB

4 Likes

you have to boot kernel before with

apparmor=1 lsm=lockdown,yama,apparmor
2 Likes

Thanks @magtuired, @Stephane for your quick replies!

After posting the op I recalled that I should have added some parameters to the kernel boot command line. Adding apparmor=1 security=apparmor seems to have resolved the issue:

cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-linux-zen root=UUID=3abad4a5-5c06-417a-b356-45004fe96e73 rw resume=UUID=e5c0
bebe-3ab0-4474-9b40-5df3116b236a resume_offset=1085440 apparmor=1 security=apparmor loglevel=3 nowatc
hdog

After reboot:

systemctl status apparmor
● apparmor.service - Load AppArmor profiles
     Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; vendor preset: disabled)
     Active: active (exited) since Wed 2020-09-02 11:20:11 CEST; 3min 14s ago
    Process: 260 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SUCCESS)
   Main PID: 260 (code=exited, status=0/SUCCESS)

Sep 02 11:20:05 vostro-plasma apparmor.systemd[260]: Restarting AppArmor
Sep 02 11:20:05 vostro-plasma apparmor.systemd[260]: Reloading AppArmor profiles
Sep 02 11:20:11 vostro-plasma systemd[1]: Finished Load AppArmor profiles.
Warning: journal has been rotated since unit was started, output may be incomplete.
aa-enabled
Yes

I will read further on the link that you have posted @magtuired, since both you and @Stephane are mentioning a couple of other parameters to be set.

I think the extra parameters were added with a wiki update at some stage, it used to just be apparmor=1 security=apparmor but now its apparmor=1 lsm=lockdown,yama,apparmor I think (not entirely sure why this occurred).

If either post resolved it for you, you could mark it as as solution (and let it be known for once I answered a question).

3 Likes

Thanks for further explanation! I’ll be setting those parameters as well according to the Wiki and read up a bit more.

Once again many thanks to you and @Stephane for pointing out the solution.

3 Likes

Is wiki wrong. Now it only say to update the lsm but it won’t work without the apparmor variable?