Apparmor initialization failed #3507

Closed
subproc opened this Issue Jan 30, 2018 · 8 comments


subproc commented Jan 30, 2018

Qubes OS version:

R3.2 R4.0

Affected TemplateVMs:

all templates


Steps to reproduce the behavior:

After installing AppArmor and related packages, as explained in the Whonix wiki, and setting the kernel parameters to "nopat apparmor=1 security=apparmor", there's a working AppArmor module with kernel 4.9.56-21, but after switching to 4.14.13-1 or 4.14.13-2 it's not working at all...

Expected behavior:

having a working apparmor module

Actual behavior:

With the 4.14 kernel, if I call "sudo aa-status":
apparmor.service - AppArmor initialization
Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
Active: inactive (dead)
Condition: start condition failed
└─ ConditionSecurity=apparmor was not met

General notes:

It seems that there's only support for SELinux (disabled) and Yama (enabled).


Related issues:

In R3.2, if I want a working AppArmor I have to switch back to the 4.9 kernel, but in R4.0 that is not an option, so no AppArmor at all.

subproc commented Feb 2, 2018

It seems that AppArmor is disabled at compile time in Qubes OS.
CONFIG_SECURITY_APPARMOR=y is commented out in the config, as visible in https://github.com/QubesOS/qubes-linux-kernel/blob/stable-4.14/config-qubes
I don't know why the kernel was compiled with AppArmor enabled up to 4.9 and now is not.
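
The three layers this report touches (kernel build option, boot parameters, runtime state) can be checked in order, as in the following added example, which is not part of the issue thread or of Qubes OS code. The function names and verdict strings are hypothetical, the sample config lines are constructed, and it assumes AppArmor is not the build-time default LSM, so it has to be selected on the kernel command line as in the report.

```shell
#!/bin/sh
# Added example (not from the issue thread). Sample config lines are constructed.

# Succeeds only if AppArmor is built in: an active, uncommented "=y" line.
# "# CONFIG_SECURITY_APPARMOR=y" and "# ... is not set" both fail this test.
aa_built_in() {
    grep -Eq '^CONFIG_SECURITY_APPARMOR=y[[:space:]]*$' "$1"
}

# Succeeds if the boot parameters select AppArmor as in the report:
# security=apparmor present and apparmor=0 absent.
aa_requested() {
    case " $1 " in *" apparmor=0 "*) return 1 ;; esac
    case " $1 " in *" security=apparmor "*) return 0 ;; esac
    return 1
}

# Succeeds if the running kernel reports the module as enabled.
# $1 is the sysfs root (normally /sys); a parameter so it can be tested.
aa_runtime_enabled() {
    [ "$(cat "$1/module/apparmor/parameters/enabled" 2>/dev/null)" = "Y" ]
}

# Print the first layer that explains a failed ConditionSecurity=apparmor.
aa_diagnose() {   # usage: aa_diagnose CONFIG_FILE "CMDLINE" SYSFS_ROOT
    if ! aa_built_in "$1"; then
        echo "not-compiled-in"
    elif ! aa_requested "$2"; then
        echo "not-selected-at-boot"
    elif ! aa_runtime_enabled "$3"; then
        echo "not-enabled-at-runtime"
    else
        echo "ok"
    fi
}

# Constructed demo: a 4.14-style config with the option commented out.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'CONFIG_SECURITY_YAMA=y' '# CONFIG_SECURITY_APPARMOR=y' > "$d/config"
    aa_diagnose "$d/config" 'nopat apparmor=1 security=apparmor' "$d"
    rm -rf "$d"
}
demo
```

On a live system the call would be `aa_diagnose "/boot/config-$(uname -r)" "$(cat /proc/cmdline)" /sys`, assuming the kernel config is installed at that path.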

Member

marmarek commented Feb 5, 2018

@HW42 any reason for not enabling it?

HW42 commented Feb 5, 2018

No. I just wasn't aware of any users, so deviating from the Fedora default didn't make sense (see QubesOS/qubes-linux-kernel#13 (comment)).

Member

marmarek commented Feb 5, 2018

Ok, so let's enable it. And probably also worth updating to 4.14.17.
And to 4.15.1 in master branch (kernel-latest). Can you check if nothing breaks badly and open PRs?

HW42 commented Feb 5, 2018

Ok

HW42 referenced this issue in QubesOS/qubes-linux-kernel Feb 6, 2018

Merged

Update to 4.14.18 #15

subproc commented Feb 17, 2018

Thanks a lot, now there's a working AppArmor module... I think we can close this ticket.

troubadoour commented Mar 28, 2018

Was there a kernel update recently?
It looks like this issue is showing again with 4.14.18-1.pvops.qubes.x86_64

Apparmor status reports:

Condition: start condition failed at Wed 2018-03-28 11:41:31 UTC; 15min ago
└─ ConditionSecurity=apparmor was not met

troubadoour commented Mar 29, 2018

This was a false alarm. Some trouble after reinstalling AppArmor.
Thanks for re-opening, it can be closed again.
