[pkg-apparmor] Bug#814035: apparmor: init script fails with : Apparmor not available as Kernel LSM

Alban Browaeys prahal at yahoo.com
Sun Feb 7 19:02:52 UTC 2016


Package: apparmor
Version: 2.10-3
Severity: normal

Dear Maintainer,
With a vanilla boot I end up with an apparmor init.d script failure. This has been the case for ages.
"
● apparmor.service - LSB: AppArmor initialization
   Loaded: loaded (/etc/init.d/apparmor; bad; vendor preset: enabled)
   Active: failed (Result: exit-code) since dim. 2016-02-07 17:21:38 CET; 22min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 948 ExecStart=/etc/init.d/apparmor start (code=exited, status=1/FAILURE)

févr. 07 17:21:37 cyclope systemd[1]: apparmor.service: About to execute: /etc/init.d/apparmor start
févr. 07 17:21:37 cyclope systemd[1]: apparmor.service: Forked /etc/init.d/apparmor as 948
févr. 07 17:21:37 cyclope systemd[948]: apparmor.service: Executing: /etc/init.d/apparmor start
févr. 07 17:21:37 cyclope systemd[1]: apparmor.service: Changed dead -> start
févr. 07 17:21:37 cyclope systemd[1]: Starting LSB: AppArmor initialization...
févr. 07 17:21:37 cyclope apparmor[948]: Starting AppArmor profiles:AppArmor not available as kernel LSM..
févr. 07 17:21:38 cyclope apparmor[948]: failed!
févr. 07 17:21:38 cyclope systemd[1]: apparmor.service: Child 948 belongs to apparmor.service
févr. 07 17:21:38 cyclope systemd[1]: apparmor.service: Control process exited, code=exited status=1
févr. 07 17:21:38 cyclope systemd[1]: apparmor.service: Got final SIGCHLD for state start.
févr. 07 17:21:38 cyclope systemd[1]: apparmor.service: Changed start -> failed
févr. 07 17:21:38 cyclope systemd[1]: apparmor.service: Job apparmor.service/start finished, result=failed
févr. 07 17:21:38 cyclope systemd[1]: Failed to start LSB: AppArmor initialization.
févr. 07 17:21:38 cyclope systemd[1]: apparmor.service: Unit entered failed state.
févr. 07 17:21:38 cyclope systemd[1]: apparmor.service: Failed with result 'exit-code'.
févr. 07 17:21:38 cyclope systemd[1]: apparmor.service: cgroup is empty
"

I do not remember enabling SELinux on this station.

For one, this box has a TPM device, which loads tpm_tis, therefore I already have /sys/kernel/security mounted
as securityfs with a tpm0 subfolder. It could have been the root cause of the above error, as the apparmor init script:
"
securityfs() {
        # Need securityfs for any mode
        if [ ! -d "${AA_SFS}" ]; then
                if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then
                        log_action_msg "AppArmor not available as kernel LSM."
                        log_end_msg 1
                        exit 1
"
as it errors out if securityfs is already mounted but the apparmor subfolder does not exist.
But when I blacklisted tpm and tpm_tis and masked the trousers init script, the error stayed: the apparmor init script still failed.

My current workaround is to set security=apparmor on the kernel command line.
I tried to add apparmor=1 and it did not help on its own, nor was it required for the above workaround to succeed.

I noticed that /sys/module/apparmor/parameters/enabled has the value "N" without the workaround and "Y" if the above workaround
is applied (i.e. security=apparmor is on the kernel command line).

This is with the Debian Linux kernel 4.3.0-1-amd64 (4.3.3-1).

(I got the workaround from 
http://ubuntuforums.org/showthread.php?t=1776873&p=12224340#post12224340)


As an aside, I am puzzled: I cannot decipher from the documentation which LSM is the default:
- Linux kernel-parameters.txt (linux kernel) tells:
"
        security=       [SECURITY] Choose a security module to enable at boot.
                        If this boot parameter is not specified, only the first
                        security module asking for security registration will be
                        loaded. An invalid security module name will be treated
                        as if no module has been chosen.
"
- Linux kernel Documentation/security/LSM.txt tells:
"
Without a specific LSM built into the kernel, the default LSM will be the
Linux capabilities system. 
"

In the Debian kernel we have all the specific LSMs built in, but CONFIG_DEFAULT_SECURITY="".
So I guess the first LSM registered applies. But how do I check which one it was at runtime,
in logs or in the /proc or /sys filesystems?
Could it be that even though the tpm device module is blacklisted, it still grabs the default LSM entry?

Best regards
Alban



-- System Information:
Debian Release: stretch/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apparmor depends on:
ii  debconf [debconf-2.0]  1.5.58
ii  libapparmor-perl       2.10-3
ii  libc6                  2.21-7
ii  lsb-base               9.20160110
pn  python3:any            <none>

apparmor recommends no packages.

Versions of packages apparmor suggests:
ii  apparmor-docs            2.10-3
pn  apparmor-profiles        <none>
pn  apparmor-profiles-extra  <none>
ii  apparmor-utils           2.10-3

-- debconf information:
  apparmor/homedirs:
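Editor's added example (not part of the bug report, of the Debian init script, or of the kernel sources): a small POSIX shell script that reproduces the securityfs() test quoted in the report with the paths as parameters, so the "TPM mounted securityfs first, apparmor/ is missing" situation can be exercised against a constructed directory tree, and that reads the list of active LSMs from the securityfs "lsm" file (present since Linux 4.2). The function names aa_check and lsm_active, the return codes and the sample tree in the comments are my own choices. On the reporter's last question, as an editor's note on 4.x kernels: security_module_enable() only returns true for the LSM whose name equals chosen_lsm, which is CONFIG_DEFAULT_SECURITY unless security= is given on the command line, so with CONFIG_DEFAULT_SECURITY="" and no security= parameter no major LSM is enabled at all and /sys/module/apparmor/parameters/enabled reads N; the tpm module only mounts securityfs, it does not claim the LSM slot.

```shell
#!/bin/sh
# Added example (editor's code, not the Debian /etc/init.d/apparmor script).
# Re-implements the securityfs() check from the init script with the
# paths as parameters, so it can run against a constructed tree as well
# as against the live system.

# aa_check MOUNTS SECURITYFS [MODPARAM]
#   MOUNTS     file in /proc/mounts format ("dev mountpoint fstype opts 0 0")
#   SECURITYFS directory where securityfs is (or would be) mounted
#   MODPARAM   optional: path of /sys/module/apparmor/parameters/enabled
# Exit status (hypothetical convention chosen for this example):
#   0  securityfs mounted and <SECURITYFS>/apparmor exists: AppArmor is active
#   1  securityfs already mounted but no apparmor/ subdir: this is the
#      "AppArmor not available as kernel LSM" branch of the init script
#   2  securityfs not mounted at SECURITYFS (the init script would mount it)
aa_check() {
    mounts=$1
    sfs=$2
    modparam=${3:-/sys/module/apparmor/parameters/enabled}
    aa_sfs="$sfs/apparmor"

    if [ -d "$aa_sfs" ]; then
        echo "apparmor: $aa_sfs present, AppArmor LSM is active"
        return 0
    fi

    # Same test as the init script: fields 2,3 of /proc/mounts are
    # "<mountpoint> <fstype>"; match an exact "<sfs> securityfs" line.
    if cut -d" " -f2,3 "$mounts" | grep -q "^$sfs securityfs"'$'; then
        echo "apparmor: securityfs mounted at $sfs (e.g. by the TPM driver)" \
             "but no apparmor/ subdir: AppArmor not available as kernel LSM"
        # The module parameter tells whether the kernel enabled AppArmor
        # at boot; "N" means no security=apparmor and no matching default.
        if [ -r "$modparam" ]; then
            echo "apparmor: $modparam = $(cat "$modparam")"
        fi
        return 1
    fi

    echo "apparmor: securityfs not mounted at $sfs"
    return 2
}

# lsm_active SECURITYFS
# Prints the comma-separated list of LSMs the running kernel registered,
# read from <SECURITYFS>/lsm (available since Linux 4.2). Returns 1 when
# the file is absent (older kernel, or securityfs not mounted).
lsm_active() {
    sfs=$1
    if [ -r "$sfs/lsm" ]; then
        cat "$sfs/lsm"
        return 0
    fi
    return 1
}

# Live-system usage (real paths; needs securityfs to be mounted):
#   aa_check /proc/mounts /sys/kernel/security
#   lsm_active /sys/kernel/security
```

On the reporter's machine the expected live result is exit status 1 from aa_check with the module parameter printed as N, and lsm_active printing a list without "apparmor" (the 4.3 kernel has the lsm file); after adding security=apparmor both flip to 0 / Y and the list gains "apparmor".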


