[pkg-apparmor] Bug#1108918: apparmor complains "too many states" on start, hanging boot for 1m25s

Athanasius debian at miggy.org
Mon Jul 7 20:00:25 BST 2025 

Package: apparmor
Version: 4.1.0-1
Severity: important

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
   * What exactly did you do (or not do) that was effective (or
     ineffective)?
   * What was the outcome of this action?
   * What outcome did you expect instead?

*** End of the template - remove these template lines ***
I just upgraded this system from bookworm to trixie.  Upon rebooting
apparmor.service takes 1m25s to clear, with the following logged once
boot completes:

Jul 07 16:52:33 emilia apparmor.systemd[1394]: Too many states (113602) for type state_t
Jul 07 16:52:33 emilia apparmor.systemd[1281]: Error: At least one profile failed to load

  I can't find any reference to that 'Too many states' message on either
DuckDuckGo or Google.
  This is mostly using my own compiled, .deb packaged, kernel, currently
using 6.12.36 sources, *but* there's no change in the behaviour using
6.12.33+deb13-amd64 from trixie.
  There was no such problem under bookworm.

  Is there some kernel, or otherwise, tunable that needs increasing?  Or
do I have some profile that is blowing things up ?  `aa-status` shows
plenty of profiles loaded, with various processes in various
enforce/complain/etc modes.

  The `Kernel taint flags: TAINT_OOT_MODULE` below is due to the nvidia
binary GPU modules.

-- System Information:
Debian Release: 13.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.36-athan (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apparmor depends on:
ii  debconf [debconf-2.0]  1.5.91
ii  libc6                  2.41-9

apparmor recommends no packages.

Versions of packages apparmor suggests:
pn  apparmor-profiles-extra  <none>
ii  apparmor-utils           4.1.0-1

-- Configuration Files:
/etc/apparmor.d/tunables/home.d/site.local changed:
@{HOMEDIRS}+=/home/users/


-- debconf information:
* apparmor/homedirs: /home/users/

-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
                  Finger athan(at)fysh.org for PGP key
	   "And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME

More information about the pkg-apparmor-team mailing list