apparmor does not load profiles - "unable to register Apparmor" message

Bug #177924 reported by Harvey Muller
Affects: apparmor (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Kees Cook

Bug Description

Binary package hint: apparmor

I am currently testing a recent daily version of Hardy Alpha 1 Desktop amd64, dated 20071218. This issue is not present in Gutsy.

The apparmor module appears not to be properly built. The problem presents itself initially in the dmesg log facility. Apparmor emits the following message:

    AppArmor: Unable to register Apparmor

"sudo /etc/init.d/apparmor start" results in:

    $Loading AppArmor module: Failed.

"sudo modprobe apparmor" results in:

    FATAL: Module apparmor not found.

"sudo find / -name apparmor.ko -print" results in:

    /lib/modules/2.6.22-14-generic/ubuntu/security/apparmor/apparmor.ko

"sudo insmod /lib/modules/2.6.22-14-generic/ubuntu/security/apparmor/apparmor.ko" results in:

    insmod: error inserting '/lib/modules/2.6.22-14-generic/ubuntu/security/apparmor/apparmor.ko': -1 Invalid module format

I don't think this is a kernel bug, but will attach the standard kernel bug attachments just in case.

Any questions will be answered promptly.

Harvey

Tags: iso-testing
Karl.Mo (partyboi2) wrote :

I also am having the same problem and receiving the same output for the commands listed above. However I am using a 32bit machine.

Nanley Chery (nanoman) wrote :

I can confirm this on two 32-bit computers running Hardy Alpha 2.

Changed in apparmor:
status: New → Confirmed
Pramod Dematagoda (pmdematagoda) wrote : Re: [Hardy Alpha 32, 64] Invalid module format

Confirmed on Ubuntu 8.04 32 bit running kernel 2.6.24.

lembregtse (eric-lembregts) wrote : Re: [Hardy Alpha 2 i386/amd64] Invalid module format

I can confirm this on the latest Ubuntu 8.04 32bit alpha2 version.

sam tygier (samtygier) wrote :

I am testing on powerpc. Booting fails. The last message is
[ 1.919498] AppArmor: Unable to register AppArmor

Then I am left at a flashing prompt.

kaparen (kaparen) wrote :

I can also confirm this, running 32-bit Hardy Alpha 2.

Nanley Chery (nanoman) wrote :

OK, no more confirmation posts. I think this bug is pretty much confirmed.

Kees Cook (kees) wrote :

New upstream tools and scripts are being built now for the newer AppArmor release in the 2.6.24 kernel.

Changed in apparmor:
assignee: nobody → keescook
status: Confirmed → In Progress
Kees Cook (kees) wrote : Re: [Hardy Alpha 2 i386/amd64] apparmor does not load profiles

Additionally, there is a bug in the module load order that will be fixed shortly. Until the next kernel release is available, we will need to boot with "capability.disable=1" as a kernel parameter to keep the redundant capability LSM out of the way so that AppArmor can load.

Kees Cook (kees) wrote :

This is fixed in linux 2.6.24-4.7 (note that linux-meta has not yet been updated).

Changed in apparmor:
status: In Progress → Fix Released
neeeeeeeeeewp (neeeeeeeeeewp-deactivatedaccount) wrote :

AppArmor is not loading profiles for me on newly upgraded Hardy.
Calling aa-enforce or apparmor_parser --add or --replace causes apparmor_parser to hang at 100% CPU, requiring a manual reboot.

Booting with capability.disable=1 did not have any effect.

~#uname -a
Linux Fray 2.6.24-16-generic #1 SMP Thu Apr 10 13:23:42 UTC 2008 i686 GNU/Linux

~#modprobe apparmor
FATAL: Module apparmor not found.

~# /etc/init.d/apparmor force-reload
Reloading AppArmor profiles Warning: found /etc/apparmor.d/force-complain/usr.sbin.mysqld, forcing complain mode
: done.

Attached a messages log of attempting to enforce a relatively simple profile:

/home/reet/dostuff.bash flags=(complain) {
 /bin/* rmix,
 /usr/lib/locale/* r,
 /proc/meminfo r,
 /lib/ld*so* rmix,
 /etc/locale* r,
 /dev/tty rw,
 /lib/* rmix,
 /etc/ld.so.cache r,
 /lib/tls/i686/cmov/lib*.so mr,
 /usr/lib/** r,
 /usr/share/** r,
 /home/reet/dostuff.bash r,
 /tmp/bleep rw,
}

This worked fine as far as enforcing and complaining prior to dist-upgrade.

Am I doing something obviously wrong here?

Thanks,
mac

neeeeeeeeeewp (neeeeeeeeeewp-deactivatedaccount) wrote :

Followup:
I think the issue may be an old profile sitting in enforce mode during dist-upgrade that didn't get handled properly.

I was able to load the profile from scratch properly on a clean heron install on another machine.

tldr "nevermind i fixed it"
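
Added example, not part of the bug thread or of the AppArmor tools: a shell check for the three things the comments above go back and forth on, namely whether the kernel reports AppArmor as enabled, whether the "capability.disable=1" workaround is on the kernel command line, and whether a given profile is actually loaded and in which mode. It reads sysfs rather than relying on "modprobe apparmor", and assumes the securityfs profile list uses lines of the form "name (mode)"; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example. Paths are parameters so the checks can run against a
# constructed tree as well as the live /proc and /sys.

# Print Y or N from the AppArmor "enabled" parameter, or "absent" if the
# kernel exposes no apparmor entry (built-in or module) under SYSROOT.
aa_enabled() {
    f="$1/module/apparmor/parameters/enabled"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Succeed if the workaround parameter is on the kernel command line.
capability_disabled() {
    tr ' ' '\n' < "$1" | grep -qx 'capability.disable=1'
}

# Print the mode of profile NAME from the securityfs list, whose lines are
# assumed to look like "/usr/sbin/mysqld (complain)"; "unloaded" if missing.
profile_mode() {
    list="$1/kernel/security/apparmor/profiles"
    [ -r "$list" ] || { echo unloaded; return 0; }
    awk -v n="$2" '
        { mode = $NF; sub(/ \([^)]*\)$/, "")
          if ($0 == n) { gsub(/[()]/, "", mode); print mode; hit = 1 } }
        END { if (!hit) print "unloaded" }' "$list"
}

# Build a constructed sample tree (not data captured from the bug report).
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/sys/module/apparmor/parameters" "$d/sys/kernel/security/apparmor"
    echo Y > "$d/sys/module/apparmor/parameters/enabled"
    printf '%s\n' '/usr/sbin/mysqld (complain)' \
        > "$d/sys/kernel/security/apparmor/profiles"
    echo 'root=/dev/sda1 ro quiet capability.disable=1' > "$d/cmdline"
    echo "$d"
}

report() {  # report CMDLINE_FILE SYSROOT PROFILE_NAME
    echo "apparmor enabled: $(aa_enabled "$2")"
    if capability_disabled "$1"; then echo "capability.disable=1: set"
    else echo "capability.disable=1: not set"; fi
    echo "profile $3: $(profile_mode "$2" "$3")"
}

# Default: inspect the live system; pass other paths to inspect a sample.
report "${1:-/proc/cmdline}" "${2:-/sys}" "${3:-/home/reet/dostuff.bash}"
```

Reading the live profile list normally requires root; without it the profile is reported as "unloaded" even when it is loaded.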
