Gentoo Forums
[SOLVED] OpenRC does not start AppArmor at boot
yoshi_26_02 (n00b; joined 17 Jun 2019; 21 posts; location: Gensokyo)

Posted: Fri Jan 10, 2020 4:51 pm    Post subject: [SOLVED] OpenRC does not start AppArmor at boot

Hi,

AppArmor does not start at boot despite the fact it is enabled in boot runlevel.

System status after boot:

Code:
# apparmor_status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.


Code:
# rc-service apparmor status
 * status: stopped


When I start it manually, everything is OK:

Code:
# rc-service apparmor start
 * Starting AppArmor ...
 *   Loading AppArmor profiles ...


Code:
# apparmor_status
apparmor module is loaded.
50 profiles are loaded.
48 profiles are in enforce mode.
   /usr/lib/apache2/mpm-prefork/apache2
   /usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
   /usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
   /usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
   /usr/lib/dovecot/anvil
   /usr/lib/dovecot/auth
   /usr/lib/dovecot/config
   /usr/lib/dovecot/deliver
   /usr/lib/dovecot/dict
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/dovecot-lda
   /usr/lib/dovecot/dovecot-lda//sendmail
   /usr/lib/dovecot/imap
   /usr/lib/dovecot/imap-login
   /usr/lib/dovecot/lmtp
   /usr/lib/dovecot/log
   /usr/lib/dovecot/managesieve
   /usr/lib/dovecot/managesieve-login
   /usr/lib/dovecot/pop3
   /usr/lib/dovecot/pop3-login
   /usr/lib/dovecot/ssl-params
   /usr/lib/dovecot/stats
   /usr/sbin/dnsmasq
   /usr/sbin/dnsmasq//libvirt_leaseshelper
   apache2
   apache2//DEFAULT_URI
   apache2//HANDLING_UNTRUSTED_INPUT
   apache2//phpsysinfo
   avahi-daemon
   dovecot
   identd
   klogd
   libvirtd
   lsb_release
   mdnsd
   nmbd
   nscd
   ntpd
   nvidia_modprobe
   nvidia_modprobe//kmod
   ping
   smbd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   syslog-ng
   syslogd
   traceroute
   winbindd
2 profiles are in complain mode.
   libvirtd//qemu_bridge_helper
   virt-aa-helper
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.


OpenRC configuration:

Code:
# rc-config list boot
Init scripts to be started by runlevel boot
  apparmor
  binfmt
  bootmisc
  fsck
  hostname
  hwclock
  keymaps
  localmount
  loopback
  lvm
  modules
  mtab
  opentmpfiles-setup
  procfs
  root
  save-keymaps
  save-termencoding
  swap
  sysctl
  termencoding
  urandom


I don't get why it isn't started at boot.
You will find OpenRC logs on PasteBin.
Thank you.

Edit: Here are the OpenRC logs with rc_verbose=yes.
There is nothing about apparmor in it.


Last edited by yoshi_26_02 on Tue Feb 18, 2020 11:01 pm; edited 1 time in total

freke (Guru; joined 23 Jan 2003; 588 posts; location: Somewhere in Denmark)

Posted: Sun Jan 12, 2020 8:24 pm

Is anything AppArmor-related in the dmesg output?

I have
Code:
mail ~ # dmesg | grep -i apparmor
[    0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-5.4.10-gentoo root=/dev/sda1 ro rootfstype=ext4 splash console=ttyS0,115200n8 apparmor=1 security=apparmor
[    0.548564] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-5.4.10-gentoo root=/dev/sda1 ro rootfstype=ext4 splash console=ttyS0,115200n8 apparmor=1 security=apparmor
[    4.362542] AppArmor: AppArmor initialized
[    5.405679] AppArmor: AppArmor Filesystem Enabled
[    6.672520] AppArmor: AppArmor sha1 policy hashing enabled
[   19.273866] audit: type=1400 audit(1578776073.091:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="ping" pid=2106 comm="apparmor_parser"
[   20.211804] audit: type=1400 audit(1578776074.027:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="syslog-ng" pid=2119 comm="apparmor_parser"

And in rc.log AppArmor is the very first boot service to start:
Code:
rc boot logging started at Sat Jan 11 21:54:32 2020

 * Starting AppArmor ...
 *   Loading AppArmor profiles ...
 [ ok ]
 * Setting system clock using the hardware clock [UTC] ...
 [ ok ]
 * Mounting misc binary format filesystem ...
 [ ok ]
 * Loading custom binary format handlers ...
 [ ok ]
 * Remounting root filesystem read/write ...
 [ ok ]
 * Remounting filesystems ...
 [ ok ]
 * Updating /etc/mtab ...
 * Creating mtab symbolic link
 [ ok ]
 * Activating swap devices ...
 [ ok ]
 * Configuring kernel parameters ...
 [ ok ]
 * Creating user login records ...
 [ ok ]
 * Wiping /tmp directory ...
 [ ok ]
 * Setting hostname to mail.vlh.dk  ...
 [ ok ]
 * Starting infnoise ...
 [ ok ]
 * Setting terminal encoding [UTF-8] ...
 [ ok ]
 * Setting keyboard mode [UTF-8] ...
 [ ok ]
 * Loading key mappings [dk-latin1] ...
 [ ok ]
 * Fixing font for euro symbol ...
 [ ok ]
 * Bringing up network interface lo ...
 [ ok ]
 * Saving key mapping ...
 [ ok ]
 * Saving terminal encoding ...
 [ ok ]
 * Initializing random number generator ...
 [ ok ]

rc boot logging stopped at Sat Jan 11 21:54:37 2020

yoshi_26_02 (n00b; joined 17 Jun 2019; 21 posts; location: Gensokyo)

Posted: Mon Jan 13, 2020 1:49 am
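The distinction freke is drawing here, profiles loaded by the boot runlevel at a few seconds of uptime versus profiles loaded much later by a manual start, can be checked mechanically from dmesg. The script below is an added example and is not code from this thread, from OpenRC or from AppArmor; the sample dmesg lines are copied from the posts in this thread, and the 120-second cutoff is an assumed value to be adjusted to your own boot time.

```shell
#!/bin/sh
# Added example: decide from dmesg output whether AppArmor profiles were loaded
# by the boot runlevel or only by a later manual "rc-service apparmor start".

# Sample dmesg lines copied from the posts in this thread (timestamps, pids and
# names as posted), embedded here so the example runs offline.
BOOT_LOAD_SAMPLE='[   19.273866] audit: type=1400 audit(1578776073.091:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="ping" pid=2106 comm="apparmor_parser"
[   20.211804] audit: type=1400 audit(1578776074.027:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="syslog-ng" pid=2119 comm="apparmor_parser"'

MANUAL_LOAD_SAMPLE='[    0.266123] AppArmor: AppArmor initialized
[    0.622803] AppArmor: AppArmor Filesystem Enabled
[187741.195626] audit: type=1400 audit(1578879994.228:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="ping" pid=17094 comm="apparmor_parser"
[187741.244118] audit: type=1400 audit(1578879994.276:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lsb_release" pid=17110 comm="apparmor_parser"'

# boot_profile_loads [LIMIT]
# Reads dmesg-format lines on stdin. Prints the name of every profile whose
# profile_load audit event carries a kernel timestamp <= LIMIT seconds
# (default 120, an assumed cutoff: pick something past your own
# "rc boot logging stopped" time). Exit status 0 if at least one was found.
boot_profile_loads() {
    awk -v limit="${1:-120}" '
        /apparmor="STATUS"/ && /operation="profile_load"/ {
            # kernel timestamp looks like "[   19.273866]"; strip brackets/padding
            if (!match($0, /^\[ *[0-9]+\.[0-9]+]/)) next
            ts = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/ /, "", ts)
            if (ts + 0 > limit + 0) next
            # profile name is the quoted value after name=
            if (!match($0, /name="[^"]*"/)) next
            print substr($0, RSTART + 6, RLENGTH - 7)
            n++
        }
        END { exit (n > 0 ? 0 : 1) }'
}

# Stand-alone demo against the two samples. On a live system run:
#   dmesg | boot_profile_loads 120
demo() {
    echo "boot-time loads in the first sample:"
    printf '%s\n' "$BOOT_LOAD_SAMPLE" | boot_profile_loads 120 || echo "  (none)"
    echo "boot-time loads in the second sample (profiles only loaded at ~187741 s):"
    printf '%s\n' "$MANUAL_LOAD_SAMPLE" | boot_profile_loads 120 || echo "  (none)"
}
demo
```

The cutoff only makes sense relative to the current boot: if dmesg has been rotated or the ring buffer has wrapped, the early lines are gone and the check reports nothing, so treat "none" as "look at rc.log" rather than as proof.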

Here is the dmesg output:

Code:
# dmesg | grep -i apparmor
[    0.266123] AppArmor: AppArmor initialized
[    0.622803] AppArmor: AppArmor Filesystem Enabled
[    1.568683] AppArmor: AppArmor sha1 policy hashing enabled


When I start it manually with "rc-service apparmor start" I get this in dmesg:

Code:
dmesg | grep -i apparmor
[    0.266123] AppArmor: AppArmor initialized
[    0.622803] AppArmor: AppArmor Filesystem Enabled
[    1.568683] AppArmor: AppArmor sha1 policy hashing enabled
[187741.195626] audit: type=1400 audit(1578879994.228:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="ping" pid=17094 comm="apparmor_parser"
[187741.244118] audit: type=1400 audit(1578879994.276:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lsb_release" pid=17110 comm="apparmor_parser"
[187741.285720] audit: type=1400 audit(1578879994.318:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe" pid=17117 comm="apparmor_parser"
[187741.285827] audit: type=1400 audit(1578879994.318:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe//kmod" pid=17117 comm="apparmor_parser"
[187741.308514] audit: type=1400 audit(1578879994.341:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="klogd" pid=17124 comm="apparmor_parser"
[187741.381981] audit: type=1400 audit(1578879994.414:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="syslog-ng" pid=17131 comm="apparmor_parser"
[187741.437542] audit: type=1400 audit(1578879994.470:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="syslogd" pid=17138 comm="apparmor_parser"
[187741.644599] audit: type=1400 audit(1578879994.677:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/apache2/mpm-prefork/apache2" pid=17148 comm="apparmor_parser"
[187741.644690] audit: type=1400 audit(1578879994.677:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI" pid=17148 comm="apparmor_parser"
[187741.644695] audit: type=1400 audit(1578879994.677:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT" pid=17148 comm="apparmor_parser"

yoshi_26_02 (n00b; joined 17 Jun 2019; 21 posts; location: Gensokyo)

Posted: Tue Feb 18, 2020 11:01 pm

Solved:
My initramfs did not mount the /usr partition, keeping OpenRC from accessing the file containing the AppArmor functions, which is in /usr.
The error occurred in the sysinit phase, so it was not logged in /var/log/rc.log.
Code:
/lib/rc/sh/gendepends.sh: 59: .: Can't open /usr/libexec/rc.apparmor.function

Mounting /usr during initramfs solved the problem.
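A pre-flight check for the failure mode found above: gendepends.sh sources every init script during sysinit, before localmount, so any file a script pulls in with "." must already be reachable, which on a split-/usr system means the initramfs has to mount it. The script below lists the absolute paths an init script sources and reports which of them sit on a mount other than /. It is an added example, not part of this thread or of OpenRC; the init script and mounts table it runs against are constructed fixtures (the /lib/rc/sh/functions.sh line in the fixture is hypothetical), and the check is a heuristic: it cannot tell whether a separate /usr is mounted by the initramfs or only later by localmount, so read a warning as "verify your initramfs".

```shell
#!/bin/sh
# Added example: find the files an OpenRC init script sources with "." and
# report any that live on a filesystem other than /, since those are absent
# during sysinit unless the initramfs mounted them.

# sourced_paths SCRIPT
# Print absolute paths sourced via ". /path" or "source /path" in SCRIPT.
# Paths built from variables (e.g. "${RC_LIBEXECDIR}/...") are skipped.
sourced_paths() {
    sed -n -E 's/^[[:space:]]*(\.|source)[[:space:]]+"?(\/[^"[:space:]]+)"?.*$/\2/p' "$1"
}

# mount_point_for PATH   (reads /proc/mounts-format lines on stdin)
# Print the longest mount point that is a prefix of PATH; "/" if none.
mount_point_for() {
    path=$1
    best=/
    while read -r _dev mnt _rest; do
        if [ "$mnt" = / ]; then continue; fi
        case "$path" in
            "$mnt"|"$mnt"/*)
                if [ "${#mnt}" -gt "${#best}" ]; then best=$mnt; fi ;;
        esac
    done
    printf '%s\n' "$best"
}

# check_init_script SCRIPT MOUNTS
# For each sourced file, say whether it is on / or on a separate mount.
# Exit status 1 if anything is on a separate mount.
check_init_script() {
    script=$1
    mounts=$2
    rc=0
    for f in $(sourced_paths "$script"); do
        mp=$(mount_point_for "$f" < "$mounts")
        if [ "$mp" = / ]; then
            printf 'ok    %s (on /)\n' "$f"
        else
            printf 'WARN  %s is on %s: must be mounted by the initramfs, localmount runs too late\n' "$f" "$mp"
            rc=1
        fi
    done
    return "$rc"
}

# make_fixtures: constructed test data (a hypothetical init script modelled on
# the one in this thread, plus a fake mounts table with a split /usr). Prints
# the temp directory it wrote them to.
make_fixtures() {
    dir=$(mktemp -d)
    cat > "$dir/apparmor" <<'EOF'
#!/sbin/openrc-run
# hypothetical init script for this example
. /usr/libexec/rc.apparmor.functions
. /lib/rc/sh/functions.sh
depend() { before localmount; }
EOF
    cat > "$dir/mounts" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /usr ext4 rw,relatime 0 0
EOF
    printf '%s\n' "$dir"
}

# Stand-alone demo against the fixtures. Against a live system:
#   check_init_script /etc/init.d/apparmor /proc/mounts
demo() {
    d=$(make_fixtures)
    check_init_script "$d/apparmor" "$d/mounts" || echo "-> at least one sourced file lives outside /"
    rm -rf "$d"
}
demo
```

Run it over every script in /etc/init.d that is in the sysinit or boot runlevel (rc-config list boot, as in the first post) and you get the list of files the initramfs must make available before OpenRC starts.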