thican n00b

Joined: 09 Jul 2017 Posts: 17 Location: Earth
Posted: Sat Apr 26, 2025 9:08 pm Post subject: [SOLVED]AppArmor parser […] Could not open 'tunables/global' |
Hello,
I have an issue with AppArmor, both with and without it enabled on the kernel command line.
It started when I was trying to run incus-user service, following instructions from the Wiki https://wiki.gentoo.org/wiki/Incus. (I also reported this issue on b.g.o: bug 946953 - incus-user service crash)
Incus-user error message:
Code: | Error: Failed to apply initial configuration: Failed to create network: Failed to run: apparmor_parser -rWL /var/lib/incus/security/apparmor/cache /var/lib/incus/security/apparmor/profiles/incus_dnsmasq-incusbr0: exit status 1 (AppArmor parser error for /var/lib/incus/security/apparmor/profiles/incus_dnsmasq-incusbr0 in profile /var/lib/incus/security/apparmor/profiles/incus_dnsmasq-incusbr0 at line 1: Could not open 'tunables/global') |
I was wondering why AppArmor was interfering since I didn’t enable it, only pushed support in my kernel `CONFIG_SECURITY_APPARMOR=y` and some USE flags in case I want to actually enable it.
But I set no kernel cmd options such as `lsm=[…]apparmor[…]`, nor `apparmor=1 security=apparmor`, and no boot level service, as described in https://wiki.gentoo.org/wiki/Security_Handbook/Linux_Security_Modules/AppArmor
I noticed I also have this issue when enabling the service apparmor:
Code: | AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/com.gitlab.chinstrap.gammastep at line 4: Could not open 'tunables/global'
AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/firejail-default at line 7: Could not open 'tunables/global'
AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/lxc-containers at line 5: Could not open 'tunables/global'
AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/usr.bin.lxc-copy at line 1: Could not open 'tunables/global'
AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/usr.bin.lxc-start at line 1: Could not open 'tunables/global'
AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/usr.libexec.libvirt.virt-aa-helper at line 1: Could not open 'tunables/global'
AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/usr.sbin.libvirtd at line 1: Could not open 'tunables/global'
AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/usr.sbin.virtqemud at line 1: Could not open 'tunables/global'
AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/usr.sbin.virtxend at line 1: Could not open 'tunables/global' |
It also happens with configuration enabled on kernel command line and therefore at boot start-up.
I also noticed this `tunables/global` is expected to be a file (or directory?) under /etc/apparmor.d, as the current files inside this directory have this instruction:
Code: | #include <tunables/global> |
This directory `tunables` is completely missing from /etc/apparmor.d. I have no idea why this is missing, how to regenerate, or if it should be fetched from somewhere.
Do you have some ideas how to fix this issue? Thank you in advance.
Last edited by thican on Sat Apr 26, 2025 10:14 pm; edited 1 time in total
pietinger Moderator

Joined: 17 Oct 2006 Posts: 5674 Location: Bavaria
Posted: Sat Apr 26, 2025 9:52 pm Post subject: |
thican wrote: | [...] I also noticed this `tunables/global` is expected to be a file (or directory?) under /etc/apparmor.d, as the current files inside this repertory have this instruction:
[...]
Do you have some ideas how to fix this issue? Thank you in advance. |
Please emerge the package "sec-policy/apparmor-profiles".
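The error in the thread means exactly what it says: apparmor_parser resolves `#include <tunables/global>` relative to its include base (/etc/apparmor.d by default) and the file is not there until sec-policy/apparmor-profiles is installed. The script below is an added example, not code from the thread or from the AppArmor project. It scans a profile for `#include <...>` and `include <...>` directives, skips `include if exists <...>` (which the parser tolerates when the file is absent), and reports any target missing under the base directory, so you can spot this before the service fails. It assumes a `sed` that accepts `-E`, and the constructed demo tree it builds under mktemp is not real system state; `make_demo_tree`, `check_includes` and `demo` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): report AppArmor include targets that a
# profile references but that do not exist under the parser's include base
# (default /etc/apparmor.d). This is the condition behind the
# "Could not open 'tunables/global'" error. Both the old "#include <x>" and
# the newer "include <x>" spellings are handled; "include if exists <x>" is
# skipped because the parser tolerates a missing file there.

# check_includes PROFILE [BASE]
# Prints one line per unresolved include and returns 1 if any was missing.
check_includes() {
    profile=$1
    base=${2:-/etc/apparmor.d}
    missing=0
    # Pull the <target> out of every include line, dropping "include if exists".
    targets=$(sed -n -E \
        -e '/^[[:space:]]*#?include[[:space:]]+if[[:space:]]+exists/d' \
        -e 's/^[[:space:]]*#?include[[:space:]]*<([^>]+)>.*/\1/p' "$profile")
    for t in $targets; do
        if [ ! -e "$base/$t" ]; then
            echo "$profile: cannot resolve include <$t> (no $base/$t)"
            missing=1
        fi
    done
    return "$missing"
}

# make_demo_tree: builds a constructed, throw-away profile directory (not real
# system files) and prints its path. "abstractions/base" exists, "tunables"
# does not, mirroring the state described in the first post.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/abstractions"
    printf '# constructed stand-in for abstractions/base\n' > "$d/abstractions/base"
    cat > "$d/usr.bin.broken" <<'EOF'
#include <tunables/global>
include if exists <local/usr.bin.broken>
/usr/bin/broken {
  #include <abstractions/base>
}
EOF
    cat > "$d/usr.bin.ok" <<'EOF'
include <abstractions/base>
/usr/bin/ok {
}
EOF
    echo "$d"
}

# demo: run the check over the constructed tree and clean up.
demo() {
    d=$(make_demo_tree)
    for p in "$d"/usr.bin.*; do
        if check_includes "$p" "$d"; then
            echo "$p: all includes resolve"
        fi
    done
    rm -rf "$d"
}

# Run the demo:            sh check_includes.sh --demo
# Check a real profile:    . ./check_includes.sh; check_includes /etc/apparmor.d/usr.sbin.libvirtd
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

On a system in the state the first post describes, running `check_includes` over each file in /etc/apparmor.d lists every profile whose `tunables/global` cannot be found, which is the same set the parser complains about; after emerging sec-policy/apparmor-profiles the list is empty.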
thican n00b

Joined: 09 Jul 2017 Posts: 17 Location: Earth
Posted: Sat Apr 26, 2025 10:13 pm Post subject: [SOLVED] AppArmor parser error […] Could not open 'tunables/ |
pietinger wrote: | thican wrote: | [...] I also noticed this `tunables/global` is expected to be a file (or directory?) under /etc/apparmor.d, as the current files inside this repertory have this instruction:
[...]
Do you have some ideas how to fix this issue? Thank you in advance. |
Please emerge the package "sec-policy/apparmor-profiles". |
Good job, it works! Thanks a lot.
Do you consider that it should be an explicit dependency of sys-apps/apparmor, or of every program which adds this include?
pietinger Moderator

Joined: 17 Oct 2006 Posts: 5674 Location: Bavaria
Posted: Sat Apr 26, 2025 10:50 pm Post subject: |
thican wrote: | Good job, it works! Thanks a lot. |
You are very welcome!
thican wrote: | Do you consider it should be an explicit dependency of sys-apps/apparmor, or to every program which add this include? |
No. I am also using AppArmor ... with my own profiles ... I do not accept other people's profiles ;-) So, yes, it would be a bad idea if there were a dependency.
Maybe there should be a dependency for "incus" ... but I cannot judge this because I don't know "incus" (I didn't even know that incus needed AA). Maybe write a bug report for this.
thican n00b

Joined: 09 Jul 2017 Posts: 17 Location: Earth
Posted: Sat Apr 26, 2025 11:44 pm Post subject: |
pietinger wrote: | thican wrote: | Do you consider it should be an explicit dependency of sys-apps/apparmor, or to every program which add this include? |
No. I am also using AppArmor ... with my own profiles ... I do not accept other people's profiles ;-) So, yes it would be a bad idea if there would be a dependency. |
I see, I didn’t know this.
pietinger wrote: | Maybe there should be a dependency to "incus" ... but I cannot judge this because I dont know "incus" (I didn't even know that incus needed AA). Maybe write a bug report for this. |
Already done (mentioned in first message ;-)): bug 946953 - incus-user service crash
Anyway, thanks again (now I have the delight to see permissions denied by audit for simple tasks such as using zgrep…).