# [SOLVED] OpenRC does not start AppArmor at boot

## yoshi_26_02

Hi,

AppArmor does not start at boot despite the fact that it is enabled in the boot runlevel.

System status after boot:

```
# apparmor_status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
```

```
# rc-service apparmor status
 * status: stopped
```

When I start it manually, everything is OK:

```
# rc-service apparmor start
 * Starting AppArmor ...
 *   Loading AppArmor profiles ...
```

```
# apparmor_status
apparmor module is loaded.
50 profiles are loaded.
48 profiles are in enforce mode.
   /usr/lib/apache2/mpm-prefork/apache2
   /usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
   /usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
   /usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
   /usr/lib/dovecot/anvil
   /usr/lib/dovecot/auth
   /usr/lib/dovecot/config
   /usr/lib/dovecot/deliver
   /usr/lib/dovecot/dict
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/dovecot-lda
   /usr/lib/dovecot/dovecot-lda//sendmail
   /usr/lib/dovecot/imap
   /usr/lib/dovecot/imap-login
   /usr/lib/dovecot/lmtp
   /usr/lib/dovecot/log
   /usr/lib/dovecot/managesieve
   /usr/lib/dovecot/managesieve-login
   /usr/lib/dovecot/pop3
   /usr/lib/dovecot/pop3-login
   /usr/lib/dovecot/ssl-params
   /usr/lib/dovecot/stats
   /usr/sbin/dnsmasq
   /usr/sbin/dnsmasq//libvirt_leaseshelper
   apache2
   apache2//DEFAULT_URI
   apache2//HANDLING_UNTRUSTED_INPUT
   apache2//phpsysinfo
   avahi-daemon
   dovecot
   identd
   klogd
   libvirtd
   lsb_release
   mdnsd
   nmbd
   nscd
   ntpd
   nvidia_modprobe
   nvidia_modprobe//kmod
   ping
   smbd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   syslog-ng
   syslogd
   traceroute
   winbindd
2 profiles are in complain mode.
   libvirtd//qemu_bridge_helper
   virt-aa-helper
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
```

OpenRC configuration:

```
# rc-config list boot
Init scripts to be started by runlevel boot
  apparmor
  binfmt
  bootmisc
  fsck
  hostname
  hwclock
  keymaps
  localmount
  loopback
  lvm
  modules
  mtab
  opentmpfiles-setup
  procfs
  root
  save-keymaps
  save-termencoding
  swap
  sysctl
  termencoding
  urandom
```

I don't get why it isn't started at boot.

You will find OpenRC logs on PasteBin.

Thank you.

Edit: Here are the OpenRC logs with rc_verbose=yes.

There is nothing about apparmor in them.

Last edited by yoshi_26_02 on Tue Feb 18, 2020 11:01 pm; edited 1 time in total

----------

## freke

Is there anything AppArmor-related in the dmesg output?

I have

```
mail ~ # dmesg | grep -i apparmor
[    0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-5.4.10-gentoo root=/dev/sda1 ro rootfstype=ext4 splash console=ttyS0,115200n8 apparmor=1 security=apparmor
[    0.548564] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-5.4.10-gentoo root=/dev/sda1 ro rootfstype=ext4 splash console=ttyS0,115200n8 apparmor=1 security=apparmor
[    4.362542] AppArmor: AppArmor initialized
[    5.405679] AppArmor: AppArmor Filesystem Enabled
[    6.672520] AppArmor: AppArmor sha1 policy hashing enabled
[   19.273866] audit: type=1400 audit(1578776073.091:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="ping" pid=2106 comm="apparmor_parser"
[   20.211804] audit: type=1400 audit(1578776074.027:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="syslog-ng" pid=2119 comm="apparmor_parser"
```

And in rc.log, AppArmor is the very first boot service to start:

```
rc boot logging started at Sat Jan 11 21:54:32 2020
 * Starting AppArmor ...
 *   Loading AppArmor profiles ...
 [ ok ]
 * Setting system clock using the hardware clock [UTC] ...
 [ ok ]
 * Mounting misc binary format filesystem ...
 [ ok ]
 * Loading custom binary format handlers ...
 [ ok ]
 * Remounting root filesystem read/write ...
 [ ok ]
 * Remounting filesystems ...
 [ ok ]
 * Updating /etc/mtab ...
 * Creating mtab symbolic link
 [ ok ]
 * Activating swap devices ...
 [ ok ]
 * Configuring kernel parameters ...
 [ ok ]
 * Creating user login records ...
 [ ok ]
 * Wiping /tmp directory ...
 [ ok ]
 * Setting hostname to mail.vlh.dk  ...
 [ ok ]
 * Starting infnoise ...
 [ ok ]
 * Setting terminal encoding [UTF-8] ...
 [ ok ]
 * Setting keyboard mode [UTF-8] ...
 [ ok ]
 * Loading key mappings [dk-latin1] ...
 [ ok ]
 * Fixing font for euro symbol ...
 [ ok ]
 * Bringing up network interface lo ...
 [ ok ]
 * Saving key mapping ...
 [ ok ]
 * Saving terminal encoding ...
 [ ok ]
 * Initializing random number generator ...
 [ ok ]
rc boot logging stopped at Sat Jan 11 21:54:37 2020
```
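
The grep above is the right evidence to look for: `profile_load` audit events are what separate "the LSM is compiled in" from "policy is actually loaded". The script below is an added example (shell, not code from this thread or from the AppArmor or OpenRC projects) that automates that check over dmesg-style output and additionally separates profiles loaded shortly after boot from ones loaded much later by hand, which is exactly the difference between freke's machine and the original poster's. The sample lines are constructed after the ones posted in the thread, the 60-second boot window is an assumed heuristic, and the parser assumes the default `[seconds.micro]` uptime prefix that `dmesg` prints (it will not parse `dmesg -T` output).

```shell
#!/bin/sh
# Added example, not code from the thread. Parses dmesg-style AppArmor audit
# lines and reports which profiles were loaded shortly after boot versus
# much later (e.g. by a manual "rc-service apparmor start").
# Assumes the default dmesg prefix "[ seconds.micro]" (uptime), not "dmesg -T".

# Constructed sample modelled on the lines posted in the thread.
SAMPLE_DMESG='[    0.266123] AppArmor: AppArmor initialized
[    0.622803] AppArmor: AppArmor Filesystem Enabled
[    1.568683] AppArmor: AppArmor sha1 policy hashing enabled
[   19.273866] audit: type=1400 audit(1578776073.091:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="ping" pid=2106 comm="apparmor_parser"
[   20.211804] audit: type=1400 audit(1578776074.027:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="syslog-ng" pid=2119 comm="apparmor_parser"
[187741.195626] audit: type=1400 audit(1578879994.228:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe//kmod" pid=17117 comm="apparmor_parser"'

# Print the name of every profile that has a profile_load event on stdin.
apparmor_loaded_profiles() {
    sed -n 's/.*operation="profile_load".* name="\([^"]*\)".*/\1/p'
}

# Print only the profiles loaded within the first N seconds of uptime
# (default 60, an assumed window wide enough for the boot runlevel).
apparmor_boot_loaded_profiles() {
    limit=${1:-60}
    awk -v limit="$limit" '
        /operation="profile_load"/ && match($0, /^\[ *[0-9.]+\]/) {
            ts = substr($0, RSTART + 1, RLENGTH - 2)   # strip the brackets
            gsub(/ /, "", ts)                           # "   19.273866" -> "19.273866"
            if (ts + 0 <= limit + 0) {
                match($0, / name="[^"]*"/)
                print substr($0, RSTART + 7, RLENGTH - 8)
            }
        }'
}

# Exit 0 if at least one profile was loaded inside the boot window, 1 otherwise.
# "apparmor module is loaded" alone is not evidence of confinement: with zero
# profiles loaded every process on the box runs unconfined.
apparmor_boot_ok() {
    window=${1:-60}
    n=$(apparmor_boot_loaded_profiles "$window" | awk 'END { print NR }')
    if [ "$n" -gt 0 ]; then
        printf '%s profile(s) loaded within %ss of boot\n' "$n" "$window"
        return 0
    fi
    printf 'no profile_load events within %ss of boot: the AppArmor service did not run\n' "$window" >&2
    return 1
}

# On a live host: dmesg | apparmor_boot_ok
printf '%s\n' "$SAMPLE_DMESG" | apparmor_boot_ok
```

On the original poster's first dmesg output this returns 1 (only the three kernel initialisation lines, no `profile_load` events); after the manual start it still returns 1 for the boot window because every load happened at uptime 187741 s, which is the signal that the service was started by hand rather than by the boot runlevel. Wiring `dmesg | apparmor_boot_ok` into a post-boot health check catches this class of silent failure, where `apparmor_status` happily reports the module loaded while enforcing nothing.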

----------

## yoshi_26_02

Here is the dmesg output:

```
# dmesg | grep -i apparmor
[    0.266123] AppArmor: AppArmor initialized
[    0.622803] AppArmor: AppArmor Filesystem Enabled
[    1.568683] AppArmor: AppArmor sha1 policy hashing enabled
```

When I start it manually with "rc-service apparmor start", I get this in dmesg:

```
# dmesg | grep -i apparmor
[    0.266123] AppArmor: AppArmor initialized
[    0.622803] AppArmor: AppArmor Filesystem Enabled
[    1.568683] AppArmor: AppArmor sha1 policy hashing enabled
[187741.195626] audit: type=1400 audit(1578879994.228:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="ping" pid=17094 comm="apparmor_parser"
[187741.244118] audit: type=1400 audit(1578879994.276:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lsb_release" pid=17110 comm="apparmor_parser"
[187741.285720] audit: type=1400 audit(1578879994.318:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe" pid=17117 comm="apparmor_parser"
[187741.285827] audit: type=1400 audit(1578879994.318:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe//kmod" pid=17117 comm="apparmor_parser"
[187741.308514] audit: type=1400 audit(1578879994.341:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="klogd" pid=17124 comm="apparmor_parser"
[187741.381981] audit: type=1400 audit(1578879994.414:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="syslog-ng" pid=17131 comm="apparmor_parser"
[187741.437542] audit: type=1400 audit(1578879994.470:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="syslogd" pid=17138 comm="apparmor_parser"
[187741.644599] audit: type=1400 audit(1578879994.677:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/apache2/mpm-prefork/apache2" pid=17148 comm="apparmor_parser"
[187741.644690] audit: type=1400 audit(1578879994.677:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI" pid=17148 comm="apparmor_parser"
[187741.644695] audit: type=1400 audit(1578879994.677:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT" pid=17148 comm="apparmor_parser"
```

----------

## yoshi_26_02

Solved:

My initramfs did not mount the /usr partition, keeping OpenRC from accessing the file containing the AppArmor functions, which is in /usr.

The error occurred in the sysinit phase, so it was not logged in /var/log/rc.log.

```
/lib/rc/sh/gendepends.sh: 59: .: Can't open /usr/libexec/rc.apparmor.function
```

Mounting /usr during initramfs solved the problem.
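
The failure mode here is worth a pre-flight check on any split-/usr box: an init script that sources a helper from /usr is silently dropped from the dependency tree if /usr is not mounted when `gendepends.sh` runs, and the service that was supposed to load the mandatory-access-control policy simply never starts. The script below is an added example (shell, not code from this thread or from the OpenRC project) that takes the list of files an init script sources and the fstab, and reports which of those files live on a mount point other than `/` that the initramfs therefore has to bring up early. The fstab and the list of sourced files are constructed; the first sourced path is the one from the `gendepends.sh` error above, and the helper only sees literal `. /path` and `source /path` lines, not paths built from variables.

```shell
#!/bin/sh
# Added example, not code from the thread. Flags files an OpenRC init script
# sources that live on a filesystem mounted separately from / (a split /usr),
# which the initramfs must mount before OpenRC's sysinit/gendepends phase
# can read them. All sample data below is constructed.

# Constructed /etc/fstab for a split-/usr layout (assumption).
SAMPLE_FSTAB='# <fs>      <mountpoint> <type> <opts>  <dump> <pass>
/dev/sda1   /            ext4   noatime 0      1
/dev/sda2   /usr         ext4   noatime 0      2
/dev/sda3   /home        ext4   noatime 0      2
tmpfs       /tmp         tmpfs  nosuid  0      0'

# Constructed list of sourced files; the first is the path from the
# gendepends.sh error in the thread.
SAMPLE_SOURCED='/usr/libexec/rc.apparmor.function
/lib/rc/sh/functions.sh
/etc/conf.d/apparmor'

# Files an init script sources via literal ". /path" or "source /path" lines.
# Paths built from variables (e.g. ". ${FUNCS}") are not resolved here.
sourced_files() {   # $1 = init script
    awk '($1 == "." || $1 == "source") && $2 ~ /^"?\// { gsub(/"/, "", $2); print $2 }' "$1"
}

# Given fstab text on stdin and a path in $1, print the longest mount point
# other than / that contains the path; exit 1 if the path is on the root fs.
separate_mount_for() {
    awk -v p="$1" '
        $1 ~ /^#/ || NF < 2 { next }
        $2 != "/" && (p == $2 || index(p, $2 "/") == 1) {
            if (length($2) > length(best)) best = $2
        }
        END { if (best != "") { print best; exit 0 } exit 1 }'
}

# stdin = one sourced file per line, $1 = fstab text.
# Prints "<file> <mountpoint>" for each file that needs an early mount.
early_mount_requirements() {
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if mp=$(printf '%s\n' "$1" | separate_mount_for "$f"); then
            printf '%s %s\n' "$f" "$mp"
        fi
    done
}

# On a live host:
#   sourced_files /etc/init.d/apparmor | early_mount_requirements "$(cat /etc/fstab)"
printf '%s\n' "$SAMPLE_SOURCED" | early_mount_requirements "$SAMPLE_FSTAB"
```

On the constructed input this prints `/usr/libexec/rc.apparmor.function /usr` and nothing for the files under `/lib` and `/etc`, which is the one line you need to know that the initramfs must mount `/usr` before handing over to OpenRC. Run it against every script in the `boot` and `sysinit` runlevels, not just apparmor: anything that comes back listed will fail the same silent way.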

----------

