apparmor profiles do not load after reboot on Arch
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
snapd | New | Undecided | Unassigned | | |
Bug Description
I installed snap on Arch Linux and followed the Arch Wiki guide to set up AppArmor (https:/
However, snaps fail to launch.
[evan@evan-
cannot change profile for the next exec call: No such file or directory
snap-update-ns failed with code 1
By running aa-status, I can see that 52 profiles are loaded but none are about the hello-world snap.
[evan@evan-
[sudo] password for evan:
apparmor module is loaded.
52 profiles are loaded.
52 profiles are in enforce mode.
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
apache2
apache2/
apache2/
apache2/
avahi-daemon
dnsmasq
dnsmasq/
dovecot
dovecot-anvil
dovecot-auth
dovecot-config
dovecot-deliver
dovecot-dict
dovecot-
dovecot-
dovecot-
dovecot-imap
dovecot-
dovecot-lmtp
dovecot-log
dovecot-
dovecot-
dovecot-pop3
dovecot-
dovecot-
dovecot-
dovecot-stats
identd
klogd
lsb_release
mdnsd
nmbd
nscd
ntpd
nvidia_modprobe
nvidia_
php-fpm
ping
samba-bgqd
smbd
smbldap-useradd
smbldap-
syslog-ng
syslogd
traceroute
winbindd
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
However, if I remove the hello-world snap and reinstall it, I can see that 57 apparmor profiles are loaded, including ones about the hello-world snap.
[evan@evan-
apparmor module is loaded.
57 profiles are loaded.
57 profiles are in enforce mode.
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
apache2
apache2/
apache2/
apache2/
avahi-daemon
dnsmasq
dnsmasq/
dovecot
dovecot-anvil
dovecot-auth
dovecot-config
dovecot-deliver
dovecot-dict
dovecot-
dovecot-
dovecot-
dovecot-imap
dovecot-
dovecot-lmtp
dovecot-log
dovecot-
dovecot-
dovecot-pop3
dovecot-
dovecot-
dovecot-
dovecot-stats
identd
klogd
lsb_release
mdnsd
nmbd
nscd
ntpd
nvidia_modprobe
nvidia_
php-fpm
ping
samba-bgqd
smbd
smbldap-useradd
smbldap-
snap-
snap.
snap.
snap.
snap.
syslog-ng
syslogd
traceroute
winbindd
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
The snap runs correctly now that it has an apparmor profile (and as a side note, I tested the hello-world.evil and the confinement did work correctly), but will no longer work after a reboot due to the profiles not loading correctly. By going to /var/lib/
Additional info about system:
[evan@evan-
snap 2.56.3-1
snapd 2.56.3-1
series 16
arch -
kernel 5.18.14-arch1-1
I am also reinstalling Ubuntu very soon, so I'm going to try and give as much information as I can before doing so.
[evan@evan-archlinux ~]$ neofetch
OS: Arch Linux x86_64
Host: MS-7C56 2.0
Kernel: 5.18.14-arch1-1
Uptime: 38 mins
Packages: 668 (pacman), 15 (snap)
Shell: bash 5.1.16
Resolution: 1920x1080
DE: GNOME 42.3.1
WM: Mutter
WM Theme: Adwaita
Theme: adw-gtk3 [GTK2/3]
Icons: Adwaita [GTK2/3]
Terminal: gnome-terminal
CPU: AMD Ryzen 5 5600X (12) @ 3.700GHz
GPU: AMD ATI Radeon RX 6700/6700 XT/6750 XT / 6800M
Memory: 1462MiB / 15920MiB
[evan@evan-archlinux ~]$ snap list
Name Version Rev Tracking Publisher Notes
adw-gtk3-theme 1.0 1 latest/stable mj-keyle -
bare 1.0 5 latest/stable canonical✓ base
bitwarden 2022.6.2 72 latest/stable bitwarden✓ -
core 16-2.56.2 13425 latest/stable canonical✓ core
core18 20220706 2538 latest/stable canonical✓ base
core20 20220706 1581 latest/stable canonical✓ base
firefox 102.0.1-1 1551 latest/stable mozilla✓ -
gnome-3-28-1804 3.28.0-19-g98f9e67.98f9e67 161 latest/stable canonical✓ -
gnome-3-38-2004 0+git.891e5bc 112 latest/stable canonical✓ -
gtk-common-themes 0.1-81-g442e511 1535 latest/stable canonical✓ -
hello-world 6.4 29 latest/stable canonical✓ -
nvim v0.7.0 2181 latest/stable neovim-snap classic
snapd 2.56.2 16292 latest/stable canonical✓ snapd
snapd-desktop-integration 0.1 14 latest/stable canonical✓ -
[evan@evan-archlinux ~]$ systemctl status apparmor
● apparmor.service - Load AppArmor profiles
Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; preset: disabled)
Active: active (exited) since Sun 2022-07-24 18:19:27 EDT; 42min ago
Main PID: 1362 (code=exited, status=0/SUCCESS)
CPU: 3.483s
Jul 24 18:19:26 evan-archlinux apparmor.systemd[1362]: Restarting AppArmor
Jul 24 18:19:26 evan-archlinux apparmor.systemd[1362]: Reloading AppArmor profiles
Jul 24 18:19:27 evan-archlinux systemd[1]: Finished Load AppArmor profiles.
Notice: journal has been rotated since unit was started, output may be incomplete.
[evan@evan-archlinux ~]$ systemctl status snapd
● snapd.service - Snap Daemon
Loaded: loaded (/usr/lib/systemd/system/snapd.service; disabled; preset: disabled)
Active: active (running) since Sun 2022-07-24 18:23:49 EDT; 39min ago
TriggeredBy: ● snapd.socket
Main PID: 3687 (snapd)
Tasks: 19 (limit: 19079)
Memory: 79.9M
CPU: 1.509s
CGroup: /system.slice/snapd.service
└─3687 /usr/lib/snapd/snapd
Jul 24 18:23:49 evan-archlinux snapd[3687]: overlord.go:268: Acquired state lock file
Jul 24 18:23:49...