upgrade to 15.4, apparmor fails

Dear Community

I just upgraded one of my Computers to 15.4 (several others are running it fine)

  • kernel 5.14.21-150400.24.18-default
  • NAME="openSUSE Leap" VERSION="15.4" ID="opensuse-leap" ID_LIKE="suse opensuse" VERSION_ID="15.4" PRETTY_NAME="openSUSE Leap 15.4" ANSI_COLOR="0;32"
    CPE_NAME="cpe:/o:opensuse:leap:15.4"

Suddenly I noticed that my wekan snap service does not load. A look in the logs showed that wekan.apparmor isn’t loading.
So I searched the sysjournal and found out the apparmor service on my computer has failed:

Aug 30 19:41:32 … systemd[1]: Starting Load AppArmor profiles…
Aug 30 19:41:32 … apparmor.systemd[18448]: Restarting AppArmor
Aug 30 19:41:32 … apparmor.systemd[18448]: Reloading AppArmor profiles
Aug 30 19:41:32 … apparmor.systemd[18452]: Found reference to variable run, but is never declared
Aug 30 19:41:32 … apparmor.systemd[18455]: Found reference to variable run, but is never declared
Aug 30 19:41:32 … apparmor.systemd[18456]: Found reference to variable run, but is never declared

Aug 30 19:41:56 … systemd[1]: snap.wekan.mongodb.service: Main process exited, code=exited, status=1/FAILURE
Aug 30 19:41:56 … systemd[1]: snap.wekan.mongodb.service: Failed with result ‘exit-code’.
Aug 30 19:41:56 … wekan.caddy[19006]: missing profile snap.wekan.caddy.
Aug 30 19:41:56 … wekan.caddy[19006]: Please make sure that the snapd.apparmor service is enabled and started
Aug 30 19:41:56 … systemd[1]: snap.wekan.caddy.service: Main process exited, code=exited, status=1/FAILURE
Aug 30 19:41:56 … systemd[1]: snap.wekan.caddy.service: Failed with result ‘exit-code’.
Aug 30 19:41:56 … wekan.wekan[19008]: missing profile snap.wekan.wekan.
Aug 30 19:41:56 … systemd[1]: Stopped Service for snap application wekan.caddy.
Aug 30 19:41:56 … systemd[1]: snap.wekan.caddy.service: Start request repeated too quickly.
Aug 30 19:41:56 … systemd[1]: snap.wekan.caddy.service: Failed with result ‘exit-code’.
Aug 30 19:41:56 … systemd[1]: Failed to start Service for snap application wekan.caddy.
Aug 30 19:41:56 … systemd[1]: Stopped Service for snap application wekan.mongodb.
Aug 30 19:41:56 … systemd[1]: snap.wekan.mongodb.service: Start request repeated too quickly.
Aug 30 19:41:56 … systemd[1]: snap.wekan.mongodb.service: Failed with result ‘exit-code’.
Aug 30 19:41:56 … systemd[1]: Failed to start Service for snap application wekan.mongodb.
Aug 30 19:41:56 … systemd[1]: Stopped Service for snap application wekan.wekan.
Aug 30 19:41:56 … systemd[1]: snap.wekan.wekan.service: Start request repeated too quickly.
Aug 30 19:41:56 … systemd[1]: snap.wekan.wekan.service: Failed with result ‘exit-code’.
Aug 30 19:41:56 … systemd[1]: Failed to start Service for snap application wekan.wekan.
Aug 30 19:42:01 … systemd[1]: snap.wekan.wekan.service: Start request repeated too quickly.
Aug 30 19:42:01 … systemd[1]: snap.wekan.wekan.service: Failed with result ‘exit-code’.
Aug 30 19:42:01 … systemd[1]: Failed to start Service for snap application wekan.wekan.

(I have replaced the computer name with “…” for security reasons, but that is marginal)

  • A reboot didn’t change anything
  • I have several other small problems with the new system which e.g. prevent me from loading another kernel because I can’t see the grub boot screen. And also I have only 2 kernels:
    kernel-default-5.14.21-150400.22.1.x86_64
    kernel-default-5.14.21-150400.24.18.1.x86_64
    the latter is running. I guess the difference is only marginal. The old 5.3 kernels are gone.
  • I have found nothing on the web concerning this problem. I have done zypper up, but it is on the latest now.

Can anyone help with this particular problem or is it a known bug?

Thanks!

Cellocommander

Really dots? rotfl!
Dots are not permitted…only alphanumerical…

Never mind about the computer name.
Can somebody help?

You added computer text as quote so it is not included on replies which makes it impossible to comment on output lines in the proper context. There are tags [noparse]

...

[/noparse] for that. As for your problem - show output of

ls -l /etc/apparmor.d/tunables
 # ls -l /etc/apparmor.d/tunables
insgesamt 76
-rw-r--r-- 1 root root  624  8. Mai 07:41 alias
-rw-r--r-- 1 root root  375  8. Mai 07:41 apparmorfs
-rw-r--r-- 1 root root  804  8. Mai 07:41 dovecot
-rw-r--r-- 1 root root 1077  8. Mai 07:41 etc
-rw-r--r-- 1 root root  694  7. Aug 2019  global
-rw-r--r-- 1 root root  759  8. Mai 07:41 global.rpmnew
-rw-r--r-- 1 root root  982  8. Mai 07:41 home
drwxr-xr-x 2 root root 4096 29. Aug 23:19 home.d
-rw-r--r-- 1 root root 1391  8. Mai 07:41 kernelvars
-rw-r--r-- 1 root root  630  8. Mai 07:41 multiarch
drwxr-xr-x 2 root root 4096 29. Aug 23:19 multiarch.d
-rw-r--r-- 1 root root  533  8. Mai 07:41 ntpd
-rw-r--r-- 1 root root  440  8. Mai 07:41 proc
-rw-r--r-- 1 root root   23  8. Mai 07:41 run
-rw-r--r-- 1 root root  405  8. Mai 07:41 securityfs
-rw-r--r-- 1 root root  819  8. Mai 07:41 share
-rw-r--r-- 1 root root  378  8. Mai 07:41 sys
-rw-r--r-- 1 root root  867  8. Mai 07:41 xdg-user-dirs
drwxr-xr-x 2 root root 4096 29. Aug 23:19 xdg-user-dirs.d

Ok. anything special here? Thanks for helping

From where did you obtain the “wekan” you’ve installed on your system?

I notice that, there’s a new wekan version being tested – <https://snapcraft.io/wekan> – candidate/beta version 6.39 dated 21 August 2022 …

  • Whether or not a repair is in that version for your issue, can only be answered by looking at Canonical’s Change Logs for the product.

Please use “journalctl --no-hostname --output=short-monotonic -b 0” when posting systemd Journal output anywhere on the Internet.

Hello, thanks for answering, but I have reason to believe that the wekan is not the problem, but apparmor service on the computer is. So I’m not going to meddle with wekan, 'cos it is clear that the systemd apparmor service is not starting.
Does anybody know how to repair apparmor?

Thanks

And those reasons are … ?

'cos it is clear that the systemd apparmor service is not starting.

apparmor service is starting just fine. Its task is to parse apparmor profiles which it does.

Does anybody know how to repair apparmor?

The only evidence you show is that some profiles failed to parse correctly. And they could be those profiles that are missing (like snap.wekan.caddy), because if profile definition fails parsing, it is not loaded into kernel. In which case you need to repair these profiles that come with your application.

Unfortunately apparmor_parser does not print the name of file that fails. You could run

sudo strace -f -o /tmp/apparmor.log /lib/apparmor/apparmor.systemd reload

and upload /tmp/apparmor.log to https://susepaste.org

Hello, thanks for answering. I believe the whole apparmor process is failing. Here is the output

service apparmor status
× apparmor.service - Load AppArmor profiles
     Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Thu 2022-09-01 07:38:29 CEST; 2min 8s ago
    Process: 522 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=1/FAILURE)
   Main PID: 522 (code=exited, status=1/FAILURE)


Sep 01 07:38:29 shuttloj apparmor.systemd[879]: Found reference to variable run, but is never declared
Sep 01 07:38:29 shuttloj apparmor.systemd[888]: Found reference to variable run, but is never declared
Sep 01 07:38:29 shuttloj apparmor.systemd[892]: Found reference to variable run, but is never declared
Sep 01 07:38:29 shuttloj apparmor.systemd[897]: Found reference to variable run, but is never declared
Sep 01 07:38:29 shuttloj apparmor.systemd[898]: Found reference to variable run, but is never declared
Sep 01 07:38:29 shuttloj apparmor.systemd[899]: Found reference to variable run, but is never declared
Sep 01 07:38:29 shuttloj apparmor.systemd[522]: Error: At least one profile failed to load
Sep 01 07:38:29 shuttloj systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Sep 01 07:38:29 shuttloj systemd[1]: apparmor.service: Failed with result 'exit-code'.
Sep 01 07:38:29 shuttloj systemd[1]: Failed to start Load AppArmor profiles.


strace:

strace -f -o /tmp/apparmor.log /lib/apparmor/apparmor.systemd reload
Restarting AppArmor
Reloading AppArmor profiles 
Found reference to variable run, but is never declared
Found reference to variable run, but is never declared

...     (this comes more than 50 times)


Found reference to variable run, but is never declared
Error: At least one profile failed to load



Has anybody any ideas?

Help appreciated

apparmor_parser returns an error, but it should have loaded all profiles that were parsed correctly. You can verify with aa-status.

strace:

strace -f -o /tmp/apparmor.log /lib/apparmor/apparmor.systemd reload
...
Found reference to variable run, but is never declared
...     (this comes more than 50 times)

That is a lot and sounds like every profile fails to load.

Has anybody any ideas?

Not without seeing file generated by strace.

@arvidjaar, you might be right!

the following post https://forum.snapcraft.io/t/solved-permission-denied-in-general-ubuntu-19-10-snap-2-42-5/15161
suggested that there is a problem with profile loading.

It is Ubuntu, but the problem can be seen in my audit.log (see below, on susepaste)

Paste of

grep -i denied /var/log/audit/audit.log 

https://susepaste.org/86979062

How can I update the profile?

I tried to reinstall snapd, but the guys on opensuse repos are having troubles of their own, the snappy repo is not reachable at the moment, so I can’t continue reinstalling at the moment

Reinstalling snapd, now the repo worked, but the problem persists.

snap install wekan
2022-09-01T11:56:25+02:00 INFO Waiting for automatic snapd restart...
error: cannot perform the following tasks:
- Setup snap "wekan" (1998) security profiles for auto-connections (cannot setup profiles for snap "wekan": cannot load apparmor profiles: exit status 1
apparmor_parser output:
Found reference to variable run, but is never declared
Found reference to variable run, but is never declared
Found reference to variable run, but is never declared
Found reference to variable run, but is never declared
Found reference to variable run, but is never declared
Found reference to variable run, but is never declared
)



what can I do?
:frowning:

For the last time - provide file generated by strace.

Hello

I tried to upload sudo strace -f -o /tmp/apparmor.log /lib/apparmor/apparmor.systemd reload

many times, but the generated file is over 8mb long with almost 10.000 lines.
Susepaste.org and pastebin both don’t accept it, they crash. I tried it 5 times.
What do you want me to do? Paste only a portion or what?

Can you provide compressed file? Providing partial content may help, but the point is to identify at least one profile that fails to load so it can be checked more closely.

I can’t find a way to use a pastebin for a file. Please use this link, this is on my groupware. It is the .gz compressed file.
I hope you can find anything within there. Help appreciated.
Thanks

OK, sorry, I went blind earlier and missed the obvious.

 # ls -l /etc/apparmor.d/tunables
...
-rw-r--r-- 1 root root  694  7. Aug 2019  global
-rw-r--r-- 1 root root  759  8. Mai 07:41 global.rpmnew
...

You have outdated file “global” which does not include definition of “run” variable. Replace it with the correct version

mv /etc/apparmor.d/tunables/global.rpmnew /etc/apparmor.d/tunables/global

and check /etc/apparmor.d for any other files with rpmnew suffix and do the same.
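
The check behind this fix, as an added example that is not part of the original thread: it lists unmerged `*.rpmnew` files under an AppArmor configuration root and follows `include <...>` lines from `tunables/global` to see whether a variable such as `run` is ever declared. The function names are hypothetical, and only the `<...>` include form is handled.

```shell
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.

# Print variables declared in FILE and, recursively, in everything it includes.
# <...> include paths are resolved relative to ROOT (e.g. /etc/apparmor.d).
declared_vars() {
    local root="$1" file="$2" inc f
    [ -f "$file" ] || return 0
    sed -nE 's/^[[:space:]]*@\{([A-Za-z_][A-Za-z0-9_]*)\}[[:space:]]*\+?=.*/\1/p' "$file"
    sed -nE 's/^[[:space:]]*#?include[[:space:]]+(if exists[[:space:]]+)?<([^>]+)>.*/\2/p' "$file" |
    while IFS= read -r inc; do
        if [ -d "$root/$inc" ]; then
            # Directory include: skip package-manager leftovers.
            for f in "$root/$inc"/*; do
                case "$f" in *.rpmnew|*.rpmsave) continue ;; esac
                declared_vars "$root" "$f"
            done
        else
            declared_vars "$root" "$root/$inc"
        fi
    done
}

# Succeed only if VAR is declared somewhere reachable from tunables/global.
var_declared() {
    declared_vars "$1" "$1/tunables/global" | grep -qxF -- "$2"
}

# List each *.rpmnew under ROOT and whether it differs from the live file.
list_rpmnew() {
    local root="$1" new
    find "$root" -type f -name '*.rpmnew' | sort | while IFS= read -r new; do
        if cmp -s "$new" "${new%.rpmnew}"; then
            printf 'same %s\n' "$new"
        else
            printf 'differs %s\n' "$new"
        fi
    done
}

# Audit a real tree only when a root is passed, e.g.: sh audit.sh /etc/apparmor.d
if [ -n "${1:-}" ]; then
    list_rpmnew "$1"
    var_declared "$1" run || echo "@{run} is not reachable from $1/tunables/global"
fi
```

A `differs` line means the packaged file was never merged into the live one; compare the two before replacing the live file.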

Yes, that was it! Thanks very much, now it starts and all seems well (how simple…)