LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 10-31-2012, 03:01 PM   #1
alex123456
LQ Newbie
 
Registered: Jun 2012
Posts: 12

Rep: Reputation: Disabled
Why is apparmor throwing that error?


Hello,

I am running Ubuntu 12.04 (kernel 3.2-x86_64) and have installed apparmor-profiles and apparmor-utils and apparmor is already installed.

When I try aa-enforce /etc/apparmor.d/*, it throws that error:

Setting /etc/apparmor.d/bin.ping to enforce mode.
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.


Also when I try /etc/init.d/apparmor start, nothing happens.
When I try apparmor_status, it says that apparmor is not loaded.

I have searched on other forums but nothing looks clear on how to solve that problem.

Thanks for your help
 
Old 11-01-2012, 04:43 AM   #2
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 775
Blog Entries: 2

Rep: Reputation: 199
aa-enforce should be followed by a program name such as /bin/ping (not by the names of aa config files).
 
Old 11-01-2012, 09:05 AM   #3
alex123456
LQ Newbie
 
Registered: Jun 2012
Posts: 12

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by linosaurusroot
aa-enforce should be followed by a program name such as /bin/ping (not by the names of aa config files).
Hi, thanks for your help.
I tried aa-enforce /bin/ping but it resulted in the exact same message:


Setting /bin/ping to enforce mode.
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.


Does anyone have a suggestion?
Thanks a lot

Last edited by alex123456; 11-01-2012 at 09:08 AM.
 
Old 11-01-2012, 09:37 AM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
Quote:
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
In SELinux, which is a similar Mandatory Access Control system, the file system provides support for extended permission fields that are used by SELinux, such as the role and user. I wasn't aware that AppArmor used any sort of functionality like this, but the error message seems to indicate that it does. If you haven't read it, here is a link to a comprehensive introduction to AppArmor that may delve into this aspect of its functionality.
 
Old 11-01-2012, 09:43 AM   #5
alex123456
LQ Newbie
 
Registered: Jun 2012
Posts: 12

Original Poster
Rep: Reputation: Disabled
Thanks for your link. I had read it before and it was very useful and clear.

When I open proc/mounts, I get this:

rootfs / rootfs rw 0 0
/dev/root / ext4 rw,relatime,barrier=1,data=ordered 0 0
devtmpfs /dev devtmpfs rw,size=253536k,nr_inodes=63384,mode=755 0 0
none /proc proc rw,nosuid,nodev,noexec,relatime 0 0
none /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
none /sys/kernel/debug debugfs rw,relatime 0 0
none /sys/kernel/security securityfs rw,relatime 0 0
devpts /dev/pts devpts rw,relatime,mode=600,ptmxmode=000 0 0
none /run tmpfs rw,nosuid,noexec,relatime,size=50740k,mode=755 0 0
none /run/lock tmpfs rw,nosuid,nodev,noexec,relatime,size=5120k 0 0
none /run/shm tmpfs rw,nosuid,nodev,relatime 0 0


Is there one of them that I should mount to get Apparmor to work?
 
Old 11-01-2012, 10:35 AM   #6
alex123456
LQ Newbie
 
Registered: Jun 2012
Posts: 12

Original Poster
Rep: Reputation: Disabled
Actually, I happened to partially solve the problem by mistake.

My server is an Ubuntu cloud server with kernel 3.2-x86_64. In my cloud control panel, I tried to switch to the deprecated 2.6.36-x86_64 and apparmor partially worked. It was able to be loaded.

Then I switched again to kernel 3.2 and this time, Apparmor partially worked too.

When I try to restart apparmor with /etc/init.d/apparmor restart, I get this:

/etc/init.d/apparmor restart
* Reloading AppArmor profiles
Cache read/write disabled: /sys/kernel/security/apparmor/features interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning from /etc/apparmor.d/bin.ping (/etc/apparmor.d/bin.ping line 28): profile /bin/ping network rules not enforced



Should I patch the kernel with the AppArmor 2.4 compatibility patch? The problem is that it seems to be for an old version of the kernel.

Also, was it potentially harmful to the current system if I temporarily switched to a deprecated kernel?

Thanks a lot
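
Added example (not part of the thread and not AppArmor's own code): a shell check that tells apart the states this thread runs into, namely securityfs not mounted, securityfs mounted without an AppArmor interface, and the interface present but lacking the features file named in the restart message. It assumes the kernel interface is the apparmor directory under the securityfs mount point, as the path in that message suggests; the function names, state labels and sample mounts lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the AppArmor kernel interface state.

# Print the mount point of the first securityfs entry in a mounts file.
# /proc/mounts fields: device mountpoint fstype options dump pass
securityfs_mountpoint() {
    awk '$3 == "securityfs" { print $2; exit }' "$1"
}

# apparmor_state MOUNTS_FILE [ROOT_PREFIX]
# ROOT_PREFIX is prepended to the mount point so the check can be run
# against a test tree; leave it empty on a live system.
apparmor_state() {
    mounts=$1
    prefix=${2:-}
    mp=$(securityfs_mountpoint "$mounts")
    if [ -z "$mp" ]; then
        echo "securityfs-not-mounted"
    elif [ ! -d "$prefix$mp/apparmor" ]; then
        # securityfs is there, but the kernel exposes no AppArmor
        # interface (not built in, or not enabled at boot).
        echo "apparmor-interface-missing"
    elif [ ! -e "$prefix$mp/apparmor/features" ]; then
        # Matches the "features interface file missing" message.
        echo "features-file-missing"
    else
        echo "ok"
    fi
}

# Constructed sample input modelled on the /proc/mounts listing above.
SAMPLE_MOUNTS='none /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
none /sys/kernel/security securityfs rw,relatime 0 0'

demo_root=$(mktemp -d)
printf '%s\n' "$SAMPLE_MOUNTS" > "$demo_root/mounts"
mkdir -p "$demo_root/sys/kernel/security"
echo "securityfs only:       $(apparmor_state "$demo_root/mounts" "$demo_root")"
mkdir "$demo_root/sys/kernel/security/apparmor"
echo "apparmor dir, no file: $(apparmor_state "$demo_root/mounts" "$demo_root")"
: > "$demo_root/sys/kernel/security/apparmor/features"
echo "features present:      $(apparmor_state "$demo_root/mounts" "$demo_root")"
rm -rf "$demo_root"
```

On a live system, call `apparmor_state /proc/mounts` with no prefix.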
 
  


All times are GMT -5.