Hello,

I am running Ubuntu 12.04 (kernel 3.2-x86_64) and have installed apparmor-profiles and apparmor-utils and apparmor is already installed.

When I try aa-enforce /etc/apparmor.d/*, it throws that error:

Setting /etc/apparmor.d/bin.ping to enforce mode.
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.

Also when I try /etc/init.d/apparmor start, nothing happens.
When I try apparmor_status, it says that apparmor is not loaded

I have searched on other forums but nothing looks clear on how to solve that problem.

Thanks for your help

aa-enforce should be followed by a program name such as /bin/ping (not by the names of aa config files).

Hi, thanks for your help.
I tried aa-enforce /bin/ping but it resulted in the exact same message:


Setting /bin/ping to enforce mode.
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.

Does anyone have a suggestion?
Thanks a lot

In SELinux, which is a similar Mandatory Access Control system, the file system provides support for extended permission fields that are used by SELinux, such as the role and user. I wasn't aware the Apparmor used any sort of functionality like this, but the error message seems to indicate that it does. If you haven't read it, here is a link to a comprehensive introduction to Apparmor that may get delve into this aspect of its functionality.

Thanks for your link. I had read it before and it was very useful and clear.

When I open proc/mounts, i get this:

rootfs / rootfs rw 0 0
/dev/root / ext4 rw,relatime,barrier=1,data=ordered 0 0
devtmpfs /dev devtmpfs rw,size=253536k,nr_inodes=63384,mode=755 0 0
none /proc proc rw,nosuid,nodev,noexec,relatime 0 0
none /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
none /sys/kernel/debug debugfs rw,relatime 0 0
none /sys/kernel/security securityfs rw,relatime 0 0
devpts /dev/pts devpts rw,relatime,mode=600,ptmxmode=000 0 0
none /run tmpfs rw,nosuid,noexec,relatime,size=50740k,mode=755 0 0
none /run/lock tmpfs rw,nosuid,nodev,noexec,relatime,size=5120k 0 0
none /run/shm tmpfs rw,nosuid,nodev,relatime 0 0


Is there one of them that I should mount to get Apparmor to work?

Actually, I happened to partially solve the problem by mistake.

My server is a ubuntu Cloud server with kernel 3.2-x86_64. In my cloud control panel, I tried to switch to the deprecated 2.6.36-x86_64
and apparmor partially worked. It was able to be loaded.

Then I switched again to kernel 3.2 and this time, Apparmor partially worked too.

When I try to restart apparmor with /etc/init.d/apparmor restart, I get this:

/etc/init.d/apparmor restart
* Reloading AppArmor profiles
Cache read/write disabled: /sys/kernel/security/apparmor/features interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning from /etc/apparmor.d/bin.ping (/etc/apparmor.d/bin.ping line 28): profile /bin/ping network rules not enforced


Should I patch the kernel with AppArmor 2.4 compatibility patch? The problem is it seems to be for an old version of kernel..

Also, was it potential harmful to the current system if I temporarily switched to a deprecated kernel?

Thanks a lot