[apparmor] 2.5.1 build failure on Arch

John Johansen john.johansen at canonical.com
Tue Oct 19 18:31:52 BST 2010

On 10/19/2010 09:50 AM, andrew thomas wrote:
>  On 10/18/2010 11:49 AM, John Johansen wrote:
>> On 10/15/2010 09:48 PM, andrew thomas wrote:
>>> I am trying to build 2.5.1 on Arch Linux and am getting an error similar to this build:
>>> http://launchpadlibrarian.net/57686487/buildlog_ubuntu-natty-amd64.apparmor_2.5.1-0ubuntu1_FAILEDTOBUILD.txt.gz
>>> It gets through autogen, configure, and make in libapparmor.
>>> Then make in utils, but fails make in parser.
>>> Here is the tail end from
>>> $ cd parser && /usr/bin/make
>>> http://pastebin.ubuntu.com/514290/
>>> The error message does state that: Kernel needs AppArmor 2.4 compatibility patch.
>>> But, I believe that I applied the proper patches to the kernel.
>>> Any ideas?
>> Hey Andrew it actually built but is failing during the caching function tests.  These are run against the current kernel, and it isn't finding the AppArmor 2.4 interface.
>> You can test for yourself by looking for the file /sys/kernel/security/apparmor/profiles; if it doesn't exist, you don't have the AppArmor 2.4 compatibility patch on your kernel.
>> The patch isn't actually necessary, but several things will not work if it is not present.  The parser won't do compiled policy caching, the init scripts won't work, and aa-status and a few other commands won't work either.
>> Basically anything that requires introspection of the loaded policy or supported kernel features doesn't work correctly.  Everything else should.
>> If you are building 2.5.1 on a buildd with a kernel that doesn't support the AppArmor 2.4 interface, then I suggest you disable the test in the Makefile with a small patch.
> I did look in /sys/kernel/security and it is empty.
This says to me that the LSM is probably not configured correctly.

> When I compiled the kernel, I applied these two patches ( http://pastebin.ubuntu.com/515768/ & http://pastebin.ubuntu.com/515769/ ) that originally were ubuntu-maverick.git-0d8f737f1c8ad8415b3d5589caf63dee3c1b3d6f.patch & ubuntu-maverick.git-8cb3e0f8ad669be1e2027cbafb58fa7cd1928f76.patch which I modified so they also created security/apparmor/include/net.h & security/apparmor/net.c and would apply cleanly. When I use this on natty to compile the kernel, apparmor (2.5.1~rc1) works as expected, but when I compile on ArchLinux, using the natty-git source, /sys/kernel/security is empty.  Any clues to what I am doing wrong? Trying to get apparmor to work on arch may be beyond my abilities, I am sorry if I am wasting your time.
What config options do you have set under security?  These will affect whether AppArmor is compiled and whether it is the default LSM.  Since there can only be a single LSM active at a time, another LSM can block apparmor.

Specifically, you need

In make menuconfig this will look like
y AppArmor

You probably want to set

In menuconfig it is "AppArmor boot parameter default value"

This tells the apparmor module to register itself by default at boot; if it is 0, you must specify apparmor=1 on the kernel command line for apparmor to take effect, even if apparmor is set as the default security module.

The other config options that can affect apparmor are
SECURITY=y        menuconfig "y Enable different security models"
SECURITYFS=y      menuconfig "y Enable the securityfs filesystem"
SECURITY_NETWORK=y menuconfig "y Socket and Networking Security Hooks"
SECURITY_PATH=y   menuconfig "y Security hooks for pathname based access control"

DEFAULT_SECURITY=apparmor  menuconfig "Default security module"
This one is not required and can be overridden on the kernel command line,
so if apparmor is not the default lsm you would use


If this doesn't work, can you attach your config and point me at a tree so
I can build and test the kernel, and figure out what is wrong?
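A quick way to run the checks John describes above, as an added example that is not part of this thread: a POSIX shell script that scans a kernel .config for the listed options and inspects securityfs for the AppArmor 2.4 profiles interface. The names CONFIG_SECURITY_APPARMOR and CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE are assumed from the kernel's Kconfig rather than taken from the thread, and the sample config fragment is constructed.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Assumed Kconfig names not in the
# thread: CONFIG_SECURITY_APPARMOR, CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE.
# check_apparmor_config <.config>: print each problem, return 1 if any.
check_apparmor_config() {
    cfg="$1"; rc=0
    for opt in CONFIG_SECURITY CONFIG_SECURITYFS CONFIG_SECURITY_NETWORK \
               CONFIG_SECURITY_PATH CONFIG_SECURITY_APPARMOR; do
        grep -q "^${opt}=y\$" "$cfg" || { echo "missing: ${opt}=y"; rc=1; }
    done
    # Boot-parameter default 0 means apparmor=1 is needed on the command line.
    grep -q '^CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1$' "$cfg" ||
        { echo "missing: CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1 (or boot with apparmor=1)"; rc=1; }
    # Only one LSM is active: another default LSM blocks AppArmor unless security=apparmor is passed.
    grep -q '^CONFIG_DEFAULT_SECURITY="apparmor"$' "$cfg" ||
        echo "note: AppArmor is not the default LSM; boot with security=apparmor"
    return $rc
}
# check_apparmor_interface [securityfs dir]: return 0 if the 2.4 profiles file
# exists; otherwise report which failure mode from the thread applies.
check_apparmor_interface() {
    dir="${1:-/sys/kernel/security}"
    if [ -e "$dir/apparmor/profiles" ]; then
        echo "AppArmor 2.4 interface present: $dir/apparmor/profiles"; return 0
    fi
    if [ -d "$dir" ] && [ -z "$(ls -A "$dir")" ]; then
        echo "$dir is empty: no LSM registered on securityfs (check the config)"
    else
        echo "$dir/apparmor/profiles missing: no AppArmor 2.4 compatibility interface"
    fi
    return 1
}
# write_sample_config <path>: constructed fragment reproducing the empty
# securityfs case (AppArmor built in, but another LSM is the default).
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_PATH is not set
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0
CONFIG_DEFAULT_SECURITY="selinux"
EOF
}
if [ "$#" -gt 0 ]; then check_apparmor_config "$1"; check_apparmor_interface; fi
```

Run it as `sh check.sh /usr/src/linux/.config` on the build box; with no argument it only defines the functions.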

