"Expanded Security Maintenance for Applications" shown every time I log on!

Bo Berglund bo.berglund at gmail.com
Sun Mar 12 22:26:28 UTC 2023


On Sun, 12 Mar 2023 14:11:03 -0500, Keith <keithw at caramail.com> wrote:

>What does the following show?
>
>$ ls -l /etc/apparmor.d/tunables

ls -l /etc/apparmor.d/tunables
total 56
-rw-r--r-- 1 root root  624 sep 27  2018 alias
-rw-r--r-- 1 root root  376 sep 27  2018 apparmorfs
-rw-r--r-- 1 root root  804 sep 27  2018 dovecot
-rw-r--r-- 1 root root  720 maj 19  2020 global
-rw-r--r-- 1 root root  983 sep 27  2018 home
drwxr-xr-x 2 root root 4096 feb 21  2021 home.d
-rw-r--r-- 1 root root 1391 maj 19  2020 kernelvars
-rw-r--r-- 1 root root  631 sep 27  2018 multiarch
drwxr-xr-x 2 root root 4096 feb 21  2021 multiarch.d
-rw-r--r-- 1 root root  405 maj 19  2020 securityfs
-rw-r--r-- 1 root root  819 maj 19  2020 share
-rw-r--r-- 1 root root  378 maj 19  2020 sys.dpkg-dist
-rw-r--r-- 1 root root  868 sep 27  2018 xdg-user-dirs
drwxr-xr-x 2 root root 4096 feb  3  2020 xdg-user-dirs.d


>Do you have a /etc/apparmor.d/tunables/proc file and is it readable? 

No, does not exist...

>It's just an ASCII text file and like all the other files in that 
>directory should have 644 perms. If that file is not there or is 
>corrupted then you should reinstall the apparmor package.
>
>$ sudo apt install --reinstall apparmor

....
Fetched 494 kB in 0s (5 041 kB/s)
Preconfiguring packages ...
(Reading database ... 295205 files and directories currently installed.)
Preparing to unpack .../apparmor_2.13.3-7ubuntu5.1_amd64.deb ...
Unpacking apparmor (2.13.3-7ubuntu5.1) over (2.13.3-7ubuntu5.1) ...
Setting up apparmor (2.13.3-7ubuntu5.1) ...
AppArmor parser error for /etc/apparmor.d/lsb_release in
/etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
AppArmor parser error for /etc/apparmor.d/nvidia_modprobe in
/etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'

Note: The dir listing above does not change...
No proc file anywhere here.

>After that, I would disable the livepatch service, then remove the 
>livepatch snap.
>
>$ sudo snap remove --purge canonical-livepatch

$ sudo snap remove --purge canonical-livepatch
snap "canonical-livepatch" is not installed

>
>If the snap removes cleanly, then try re-enabling the livepatch service 
>with the pro command and it should download and install the snap again, 
>hopefully this time without the apparmor errors.

$ sudo pro enable livepatch
One moment, checking your subscription first
Installing canonical-livepatch snap
Stderr: error: cannot perform the following tasks:
- Setup snap "canonical-livepatch" (164) security profiles (cannot setup
profiles for snap "canonical-livepatch": cannot load apparmor profiles: exit
status 1
apparmor_parser output:
AppArmor parser error for
/var/lib/snapd/apparmor/profiles/snap-update-ns.canonical-livepatch in
/etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
AppArmor parser error for
/var/lib/snapd/apparmor/profiles/snap.canonical-livepatch.canonical-livepatch in
/etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
AppArmor parser error for
/var/lib/snapd/apparmor/profiles/snap.canonical-livepatch.canonical-livepatchd
in /etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
AppArmor parser error for
/var/lib/snapd/apparmor/profiles/snap.canonical-livepatch.hook.configure in
/etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
AppArmor parser error for
/var/lib/snapd/apparmor/profiles/snap.canonical-livepatch.hook.connect-plug-etc-update-motd-d
in /etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
AppArmor parser error for
/var/lib/snapd/apparmor/profiles/snap.canonical-livepatch.hook.remove in
/etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
AppArmor parser error for
/var/lib/snapd/apparmor/profiles/snap.canonical-livepatch.hook.disconnect-plug-etc-update-motd-d
in /etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
)


Stderr: error: cannot perform the following tasks:
- Setup snap "canonical-livepatch" (164) security profiles (cannot setup
profiles for snap "canonical-livepatch": cannot load apparmor profiles: exit
status 1
apparmor_parser output:
AppArmor parser error for
/var/lib/snapd/apparmor/profiles/snap-update-ns.canonical-livepatch in
/etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
AppArmor parser error for
/var/lib/snapd/apparmor/profiles/snap.canonical-livepatch.canonical-livepatch in
/etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
AppArmor parser error for
/var/lib/snapd/apparmor/profiles/snap.canonical-livepatch.canonical-livepatchd
in /etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
AppArmor parser error for
/var/lib/snapd/apparmor/profiles/snap.canonical-livepatch.hook.configure in
/etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
AppArmor parser error for
/var/lib/snapd/apparmor/profiles/snap.canonical-livepatch.hook.disconnect-plug-etc-update-motd-d
in /etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
AppArmor parser error for
/var/lib/snapd/apparmor/profiles/snap.canonical-livepatch.hook.connect-plug-etc-update-motd-d
in /etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
AppArmor parser error for
/var/lib/snapd/apparmor/profiles/snap.canonical-livepatch.hook.remove in
/etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
)


Stderr: error: cannot perform the following tasks:
- Setup snap "canonical-livepatch" (164) security profiles (cannot setup
profiles for snap "canonical-livepatch": cannot load apparmor profiles: exit
status 1
apparmor_parser output:
AppArmor parser error for
/var/lib/snapd/apparmor/profiles/snap-update-ns.canonical-livepatch in
/etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
AppArmor parser error for
/var/lib/snapd/apparmor/profiles/snap.canonical-livepatch.canonical-livepatch in
/etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
AppArmor parser error for
/var/lib/snapd/apparmor/profiles/snap.canonical-livepatch.canonical-livepatchd
in /etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
AppArmor parser error for
/var/lib/snapd/apparmor/profiles/snap.canonical-livepatch.hook.configure in
/etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
AppArmor parser error for
/var/lib/snapd/apparmor/profiles/snap.canonical-livepatch.hook.disconnect-plug-etc-update-motd-d
in /etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
AppArmor parser error for
/var/lib/snapd/apparmor/profiles/snap.canonical-livepatch.hook.connect-plug-etc-update-motd-d
in /etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
AppArmor parser error for
/var/lib/snapd/apparmor/profiles/snap.canonical-livepatch.hook.remove in
/etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
)

Seems to repeat the last output above several times, then gives up.

>
>If the problem is fixed by reinstalling the apparmor package, then you 
>may want to check to see if there are any other missing files, file 
>corruption, or not fully installed packages on your systems.

But it is NOT fixed...
How do I check this?

>Apart from fsck which should be run at boot time to check the integrity 
>of the filesystem, the following commands will check the integrity of 
>the package database:
>
>$ sudo apt-get check (updates package cache and checks for broken 
>dependencies)

I thought apt-get was deprecated....
Still:

$ sudo apt-get check
Reading package lists... Done
Building dependency tree
Reading state information... Done


>$ sudo dpkg -C (checks database consistency and looks for packages that 
>may not be fully or correctly installed and suggests what to do to fix 
>the problem)

This does nothing, immediately returns...
>
>$ sudo dpkg -V (performs md5sum verification on files installed from 
>packages provided that any installed package comes with a file 
>containing the md5sums of its file contents to compare with.)

Skipped this

>You can also list individual packages to verify as the above command can 
>take awhile as it calculates md5sums on thousands of installed files.
>
>$ sudo dpkg -V apparmor (will quickly tell you if there are integrity 
>issues with the apparmor package files.)

$ sudo dpkg -V apparmor
??5?????? c /etc/apparmor.d/tunables/proc
??5?????? c /etc/apparmor.d/tunables/sys

>Note that -V currently only reports md5sum verification, not whether a 
>file has had its permissions changed from when it was first installed.

Still no joy...

Is livepatch or apparmor somehow depending on the desktop?
I am not using the standard Ubuntu desktop on this device, but it was set up a
while ago and I think it is MATE, how can I find out from a PuTTY or VNC
session?
(the system is in a box and not used interactively).


-- 
Bo Berglund
Developer in Sweden
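
An added example, not part of the original message: a small triage script that ties the "Could not open" parser errors quoted above to the files `dpkg -V apparmor` flags. The sample inputs are constructed from the output in the message, and the include base directory /etc/apparmor.d and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example: match AppArmor "Could not open" errors to conffiles dpkg -V flags.
APPARMOR_BASE=/etc/apparmor.d   # assumption: apparmor_parser's default include base

# Constructed samples: lines from the output quoted above, with wrapping removed.
PARSER_LOG="AppArmor parser error for /etc/apparmor.d/lsb_release in /etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
AppArmor parser error for /etc/apparmor.d/nvidia_modprobe in /etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'"
DPKG_V="??5?????? c /etc/apparmor.d/tunables/proc
??5?????? c /etc/apparmor.d/tunables/sys"

# stdin: parser errors -> unique absolute paths of includes that failed to open
missing_includes() {
    sed -n "s/.*Could not open '\([^']*\)'.*/\1/p" | sort -u |
    while IFS= read -r inc; do
        case $inc in
            /*) printf '%s\n' "$inc" ;;
            *)  printf '%s/%s\n' "$APPARMOR_BASE" "$inc" ;;
        esac
    done
}

# stdin: dpkg -V lines (9 check chars, attribute, path) -> conffiles ('c')
# whose md5 check failed ('5' in the third column)
failed_conffiles() {
    awk 'substr($0, 3, 1) == "5" && substr($0, 11, 1) == "c" { print substr($0, 13) }' | sort -u
}

# $1 parser log, $2 dpkg -V text -> failed includes that dpkg also flags
correlate() {
    flagged=$(printf '%s\n' "$2" | failed_conffiles)
    printf '%s\n' "$1" | missing_includes | while IFS= read -r p; do
        if printf '%s\n' "$flagged" | grep -Fxq -- "$p"; then printf '%s\n' "$p"; fi
    done
}

# $1 parser log, $2 dpkg -V text -> flagged conffiles no parser error has named
not_yet_reported() {
    hit=$(printf '%s\n' "$1" | missing_includes)
    printf '%s\n' "$2" | failed_conffiles | while IFS= read -r p; do
        if ! printf '%s\n' "$hit" | grep -Fxq -- "$p"; then printf '%s\n' "$p"; fi
    done
}

echo "root cause:   $(correlate "$PARSER_LOG" "$DPKG_V")"
echo "also flagged: $(not_yet_reported "$PARSER_LOG" "$DPKG_V")"
```

The `c` attribute marks both paths as conffiles. dpkg treats a deleted conffile as a local change and keeps it absent across a plain reinstall unless its `--force-confmiss` option is passed.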



