Dev1 Galaxy Forum / How disable apparmor?

Re: How disable apparmor?

dummy@example.com (humpty) — Sat, 11 Mar 2023 18:00:01 +0000

Altoid wrote:

---> Very strange all this did not show up on my previous query to aptitude. <---
A.

Yeh, I noticed that too, aptitude 'why' seems to only show the first one it finds.
This one is more useful;

apt-cache --installed rdepends dbus

and since a boat load of stuff depends on that list,
aptitude purge libapparmor1 (n) (don't press enter)
suggests about 100 others to remove.

Re: How disable apparmor?

dummy@example.com (Altoid) — Fri, 10 Mar 2023 20:53:02 +0000

Hello:

humpty wrote:

Altoid wrote:
..
But then you upgrade the kernel and there it is again.
What I always do is purge apparmor after the upgrade..
A.
What about holding the package; sudo apt-mark hold apparmor
or even pinning it ?
Would the upgrade still go through ?

Hmm ...
No idea.
Have not tried it but I don't see (?) why it shouldn't.

Yes, I guess I could pin it.
ie: the same way I do with pulseaudio and see what happens on the next upgrade.

Bear in mind that there are other apparmor related libraries which are/may be needed by other packages.

eg: libapparmor1

~$ aptitude why libapparmor1
i   stress-ng Depends libapparmor1 (>= 2.10)
~$

Edit:

It seems that there's more than stress-ng involved with libapparmor1.

~$ aptitude why libapparmor1
i   slim Depends dbus                    
i A dbus Depends libapparmor1 (>= 2.8.94)
~$

---> Very strange all this did not show up on my previous query to aptitude. <---

I have not used stress-ng in years, so I might as well get rid of it. and solve the issue.

We'll see how the pinning goes.

Best,

Re: How disable apparmor?

dummy@example.com (humpty) — Fri, 10 Mar 2023 20:08:49 +0000

Altoid wrote:

..
But then you upgrade the kernel and there it is again.
..What I always do is purge apparmor after the upgrade..
A.

What about holding the package; sudo apt-mark hold apparmor

or even pinning it ?

Would the upgrade still go through ?

Re: How disable apparmor?

dummy@example.com (GlennW) — Thu, 03 Nov 2022 05:58:36 +0000

So if i use security=none it should only be for SELinux, Smack, Tomoyo, and AppArmor ?

I think they are all kernel "security" modules. That way you can leave out the apparmor=on/off command from the boot line.

I don't know if there are any others.

Re: How disable apparmor?

dummy@example.com (andyp67) — Thu, 03 Nov 2022 02:33:31 +0000

Xwrapper.config running X as user

Re: How disable apparmor?

dummy@example.com (Head_on_a_Stick) — Thu, 03 Nov 2022 01:01:14 +0000

I think elogind is better than running X under root.

Doesn't seatd work in chimeara? I can get a Wayland session under Alpine with just that running. EDIT: with sway anyway.

Re: How disable apparmor?

dummy@example.com (andyp67) — Thu, 03 Nov 2022 00:50:11 +0000

I think this is the defacto or only way to do this;
I just done the above and could not startx from user, I forgot,
install xserver-xorg-legacy (provides suid root wrapper;)
then edit
/etc/X11/Xwrapper.config
allowed_users=anybody
needs_root_rights=yes

Re: How disable apparmor?

dummy@example.com (andyp67) — Thu, 03 Nov 2022 00:18:55 +0000

One more thing,
I don't have apparmor on my box and it ain't broke at all whatsoever.
I also dpkg --force-all -P elogind libelogind0 libpam-elogind libpolkit-agent-1-0 libpolkit-gobject-1-0 libpolkit-gobject-elogind-1-0 policykit-1 policykit-1-gnome
and then I apt-get download or dpkg -i libsystemd0
and it ain't broke at all whatsoever.
Did it today, Chimaera clean install, updates, security & updates & main, & kernel.
Previously I have played around with a live that I have made with refractasnapshot-base.
So I made a minimal console live, then on that live I put xserver-xorg-core etc which pulls in elogind etc. which I have purged and put libsystemd0 and checked apt-get and no problems at all.
I then put full-fat browser on which pulled in elogind again and I purged it again and browser quite fine.
I'm not saying what I do is correct but if supremely strict apt-get doesn't reply with a headache that's good.
Thank you.
I think apparmor and elogind are in the same barrel.

Re: How disable apparmor?

dummy@example.com (andyp67) — Wed, 02 Nov 2022 23:55:29 +0000

purge uninstall it
dpkg -P apparmor
I go no complaints at all whatsoever.
And copied the apparmor deb off the install media to my /root, so I got it at hand.
I today installed Chimaera minimal and kept apparmor on it and did a refractasnapshot-base live and put xserver-xorg-core on that.
I may have installed libapparmor1 for something, been busy.
Try it.

Re: How disable apparmor?

dummy@example.com (ralph.ronnquist) — Wed, 02 Nov 2022 21:53:54 +0000

I have "security=none" and

stuga% cat /sys/kernel/security/lsm ; echo
lockdown,capability,yama

i.e., "yama" belongs to the unavoidable default collection of Linux Security Modules
https://kernsec.org/wiki/index.php/Projects

Re: How disable apparmor?

dummy@example.com (Evenson) — Wed, 02 Nov 2022 15:20:59 +0000

GlennW wrote:

Evenson wrote:
Is it really needed to have boot command security=none ?
... was not aware of this extra step.
the security module could be apparmor, selinux, ...
ref. https://www.kernel.org/doc/html/latest/admin-guide/LSM/index.html
"Examples include SELinux, Smack, Tomoyo, and AppArmor."
so, security= , requires none.

Thanks, i read up on this today from the link you posted. Ive no need for any of these except yama via sysctl.
kernel.yama.ptrace_scope=2
So if i use security=none it should only be for SELinux, Smack, Tomoyo, and AppArmor ?

Re: How disable apparmor?

dummy@example.com (GlennW) — Tue, 01 Nov 2022 23:58:10 +0000

Evenson wrote:
Is it really needed to have boot command security=none ?
... was not aware of this extra step.

the security module could be apparmor, selinux, ...

ref. https://www.kernel.org/doc/html/latest/admin-guide/LSM/index.html

"Examples include SELinux, Smack, Tomoyo, and AppArmor."

so, security= , requires none.

Re: How disable apparmor?

dummy@example.com (Altoid) — Tue, 01 Nov 2022 16:13:38 +0000

Hello:

Evenson wrote:

Is it really needed to have boot command security=none ?
... was not aware of this extra step.

You would be if you had taken the time to read the whole thread. 8^D

Altoid wrote:

Check if you have some other stuff called tomoyo, another gift from the Debian devs.
You have to add security=none to the kernel command line to avoid that one.

Best,

Re: How disable apparmor?

dummy@example.com (Evenson) — Tue, 01 Nov 2022 13:55:59 +0000

ralph.ronnquist wrote:

In any case, I'd agree that apt-get purge apparmor is best here, and that it also seems to need a security=none setting (or similar) on the boot command line to make the kernel bypass apparmor kernel code.

Is it really needed to have boot command security=none ?
Ive purged apparmor, was not aware of this extra step.

Re: How disable apparmor?

dummy@example.com (ralph.ronnquist) — Tue, 01 Nov 2022 06:56:29 +0000

Hah! I'm clearly full of wrong! Not only that, but there is also the possible overrides of insserv that can be used an misused in all sorts of ways.