Apparmor / Firejail error during upgrade

support-setup-and-config
#1

Briefly describe your issue below:
Below is the error during a synaptic reload, mark all upgrades, and apply:

Installing new version of config file /etc/apparmor.d/abstractions/kde ...
Installing new version of config file /etc/apparmor.d/abstractions/vulkan ...
Installing new version of config file /etc/apparmor.d/tunables/share ...
Reloading AppArmor profiles
AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/firejail-default at line **165: Could not open 'local/firejail-local'**
Skipping profile in /etc/apparmor.d/disable: usr.bin.thunderbird
**AppArmor parser error for /etc/apparmor.d/firejail-default in /etc/apparmor.d/firejail-default at line 165: Could not open 'local/firejail-local'**
Skipping profile in /etc/apparmor.d/disable: usr.bin.thunderbird
Error: At least one profile failed to load

To me this appears to be only directed towards Thunderbird. But what worries me is that there is no ‘firejail-local’ anywhere:

Here is Line 165 they are talking about:

I don’t know if the ‘firejail-local’ never got created because of the #, or If it is another problem. Any Ideas would be appreciated.

What version of Parrot are you running? (Parrot 4.5.1,)(4.19.0-parrot1-20t-amd64)(Desktop)(AMD64)

What method did you use to install Parrot? (Debian GTK)

Configured to multiboot with other systems? (no)

If there are any similar issues or solutions, link to them below:

If there are any error messages or relevant logs, post them below:

2 Likes
(Kisama) #2

same problem

(Izhaq) #4

I think, this is some kind of “bug” in parrot os that is not well studied. I am also having the same problem since my last upgrade. In my case it shows almost the identical error message, and additionally, a message of not single apparmor profile is loaded. Apparmor service keeps failing to be activated everytime when system is initialized, or checked thereafter by “systemctl status armor.service” and “journalctl _PID=(number)” to specifically follow the error message that journalctl shows and in attempt to fix the problem of failure of apparmor service. I hope parrot os staff is already paying attention to this probem as I think it is a serious problem.

(dmknght) #5

This error msg showed for me as well. It is firejail syntax problem (our we are missing files).

1 Like
(Izhaq) #6

mmm, if this is a firejail problem, then it is a persistent problem I guess. Because I had also a problem with a firejail after upgrade a long time ago. I could not launch libreoffice in no way until I found out that “apparmor” was “commented (to be ignored)” in one of the configuration files related with libreoffice profile (I cannot remember which file it was). Now we have this problem after the upgrade. If it is related with firejail syntax then could someone who is more sophisticated than me show what exactly is wrong with the firejail syntax, in its special relation with apparmor in parrot os, which keeps raising errors after upgrades sometimes.

#7

thanks we are looking into it.

2 Likes
(TheHashasin) #8

Exactly same issues broken from new ISO release,reverting back to old SS now as I have exhausted just about all I can think of and find on the Net. Issues with permissions have tried the suggestions no dice. Breaks a lot of services! Libreoffice will not launch,I had an issue with this in a prior build and it was sorted pretty fast.

(TheHashasin) #9

I had that very same Issue Izhaq,and I believe it is the type of error. They were on it very quickly.

(Izhaq) #10

Hello Hashashin, have you managed to fix it by yourself?

(TheHashasin) #11

Hello mate,
No not at all,I tried various suggestions IE edit checked path variable IE roots path should contain /usr/local/sbin blaaa blaaa my path is correct.
Tried to fix Apparmor,no dice. I have exactly the same issues as the above with Libreoffice Module not starting,same lines on startup as others in threads ie could not load apparmor profiles! Seems also an error in parsor for Firejail? Also error with atk-bridge,i have corrected. Just have to wait on a fix because there are quite a few with the same issues and different hardware.

Edit: Ran live version on stick latest Beta 4.6 Apparmor loads! Still an issue with Libre not starting? Cannot run live session Anonymous Tor Network,and ATK-bridge still an issue? ATK fixed and still Issue on Tor Network.

#12

It appears to me an issue with apparmor. I have it disabled on my laptop install while firejail is working fine.

If I enable apparmor, I am presented with the issues the 4.6rc4 ISO is having. This leads me to believe that the issue lies within apparmor.

1 Like
Error al actualizar repositorios
(Lorenzo "Palinuro" Faletra) #13

it seems to be a firejail bug (a bug in the way the firejail package was compiled and integrated into apparmor)

i am working on it but your help is appreciated

4 Likes
#15

You’re welcome. I’m not well versed in either apparmor nor firejail but I’ll try what I can to help.

1 Like
(TheHashasin) #16

Much appreciated palinuro Kudos :wink: Firejail fix worked and Apparmor now functions after update!
LibreOffice still broken… Shall try and manually fix.

#17

I reformatted and updated again today, had the same issue, but also noticed this. Sorry, thats all of the log I got copied, but it looks like dkpm removed firejail-local because of the comnented line on 165, just a guess. I’ll try it again tonight.

AppArmor parser error for /etc/apparmor.d/firejail-default in /etc/apparmor.d/firejail-default at line 165: Could not open 'local/firejail-local'
Removing obsolete conffile /etc/apparmor.d/local/firejail-local ...```
(rigamaroo) #18

I encountered this same problem when updating an otherwise fresh install of Parrot. The symptom was that launching LibreOffice would cause the system to hang indefinitely. I managed to solve the issue and restore LibreOffice functionality by editing line 165 of the following file:

“/etc/apparmor.d/firejail-default”

I placed a space between the “#” and the “include…” which solved the issue on my system. It seems like an apparmor parser bug to me. The parser seemed to be reading the line despite the comment token, which then prevented the apparmor service from starting due to the nonexistence of “local/firejail-local”.

4 Likes
#19

That was a great find. I had the LibreOffice problem also, hard shut down was the only way out. Best install, and best working system I’ve had since the last part of 4.4.
Edit: Although upon further examination, firejail-local was removed again?

Setting up libjsr305-java (0.1~+svn49-11) ...
Setting up firejail (0.9.58.2-1parrot4) ...
 
Configuration file '/etc/apparmor.d/firejail-default'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
   N or O  : keep your currently-installed version
     D     : show the differences between the versions
     Z     : start a shell to examine the situation
The default action is to keep your current version.
*** firejail-default (Y/I/N/O/D/Z) [default=N] ? n
Installing new version of config file /etc/firejail/default.profile ...
Installing new version of config file /etc/firejail/disable-common.inc ...
Installing new version of config file /etc/firejail/disable-devel.inc ...
Installing new version of config file /etc/firejail/disable-interpreters.inc ...
Installing new version of config file /etc/firejail/disable-passwdmgr.inc ...
Installing new version of config file /etc/firejail/disable-programs.inc ...
Installing new version of config file /etc/firejail/disable-xdg.inc ...
Installing new version of config file /etc/firejail/firefox-common-addons.inc ...
Installing new version of config file /etc/firejail/firejail.config ...
Installing new version of config file /etc/firejail/server.profile ...
Installing new version of config file /etc/firejail/whitelist-common.inc ...
Installing new version of config file /etc/firejail/whitelist-var-common.inc ...
Removing obsolete conffile /etc/apparmor.d/local/firejail-local ...
Setting up libip4tc0:amd64 (1.8.2-4) ...
Setting up whois (5.4.2) ...
Setting up rhythmbox-data (3.4.3-2) ...
1 Like
#20

One more thing, then I’ll leave it alone. I noticed that in several other Apparmor and firejail files, there are several other instances of the # having no space between itself and the next word. If this caused a problem once, perhaps again?

/etc/Apparmor/parser.conf
/etc/apparmor.d/firejail-default
/etc/apparmor.d/firejail-default.dpkg-dist

(Lorenzo "Palinuro" Faletra) #21

not putting a space after the comment character does not represent an issue for the profile, and the line is being ignored anyways

even if it is not a consistent rule, we try to mark our own commented rules by keeping them without the space to distinguish them from those rules commented by default in the upstream profiles.

we may find better ways to mark this difference in the future, but the missing space was just a quick way to distinguish things for me since i was the only firejail maintainer for more than one year before people acquired interest on it and started lurking under the hood

1 Like
(Pedro) #22

I’ve been having the same problem with Libreoffice and from what I could find out there it seems to be something wrong with firejail. A guy running Fedora posted that after debugging and checking the source, firejail seemed to be “rejecting whitelisting paths like /usr/lib{,32,64}.” So he was told to strace and see if the paths were covered by the /etc/firejail/whitelist-var-common.inc .

Apparently, he got somewhere with it, but I lack the knowlege to try myslef. I hope this can help in anyway.

2 Likes