Bug 129675

Summary: Apparmor cannot start due to module subdomain.ko or related stuff
Product: [openSUSE] SUSE LINUX 10.0
Reporter: Henk Weebers <h.weebers>
Component: AppArmor
Assignee: Tony Jones <tonyj>
Status: RESOLVED FIXED
QA Contact: Keiran Haggerty <khaggerty>
Severity: Normal
Priority: P5 - None
Version: Final
Target Milestone: ---
Hardware: 32bit
OS: SuSE Linux 10.0
Whiteboard:
Found By: Customer
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: output from one of my boxes
dmesg after command 'rcsubdomain start'

Description Henk Weebers 2005-10-20 10:55:35 UTC
AppArmor cannot start. All necessary RPMs are installed. subdomain is in
place but cannot be loaded.
 
groot:~ # rcsubdomain start  
FATAL: Error inserting subdomain  
(/lib/modules/2.6.13-15-default/kernel/security/subdomain/subdomain.ko):  
Resource temporarily unavailable  
Loading SubDomain module                                             failed  
- could not start SubDomain                                          failed  
groot:~ #

Comment 1 Dominic W Reynolds 2005-10-20 16:20:55 UTC
Is this a clean installation of 10.0 - as opposed to an upgrade? Can you please report whether the capability module is loaded?

Comment 2 Henk Weebers 2005-10-24 20:01:21 UTC
This is an upgrade. Capability module is loaded. Still AppArmor cannot be started.

Comment 3 Dominic W Reynolds 2005-10-24 20:12:12 UTC
This can be worked around by ensuring that the capability module is not loaded at boot time.

Edit the file: /etc/sysconfig/kernel 

Ensure that the configuration entry:
   MODULES_LOADED_ON_BOOT=""
does _not_ contain an entry for the capability module.

If it does, remove the text (leaving the parameter blank if nothing else is there) and then save the file. During the next boot process this module will not be loaded.

To fix this for the currently running system run the following as root:

rmmod capability
rcsubdomain restart

Comment 4 Henk Weebers 2005-10-24 20:42:38 UTC
I executed your proposals. But still:

centraal:~ # cd /etc/sysconfig/
centraal:/etc/sysconfig # mcedit kernel

centraal:/etc/sysconfig # rmmod capability
centraal:/etc/sysconfig # rcsubdomain restart
FATAL: Error inserting subdomain (/lib/modules/2.6.13-15-default/kernel/security/subdomain/subdomain.ko): Resource temporarily unavailable
Loading SubDomain module                                             failed
- could not start SubDomain                                          failed
centraal:/etc/sysconfig #

Comment 5 Dominic W Reynolds 2005-10-26 14:38:02 UTC
Can you perform the following and attach the output?

Thanks for your help.

1) cat /proc/cmdline
2) uname -a
3) lsmod output before AND after running rmmod capability
4) dmesg

Comment 6 Henk Weebers 2005-10-26 17:39:44 UTC
Created attachment 55601 [details]
output from one of my boxes

Comment 7 Dominic W Reynolds 2005-10-26 18:12:41 UTC
Sorry I missed a step. 
I need the dmesg output from after you run "rcsubdomain start".

So:
  rcsubdomain start
  dmesg > dmesg.txt


Sorry about that. Thanks again for the help.

Comment 8 Henk Weebers 2005-10-26 18:45:44 UTC
Created attachment 55612 [details]
dmesg after command 'rcsubdomain start'

Comment 9 Tony Jones 2005-10-31 21:45:55 UTC
Hi Henk.

Thanks for providing us your dmesg, but the kernel messages are obviously not present.  All I can think is that the IDE errors are occurring with such frequency as to flush them.

I'm assuming 'modprobe subdomain' (with MODULES_LOADED_ON_BOOT="") fails also.   Can you confirm?   Also, if it fails, what happens if you try 'modprobe capability'?

I realise this is frustrating but it is unclear at this point why the module is not loading for you.   I don't see any other LSM modules loaded in your lsmod samples which is what normally causes the message you provided.

This is an unmodified SuSE kernel, correct?

As an example,  the following is what I see on my SL10 system with MODULES_LOADED_ON_BOOT="".

sles10smp: # uname -a
Linux ermintrude 2.6.13-15-smp #1 SMP Tue Sep 13 14:56:15 UTC 2005 i686 i6  
sles10smp: # modprobe subdomain
sles10smp: # rmmod subdomain
sles10smp: # modprobe capability
sles10smp: # modprobe subdomain
FATAL: Error inserting subdomain (/lib/modules/2.6.13-15-smp/kernel/security/subdomain/subdomain.ko): Resource temporarily unavailable
sles10smp: # dmesg | tail -4
SubDomain: SubDomain (version 1.2-13.42r5011imnx_suse) initialized
SubDomain: SubDomain protection removed
Capability LSM initialized
SubDomain: Unable to load SubDomain


If you cannot get clean logging from dmesg, you may want to try adding a line like this to syslog.conf (or the equiv if you are using syslogng)

kern.*  -/var/log/kern

and then restart syslogd (/etc/init.d/syslog restart)


Thanks for your patience and cooperation.

Comment 10 Henk Weebers 2005-11-01 07:43:05 UTC
Hello Tony,
I think I found the bug myself. I still had the service avguard loaded and started. In SuSE 9.3 and before, dazuko had to be loaded before capability. So MODULES_LOADED_ON_BOOT="dazuko capability".
Your colleague asked me to remove capability from that list, or at least, that is what I understood. You asked me for MODULES_LOADED_ON_BOOT="". So I emptied it.
Now I discovered that dazuko should be removed too.

Now module subdomain will be loaded as it should do!!
Bye bye to antivir!

Thanks

Comment 11 Seth R Arnold 2005-11-02 17:46:51 UTC
Putting all the keywords in one comment field to assist bugzilla searches: dazuko apparmor immunix subdomain antivir MODULES_LOADED_ON_BOOT
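
Added example, not part of the original bug report or of AppArmor's own tooling: a small shell check for the two modules this thread found to block subdomain.ko (capability and dazuko), both in the MODULES_LOADED_ON_BOOT entry and in lsmod output. The function names and the sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Modules this bug thread identified as keeping subdomain.ko from loading.
CONFLICTING="capability dazuko"

# Print each conflicting module named in MODULES_LOADED_ON_BOOT of file $1.
boot_conflicts() {
    # Last uncommented assignment wins; strip the key and surrounding quotes.
    list=$(sed -n 's/^[[:space:]]*MODULES_LOADED_ON_BOOT=//p' "$1" |
           tail -n 1 | tr -d "\"'")
    for m in $list; do
        for c in $CONFLICTING; do
            if [ "$m" = "$c" ]; then echo "$m"; fi
        done
    done
}

# Read lsmod-format text on stdin; print conflicting modules that are loaded.
loaded_conflicts() {
    awk -v want="$CONFLICTING" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
        NR > 1 && ($1 in bad) { print $1 }'
}

# Constructed sample inputs (not taken from the reporter's attachments).
SAMPLE_CONFIG='## Path: System/Kernel
MODULES_LOADED_ON_BOOT="dazuko capability"'
SAMPLE_LSMOD='Module                  Size  Used by
dazuko                 50000  1
ipv6                  240000  12
capability              5000  0'

demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_CONFIG" > "$tmp"
    echo "listed for boot: $(boot_conflicts "$tmp" | tr '\n' ' ')"
    echo "loaded now:      $(printf '%s\n' "$SAMPLE_LSMOD" | loaded_conflicts | tr '\n' ' ')"
    rm -f "$tmp"
}
demo
```

On a live system the same functions would be run as `boot_conflicts /etc/sysconfig/kernel` and `lsmod | loaded_conflicts`.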