LeePen | fsmithred: Hi. I have got to the cause of #422. | 15:55 |
---|---|---|
LeePen | apparmor. After `sudo aa-teardown', libreoffice will start normally. | 15:55 |
LeePen | Can you fix it in /etc/apparmor.d/local? | 15:56 |
fsmithred | I can. When I tried that, it didn't work. | 15:57 |
fsmithred | I'll try it again. | 15:58 |
LeePen | There is a typo in /etc/apparmor.d/usr.lib.libreoffice.program.oospash | 16:12 |
LeePen | It has oopslash rather than oosplash. | 16:13 |
mason | An appropriate typo, all told. | 16:14 |
LeePen | I wouldn't disagree! | 16:18 |
LeePen | Not sure it is the cause though, I think it is just a label. | 16:20 |
LeePen | But I know nothing about apparmor, except for rrq and I have spent 6 hours chasing a non-existent segfault! | 16:21 |
mason | LeePen: I've got a friend who was involved with AppArmor's initial design, and I'd be happy to float him questions if that'd be useful from time to time. | 16:27 |
fsmithred | LeePen, those files are empty | 16:27 |
mason | Oh, it's on the live ISO... Hrm. I guess that'll make it easier to reproduce. | 16:29 |
LeePen | Yes, I saw that. Where do they come from? They aren't part of a package AFAICS. | 16:29 |
LeePen | mason: thanks. | 16:29 |
fsmithred | also, I don't have aa-complain command | 16:29 |
fsmithred | also don't have directories that debian wiki says I should have | 16:34 |
fsmithred | how about if I purge apparmor? That's easy - just add it to the purge list in live-sdk build. | 16:35 |
LeePen | I have never used it, so I would be happy for it not to be there. | 16:37 |
LeePen | Any counter views? | 16:37 |
fsmithred | I found a post where someone else had the same problem. 2 years ago, and still no answer. | 16:41 |
LeePen | Yes, I found a couple too. | 16:42 |
LeePen | I don['t see why the live iso trips apparmor, but normal installation doesn't. | 16:42 |
fsmithred | LeePen, another problem I had was when I tried it on a live-usb with persistence - I couldn't get the desktop to come up, and the console had "Authentication error" a bunch of times. | 16:48 |
fsmithred | so I'm guessing something in the live arrangement doesn't agree with apparmor | 16:49 |
fsmithred | ok, from the changelog: Don't load AppArmor policy when running in a Debian Live environment | 16:51 |
fsmithred | that uses overlayfs (Closes: #922378) | 16:51 |
fsmithred | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922378 | 16:52 |
fsmithred | The root cause of the problem is that the storage stack set up by | 16:53 |
fsmithred | live-boot with overlayfs is not supported by our AppArmor policy at | 16:53 |
fsmithred | the moment. | 16:53 |
LeePen | Good find! | 16:55 |
fsmithred | ok, even easier: add 'apparmor=0' to the boot command | 16:55 |
LeePen | Seems so. | 16:57 |
mason | That seems like a good fix until there's workable policy - easy to undo should that time ever come. | 16:57 |
fsmithred | and that boot entry does not get carried over to the installed system, so no problem with having to undo it. | 16:58 |
LeePen | The fix for #922378 is only in the .service file :( | 17:01 |
LeePen | We can bug them to include it in the initscript too ;) | 17:01 |
fsmithred | that's just the fix to disable apparmor? | 17:01 |
LeePen | Yep | 17:02 |
LeePen | When using overlayfs | 17:02 |
fsmithred | we need to see if it's really fixed in ceres | 17:02 |
LeePen | Fixed in version apparmor/2.13.2-10 which is beowulf | 17:03 |
fsmithred | the changelog for that version says don't use apparmor in live | 17:04 |
LeePen | Yes, but it is only fixed in the service file, not the initscript. | 17:05 |
LeePen | It is fine, let's change the cmdline. | 17:05 |
LeePen | Yes, adding apparmor=0 to the boot command line fixes it for me. | 17:14 |
fsmithred | cool. While you were answering in mailing list, I posted it to the forum. | 17:17 |
LeePen | Presumably you will rebuild the live isos with that as the default? | 17:19 |
fsmithred | yes, will do that in a few minutes when the current build completes. | 17:29 |
fsmithred | I started one to purge apparmor, so I'll let it finish. | 17:30 |
fsmithred | replace apparmor and just disable it in next build. | 17:30 |
fsmithred | FTR, adding apparmor to the purge list in live-sdk did not get rid of it - it got purged and pulled in again as a Recommends for the kernel. | 17:38 |
LeePen | Good to know and not surprising: apparmour is enabled by default in buster. | 20:20 |
LeePen | At least you found a way round. | 20:20 |
Centurion_Dan | o/ | 22:32 |
Generated by irclog2html.py 2.17.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!