After updating to 1.9.3 Debian apparmor.service loaded failed

I think it’s still worth fixing

systemctl --failed
  UNIT             LOAD   ACTIVE SUB    DESCRIPTION           
● apparmor.service loaded failed failed Load AppArmor profiles

In a test VM I’ve Debian 12.9 and Hestia 1.9.3 and I’ve no problems with apparmor.

❯ cat /etc/debian_version
12.9
❯ systemctl status apparmor.service --no-pager -l
● apparmor.service - Load AppArmor profiles
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; preset: enabled)
     Active: active (exited) since Fri 2025-02-28 02:02:37 CET; 33min ago
       Docs: man:apparmor(7)
             https://gitlab.com/apparmor/apparmor/wikis/home/
   Main PID: 434 (code=exited, status=0/SUCCESS)
        CPU: 35ms

Feb 28 02:02:37 h19.lab.27a.net systemd[1]: Starting apparmor.service - Load AppArmor profiles...
Feb 28 02:02:37 h19.lab.27a.net apparmor.systemd[434]: Restarting AppArmor
Feb 28 02:02:37 h19.lab.27a.net apparmor.systemd[434]: Reloading AppArmor profiles
Feb 28 02:02:37 h19.lab.27a.net systemd[1]: Finished apparmor.service - Load AppArmor profiles.
❯ apparmor_status
apparmor module is loaded.
11 profiles are loaded.
11 profiles are in enforce mode.
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /{,usr/}sbin/dhclient
   lsb_release
   man_filter
   man_groff
   named
   nvidia_modprobe
   nvidia_modprobe//kmod
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/dhclient (518) /{,usr/}sbin/dhclient
   /usr/sbin/named (557) named
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.

In my case I don’t have the policy bwrap-userns-restrict; indeed, it is removed during the upgrade to 1.9.3 if abi 4.0 is not detected (Debian 12 is using 3.0):

❯ grep -A3 'abi 4' /usr/local/hestia/install/upgrade/versions/1.9.3.sh
# Remove jailbash app armour file if abi 4.0 is no installed
if [ ! -f /etc/apparmor.d/abi/4.0 ]; then
        rm -f /etc/apparmor.d/bwrap-userns-restrict
fi

Maybe you still have the backup you made, bwrap-userns-restrict.backup, and apparmor is trying to load it.

Yes, I still had the file bwrap-userns-restrict.backup, but it was fixed (as in the topic above), i.e. the line was commented out; after the update it somehow changed. In general, I deleted the file itself; I think that this is the right decision. Well, if you are doing well, then we will close the topic. Thanks!
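
Added example, not part of the thread or of Hestia's scripts: a shell check for the situation the thread points to, where a file left in the profile directory declares an ABI that is not installed (the upgrade script tests for /etc/apparmor.d/abi/4.0). It assumes profiles use the `abi <abi/X.Y>,` form resolved relative to the profile directory; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# List top-level files in an AppArmor profile directory whose uncommented
# "abi <abi/X.Y>," declaration names an ABI file that is not present there.

# find_missing_abi DIR -> prints "filename<TAB>abi/X.Y" for each mismatch
find_missing_abi() {
    dir=${1:-/etc/apparmor.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue     # skip abi/, tunables/ and other subdirectories
        # Pull the path out of an "abi <...>," rule; lines starting with '#' do not match.
        sed -n 's/^[[:space:]]*abi[[:space:]]*<\([^>]*\)>.*/\1/p' "$f" |
        while IFS= read -r abi; do
            [ -f "$dir/$abi" ] || printf '%s\t%s\n' "${f##*/}" "$abi"
        done
    done
}

# Constructed sample layout (not taken from a real host): only abi/3.0 exists,
# as on the Debian 12 system described in the thread.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/abi" && : > "$d/abi/3.0"
    printf 'abi <abi/3.0>,\nprofile man /usr/bin/man { }\n' > "$d/man"
    printf 'abi <abi/4.0>,\nprofile bwrap /usr/bin/bwrap { }\n' \
        > "$d/bwrap-userns-restrict.backup"
    printf '#abi <abi/4.0>,\n' > "$d/commented-out"
    echo "$d"
}

sample=$(make_sample)
find_missing_abi "$sample"
rm -rf "$sample"
```

On a real host, call `find_missing_abi /etc/apparmor.d` and review each reported file before removing or editing it.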
