I think it’s still worth fixing
systemctl --failed
UNIT LOAD ACTIVE SUB DESCRIPTION
● apparmor.service loaded failed failed Load AppArmor profiles
In a test VM I have Debian 12.9 and Hestia 1.9.3, and I have no problems with AppArmor.
❯ cat /etc/debian_version
12.9
❯ systemctl status apparmor.service --no-pager -l
● apparmor.service - Load AppArmor profiles
Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; preset: enabled)
Active: active (exited) since Fri 2025-02-28 02:02:37 CET; 33min ago
Docs: man:apparmor(7)
https://gitlab.com/apparmor/apparmor/wikis/home/
Main PID: 434 (code=exited, status=0/SUCCESS)
CPU: 35ms
Feb 28 02:02:37 h19.lab.27a.net systemd[1]: Starting apparmor.service - Load AppArmor profiles...
Feb 28 02:02:37 h19.lab.27a.net apparmor.systemd[434]: Restarting AppArmor
Feb 28 02:02:37 h19.lab.27a.net apparmor.systemd[434]: Reloading AppArmor profiles
Feb 28 02:02:37 h19.lab.27a.net systemd[1]: Finished apparmor.service - Load AppArmor profiles.
❯ apparmor_status
apparmor module is loaded.
11 profiles are loaded.
11 profiles are in enforce mode.
/usr/bin/man
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/{,usr/}sbin/dhclient
lsb_release
man_filter
man_groff
named
nvidia_modprobe
nvidia_modprobe//kmod
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
2 processes have profiles defined.
2 processes are in enforce mode.
/usr/sbin/dhclient (518) /{,usr/}sbin/dhclient
/usr/sbin/named (557) named
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
In my case I don’t have the policy bwrap-userns-restrict; indeed, it is removed during the upgrade to 1.9.3 if abi 4.0 is not detected (Debian 12 is using 3.0):
❯ grep -A3 'abi 4' /usr/local/hestia/install/upgrade/versions/1.9.3.sh
# Remove jailbash app armour file if abi 4.0 is no installed
if [ ! -f /etc/apparmor.d/abi/4.0 ]; then
rm -f /etc/apparmor.d/bwrap-userns-restrict
fi
Maybe you still have the backup you made, bwrap-userns-restrict.backup, and apparmor is trying to load it.
Yes, I still had the file bwrap-userns-restrict.backup, but it was fixed (as in the topic above), i.e. the line was commented out; after the update it somehow changed. In general, I deleted the file itself; I think that this is the right decision. Well, if you are doing well, then we will close the topic. Thanks!
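The upgrade script's check discussed above only looks at one file name, so a renamed copy such as bwrap-userns-restrict.backup is not covered by it. The following is an added example, not code from Hestia or from any poster in this thread: it lists every top-level file in a profile directory that has an active `abi <abi/X>,` rule whose ABI file is missing. The function names and the sample files are constructed for illustration, and backup copies are included on the assumption, raised in the thread, that the loader may pick them up.

```shell
#!/bin/sh
# Added example (not Hestia code). Function names are hypothetical.

# find_missing_abi DIR
# Print "<file>: abi/<version>" for each top-level file in DIR that has an
# uncommented `abi <abi/...>,` rule pointing at a file absent from DIR.
find_missing_abi() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # skip sub-directories such as abi/
        # A leading '#' prevents the match, so commented-out rules are ignored.
        sed -n 's|^[[:space:]]*abi[[:space:]]*<\(abi/[^>]*\)>.*|\1|p' "$f" |
        while IFS= read -r abi; do
            [ -f "$dir/$abi" ] || printf '%s: %s\n' "${f##*/}" "$abi"
        done
    done
}

# make_sample: build a constructed profile directory that mimics a host
# shipping only ABI 3.0, with a leftover backup that still asks for 4.0.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/abi" && : > "$d/abi/3.0"
    printf 'abi <abi/3.0>,\nprofile named /usr/sbin/named {}\n' > "$d/named"
    printf 'abi <abi/4.0>,\nprofile bwrap /usr/bin/bwrap {}\n' \
        > "$d/bwrap-userns-restrict.backup"
    printf '#abi <abi/4.0>,\nprofile x /usr/bin/x {}\n' > "$d/commented"
    printf '%s\n' "$d"
}

# Stand-alone run on the constructed sample; pass a real directory
# (for example /etc/apparmor.d) to find_missing_abi to check a host.
sample=$(make_sample)
find_missing_abi "$sample"
rm -rf "$sample"
```
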