Control: reassign -1 apparmor
Control: severity -1 serious
Control: retitle -1 AppArmor policy breaks confined software when running under live-boot + overlayfs
Control: found -1 2.13.2-9

Hi,

Cesar Etxeberria:
> Everything works perfectly but libreoffice doesn't start (signal
> 11).

I can reproduce this with LibreOffice and Evince.

The root cause of the problem is that the storage stack set up by
live-boot with overlayfs is not supported by our AppArmor policy at
the moment.

Fixing the root cause of this problem:

 - will require quite some work; I've started working on this some
   time ago and will definitely finish it at some point for several
   reasons, including the fact that Tails needs this to be fixed;

 - is too involved to happen in time for Buster.

So my plan for Buster is to disable apparmor.service when running
under live-boot + overlayfs, just like Ubuntu already does in their
live images for the exact same reason. This will prevent loading
policy at boot time, which will avoid such breakage, except for
packages that load policy themselves; thankfully, the nature of these
packages (libvirt, LXC) makes it so they have little chance to be used
in a Live environment, so I think that'll be good enough; and if it's
not good enough, worst case we can patch the Live builds configuration
to disable the AppArmor LSM entirely, by passing apparmor=0 on the
kernel command line.

Cheers,
--
intrigeri
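
The boot-time decision described in the message above, as an added example (not intrigeri's code and not the apparmor package's): a shell check that classifies a boot from the contents of /proc/mounts and /proc/cmdline. Recognising live-boot by its `boot=live` kernel parameter together with a root mount of type `overlay` is an assumption of this example, as are the function names and the three state labels.

```shell
#!/bin/sh
# Added example. Inputs are file paths so the logic can be exercised on
# constructed samples; on a real system pass /proc/mounts and /proc/cmdline.

# root_is_overlay MOUNTS_FILE: succeeds if "/" is mounted with fstype overlay.
root_is_overlay() {
    # Fields: device mountpoint fstype options dump pass.
    # The last entry for "/" wins, because later mounts shadow earlier ones.
    awk '$2 == "/" { t = $3 } END { exit (t == "overlay") ? 0 : 1 }' "$1"
}

# cmdline_has CMDLINE_FILE WORD: succeeds if WORD is a whole kernel parameter,
# so "apparmor=0" does not match "apparmor=01" or "noapparmor=0".
cmdline_has() {
    tr ' ' '\n' < "$1" | grep -qxF -- "$2"
}

# apparmor_boot_state MOUNTS_FILE CMDLINE_FILE: prints one of
#   lsm-disabled      apparmor=0 was passed, the LSM is off entirely
#   skip-policy-load  live-boot + overlayfs root, boot-time policy load skipped
#   load-policy       ordinary boot, policy is loaded as usual
apparmor_boot_state() {
    mounts=$1 cmdline=$2
    if cmdline_has "$cmdline" "apparmor=0"; then
        echo "lsm-disabled"
    elif cmdline_has "$cmdline" "boot=live" && root_is_overlay "$mounts"; then
        echo "skip-policy-load"
    else
        echo "load-policy"
    fi
}

# Runs the check on constructed sample inputs (not captured from a real system).
demo() {
    d=$(mktemp -d)
    echo 'overlay / overlay rw,lowerdir=/lower,upperdir=/upper,workdir=/work 0 0' > "$d/m_live"
    echo '/dev/sda1 / ext4 rw,relatime 0 0' > "$d/m_disk"
    echo 'BOOT_IMAGE=/live/vmlinuz boot=live quiet' > "$d/c_live"
    echo 'BOOT_IMAGE=/live/vmlinuz boot=live apparmor=0' > "$d/c_off"
    apparmor_boot_state "$d/m_live" "$d/c_live"
    apparmor_boot_state "$d/m_disk" "$d/c_live"
    apparmor_boot_state "$d/m_live" "$d/c_off"
    rm -rf "$d"
}
```

In the `skip-policy-load` state only the boot-time load is skipped, so packages that load policy themselves (the message names libvirt and LXC) can still put profiles in place; `lsm-disabled` rules that out as well.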
