Where to file bug reports is non-obvious. I created this account for the sole purpose of creating this bug. Reportsbugs for Debian BTS is defunct. ubuntu-bugs won't install because it's not provided with Zorin. AI gave me three different URLs to GitHub for Zorin bug reporting and all were 404s.
Title
AppArmor fails after upgrade due to missing tunables/abstractions, causing systemd degraded state
Summary
After upgrading Zorin OS (Ubuntu 24.04 / Noble base), apparmor.service fails to start and causes systemd to report a degraded system state. The failure is due to missing core AppArmor include files under /etc/apparmor.d/ (e.g. tunables/global, tunables/home, abstractions/base, abstractions/totem, abstractions/gstreamer).
This appears to be caused by preserved conffiles and partial directory state during upgrade, leaving /etc/apparmor.d incomplete while profiles still reference those includes.
Environment
- Distro: Zorin OS (Core)
- Zorin version: 18.x (current updates applied)
- Ubuntu base: 24.04 LTS (Noble)
- Architecture: amd64
- AppArmor version: 4.0.1 (Ubuntu package)
- systemd: default for Noble
Symptoms
After upgrade:
$ systemctl --failed
● apparmor.service loaded failed failed Load AppArmor profiles
From journalctl -b -u apparmor:
AppArmor parser error: Could not open 'tunables/global'
AppArmor parser error: Could not open 'tunables/home'
AppArmor parser error: Could not open 'abstractions/base'
AppArmor parser error: Could not open 'abstractions/totem'
AppArmor parser error: Could not open 'abstractions/gstreamer'
Error: At least one profile failed to load
Because AppArmor treats any profile load failure as fatal, this leaves the system in a permanently degraded state until manual repair.
Root Cause (as observed)
- During upgrade, dpkg preserves existing conffiles under /etc/apparmor.d
- Core directories (tunables/, abstractions/) can end up partially missing
- Profiles continue to reference includes that no longer exist
- Reinstalling apparmor, apparmor-profiles, and apparmor-profiles-extra does not always restore missing files unless conffiles are forcibly replaced or files are manually extracted from .deb packages
This results in a broken AppArmor install without obvious guidance to the user.
Recovery (manual, for reference)
System was recovered only after:
- Extracting .deb packages manually:
    dpkg-deb -x apparmor_*.deb /tmp/aa-extract
    dpkg-deb -x apparmor-profiles*.deb /tmp/aa-prof-extract
- Restoring missing directories:
    rsync -a /tmp/aa-extract/etc/apparmor.d/ /etc/apparmor.d/
    rsync -a /tmp/aa-prof-extract/etc/apparmor.d/ /etc/apparmor.d/
- Creating stub files for optional local includes:
    touch /etc/apparmor.d/local/usr.bin.irssi
    touch /etc/apparmor.d/local/usr.sbin.apt-cacher-ng
- Restarting AppArmor:
    systemctl restart apparmor
After this, systemctl --failed returned no units.
Expected Behavior
After upgrade:
- AppArmor should start successfully, or
- Missing includes should be restored automatically, or
- AppArmor should degrade gracefully (e.g. skip broken profiles rather than failing the service)
At minimum, the system should not silently end up in a degraded state due to missing core files.
Why this matters
- The failure is non-obvious and time-consuming to diagnose
- Many users will simply disable AppArmor to “fix” the issue
- This undermines security defaults and user trust
- The issue is reproducible on upgraded systems with older AppArmor conffiles
Suggested Improvements
- Ensure /etc/apparmor.d/tunables/ and /etc/apparmor.d/abstractions/ are always fully restored during upgrades
- Consider using include if exists for optional abstractions
- Add a post-upgrade sanity check for AppArmor includes
- Improve error messaging when core includes are missing
Additional Notes
I understand this may be partly upstream (Ubuntu/AppArmor), but Zorin users will encounter it during normal upgrades, and Zorin-specific profiles (e.g. zorin-*) are also affected when core abstractions are missing.
Happy to provide logs or test fixes if needed.
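
One way to implement the post-upgrade sanity check suggested in the report, as an added example that is not part of the original post or of any Zorin or Ubuntu tooling. The function names `aa_missing_includes` and `aa_check_includes` are hypothetical, only the angle-bracket include form is checked, and /etc/apparmor.d as the include root is an assumption.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): sanity check for AppArmor
# includes. Only "include <path>" / "#include <path>" is checked, resolved
# against the include root (assumed default: /etc/apparmor.d).

# Print every required include target that does not exist under ROOT,
# one relative path per line, sorted and de-duplicated.
aa_missing_includes() {
    local root="${1:-/etc/apparmor.d}" path
    # The sed pattern requires "<" right after "include", so
    # "include if exists <x>" (optional by design) is never reported.
    grep -rhE '^[[:space:]]*#?include[[:space:]]' "$root" 2>/dev/null |
        sed -nE 's/^[[:space:]]*#?include[[:space:]]+<([^>]+)>.*/\1/p' |
        sort -u |
        while IFS= read -r path; do
            # -e accepts both files and include directories (e.g. foo.d).
            [ -e "$root/$path" ] || printf '%s\n' "$path"
        done
    return 0
}

# Print each missing target together with the files that reference it.
# Returns 1 when anything is missing, so it can gate a hook or a CI step.
aa_check_includes() {
    local root="${1:-/etc/apparmor.d}" missing path
    missing=$(aa_missing_includes "$root")
    if [ -z "$missing" ]; then
        return 0
    fi
    printf '%s\n' "$missing" | while IFS= read -r path; do
        printf 'MISSING %s, referenced by:\n' "$path"
        grep -rlF "<$path>" "$root" | sed 's/^/    /'
    done
    return 1
}
```

After sourcing the file, `aa_check_includes` with no argument scans /etc/apparmor.d; reading the whole tree may require root.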