Ben Caradoc-Davies:
>> Ben Caradoc-Davies wrote:
>>> And what I would like to know is how the fscking apparmor module got
>>> loaded in the first place, given that I have the apparmor service
>>> masked:
>>> # ls -al /etc/systemd/system/apparmor.service
>>> lrwxrwxrwx 1 root root 9 Dec 8 11:24
>>> /etc/systemd/system/apparmor.service -> /dev/null
>>> Yet:
>>> # aa-status
>>> apparmor module is loaded.
>> You've masked a systemd service. But "module" probably refers to some
>> kernel module here, which is enabled by default since a while in
>> Debian Unstable.

More precisely "module" in this context is to be understood as in
Linux Security Module (LSM).

To fully disable the AppArmor LSM, pass apparmor=0 on the kernel
command line (security= might be needed on top of that, didn't check
recently, sorry). Masking/disabling apparmor.service merely prevents
policy loading on boot and might not be what you want.

Cheers,
-- 
intrigeri
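
The distinction made in this reply (kernel LSM state versus the systemd unit that loads policy) can be checked separately, as in this added example, which is not part of the original thread. The function names and the optional root-directory argument are hypothetical, the latter so the checks can also run against a constructed tree.

```shell
#!/bin/sh
# Added example: report the AppArmor LSM state separately from the
# state of apparmor.service. Function names are hypothetical.

# Print the value of kernel parameter $1 found in command-line file $2.
# The last occurrence wins; prints an empty line if the parameter is absent.
cmdline_param() {
    tr ' ' '\n' 2>/dev/null < "$2" | sed -n "s/^$1=//p" | tail -n 1
}

# Classify the AppArmor LSM under root $1 (empty means the live system).
# Prints: enabled  - the kernel has AppArmor and it is switched on
#         disabled - the kernel has AppArmor but it is off (e.g. apparmor=0)
#         absent   - no /sys/module/apparmor parameter file at all
apparmor_lsm_state() {
    flag="${1:-}/sys/module/apparmor/parameters/enabled"
    if [ ! -r "$flag" ]; then
        echo absent
        return 0
    fi
    case "$(cat "$flag")" in
        Y*) echo enabled ;;
        *)  echo disabled ;;
    esac
}

# Human-readable summary; the systemd unit is only queried on the live system.
report() {
    root="${1:-}"
    echo "AppArmor LSM:     $(apparmor_lsm_state "$root")"
    echo "apparmor= param:  $(cmdline_param apparmor "$root/proc/cmdline")"
    echo "security= param:  $(cmdline_param security "$root/proc/cmdline")"
    echo "active LSMs:      $(cat "$root/sys/kernel/security/lsm" 2>/dev/null)"
    if [ -z "$root" ] && command -v systemctl >/dev/null 2>&1; then
        # "masked" here only means policy is not loaded at boot.
        echo "apparmor.service: $(systemctl is-enabled apparmor.service 2>/dev/null)"
    fi
}

# Run as: sh script.sh --report [ROOT]
if [ "${1:-}" = "--report" ]; then
    report "${2:-}"
fi
```

On a system in the state described in the thread, this would show the LSM as enabled while apparmor.service reports masked.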