I have set up Pi-hole and Unbound on the latest raspios_full_arm64-2023-02-22 for a friend. Following the Unbound guide I enabled a dedicated log file. There is a note which states:
On modern Debian/Ubuntu-based Linux systems, you'll also have to add an AppArmor exception for this new file so unbound can write into it.
I ran the command listed and received an error.
pi@pihole:/etc/apparmor.d/local $ sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound
Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.
It's not clear from the guide what is covered by a "modern Debian/Ubuntu-based Linux system". I would expect Pi OS to be one such example.
I think the error is telling me that AppArmor isn't a concern on this OS, and Unbound appears to be working and logging fine in any case.
I welcome any clarification or extra steps needed to determine if this command applies to an Unbound Pi OS install. Happy to open a GitHub issue or make a PR with updated wording if it helps.
Debian 10/Buster or higher would enable AppArmor by default.
However, any Debian-based distro may decide to ship with AppArmor disabled instead.
A while back, Raspberry Pi OS's Linux kernel did not even have support for AppArmor, and you had to recompile it yourself if you wanted AppArmor support.
I think that has changed at some time with RPi OS's Buster release, but even with kernel support available, I'm unaware whether RPi OS comes with AppArmor installed and enabled by default.
And I fail to find any official statement from the RPi Foundation regarding AppArmor.
It should be easy enough to check on a given system, though:
Apologies for the delayed reply. Thanks for the info.
$ cat /etc/rpi-issue
Raspberry Pi reference 2022-09-06
[...]
$ hostnamectl
[...]
Operating System: Debian GNU/Linux 11 (bullseye)
Kernel: Linux 6.1.19-v8+
Architecture: arm64
$ sudo aa-enabled
No - disabled at boot.
$ sudo aa-status
apparmor module is loaded.
apparmor filesystem is not mounted.
Am I correct to say that if I run the apparmor_parser command mentioned in the Unbound guide and get this error (because it is disabled as here), I can simply ignore that step and move on? Or is some alternative command needed? (This all relates to the logging info at the end of the guide.)
Mine appears to be working without having created an AppArmor exception, presumably because it's not controlling anything as it's not enabled.
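The check discussed in this thread, as an added example that is not from either poster or from the Pi-hole guide: a POSIX shell guard that decides whether reloading the Unbound profile can take effect, based on the same kernel state that aa-enabled and aa-status report. The function names and the optional root argument are hypothetical, and the demo tree is constructed to mirror the output posted above.

```shell
#!/bin/sh
# Added example, not from the thread. The optional root argument is a
# hypothetical parameter so the check can run against a constructed tree.

# Print one of: unavailable | disabled | no-interface | enabled
apparmor_state() {
    root="${1:-}"
    mod="$root/sys/module/apparmor"
    if [ ! -d "$mod" ]; then
        echo unavailable        # kernel built without AppArmor
        return 0
    fi
    enabled=$(cat "$mod/parameters/enabled" 2>/dev/null || true)
    if [ "$enabled" != "Y" ]; then
        echo disabled           # matches "No - disabled at boot."
        return 0
    fi
    if [ ! -d "$root/sys/kernel/security/apparmor" ]; then
        echo no-interface       # securityfs not mounted, policy cannot be loaded
        return 0
    fi
    echo enabled
}

# Print "reload" only when a profile reload can take effect, else "skip: <why>".
unbound_profile_action() {
    root="${1:-}"
    state=$(apparmor_state "$root")
    if [ "$state" != enabled ]; then
        echo "skip: apparmor $state"
    elif [ ! -f "$root/etc/apparmor.d/usr.sbin.unbound" ]; then
        echo "skip: no unbound profile"
    else
        echo reload
    fi
}

# Constructed tree mirroring the thread's output: module loaded, disabled at boot.
demo=$(mktemp -d)
mkdir -p "$demo/sys/module/apparmor/parameters" "$demo/etc/apparmor.d"
echo N > "$demo/sys/module/apparmor/parameters/enabled"
: > "$demo/etc/apparmor.d/usr.sbin.unbound"
echo "constructed tree: $(unbound_profile_action "$demo")"
rm -rf "$demo"

# On a real host (no argument reads the live /sys and /etc):
#   [ "$(unbound_profile_action)" = reload ] && sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound
```

If AppArmor is enabled later, the same guard returns reload, which is the point at which the guide's exception for the log file starts to matter.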