Bug 747613 - sys-apps/apparmor-3.0.0: apparmor.service fails to start
Summary: sys-apps/apparmor-3.0.0: apparmor.service fails to start
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Michael Palimaka (kensington)
URL:
Whiteboard:
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2020-10-10 14:21 UTC by Gregory Beauregard
Modified: 2020-11-11 07:50 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments
syslog around failed load (syslog.txt,17.19 KB, text/plain)
2020-10-10 17:43 UTC, Gregory Beauregard

Description Gregory Beauregard 2020-10-10 14:21:01 UTC
After updating to apparmor-3.0.0, the systemd service apparmor.service fails to start as follows:

-- Logs begin at Fri 2019-08-30 22:29:24 EDT, end at Sat 2020-10-10 10:18:51 EDT. --
Oct 10 10:03:22 ares systemd[1]: Starting AppArmor profiles...
Oct 10 10:03:23 ares apparmor_load.sh[2459]: Found reference to variable run, but is never declared
Oct 10 10:03:23 ares systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Oct 10 10:03:23 ares systemd[1]: apparmor.service: Failed with result 'exit-code'.
Oct 10 10:03:23 ares systemd[1]: Failed to start AppArmor profiles.

Checking with aa-status shows that profiles were loaded in enforce mode. I'm not entirely sure what's going on here; I'm inquiring with apparmor upstream to try to figure out if this is a packaging problem.


Reproducible: Always
Comment 1 Gregory Beauregard 2020-10-10 14:22:55 UTC
For reference, here was the behavior on sys-apps/apparmor-2.13.4

-- Logs begin at Fri 2019-08-30 22:29:24 EDT, end at Sat 2020-10-10 10:21:31 EDT. --
Oct 07 23:36:51 ares systemd[1]: Starting AppArmor profiles...
Oct 07 23:36:51 ares systemd[1]: Finished AppArmor profiles.

I'm filing the bug on this package because it owns the service file.
Comment 2 Gregory Beauregard 2020-10-10 17:43:12 UTC
Created attachment 664555 [details]
syslog around failed load

Attached the log around the problem.

Someone in #apparmor suggested it could be related to a profile? I only have Gentoo-installed profiles (i.e. from Gentoo packages): sec-policy/apparmor-profiles and anything that would have been installed with my +apparmor global USE flag.

sudo journalctl -b -a --no-pager | grep -A 50 -B 100 -i "failed to start apparmor" > syslog.txt
Comment 3 Gregory Beauregard 2020-10-10 19:14:39 UTC
From #apparmor:

15:12 <jjohansen> aphysically: the load of most profiles is not usually atomic, so most of policy can load and if one fails, the whole unit still reports a failure
15:12 <jjohansen> Ubuntu saw the same error with the firejail profile
15:13 <jjohansen> it ships separate from apparmor and it uses the variable but it doesn't declare it or include any variable defines
15:13 <aphysically> I do have firejail on this system

I have firejail installed on this system; this could be a bug against the firejail package? Are you able to reproduce if you emerge firejail?
Comment 4 Gregory Beauregard 2020-10-10 21:50:27 UTC
So you can use the following to check if a given profile is problematic:
apparmor_parser -QT <profile>

where <profile> is the individual profile or a directory

Unfortunately, running on directories and the error messages in the system logs don't say which profile is problematic, so we will need to go through the profiles one by one to find them. I'm not sure if there should be a tracker bug to find the problematic ones that are packaged in Gentoo?

The difficulty in locating them led to an upstream bug to hopefully make this easier in the future:
https://gitlab.com/apparmor/apparmor/-/issues/123
Comment 5 Gregory Beauregard 2020-10-11 17:50:56 UTC
I identified the problematic profile(s) with the following bash script:

#!/bin/bash
# Dry-run each top-level profile file individually so the parser names the
# file that fails; subdirectories (tunables/, abstractions/, ...) are skipped.
for f in /etc/apparmor.d/*
do
  if [ ! -d "$f" ]; then
    echo "testing $f"
    sudo apparmor_parser -QT "$f"
  fi
done

I filed a bug against firejail: https://bugs.gentoo.org/747859
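An added example, not the reporter's script, that extends the sweep from comments 4 and 5: it dry-runs every top-level profile file in a directory and prints each failing file next to the parser's first diagnostic, since the unit's log line does not name the offending profile. It assumes apparmor_parser is on PATH; APPARMOR_PARSER can be overridden (e.g. with a stub) so the sweep logic itself can be exercised without root or an AppArmor-enabled kernel.

```shell
#!/bin/sh
# Added example (not the reporter's script): dry-run every top-level profile
# file in an AppArmor profile directory and report the ones the parser
# rejects, together with the parser's first diagnostic line.
#
# Assumption: apparmor_parser is on PATH. APPARMOR_PARSER may be overridden
# (for instance with a stub) to exercise the sweep without an AppArmor kernel.
APPARMOR_PARSER="${APPARMOR_PARSER:-apparmor_parser}"

# find_bad_profiles DIR
# Prints "FILE: DIAGNOSTIC" for each regular file in DIR that fails
# "apparmor_parser -QT" (-Q: skip the kernel load, -T: do not read the
# policy cache, so this is a pure parse check). Subdirectories such as
# tunables/ and abstractions/ are skipped; they are pulled in via #include.
# Returns 0 if every file parsed, 1 if at least one failed.
find_bad_profiles() {
    dir="$1"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # capture stderr for the report, discard stdout
        if ! err=$("$APPARMOR_PARSER" -QT "$f" 2>&1 >/dev/null); then
            first=$(printf '%s\n' "$err" | head -n 1)
            printf '%s: %s\n' "$f" "${first:-(no diagnostic)}"
            rc=1
        fi
    done
    return "$rc"
}

# Run directly with a directory argument, e.g.:  sh sweep.sh /etc/apparmor.d
# (prefix with sudo if any profile file is not readable by your user).
if [ -n "${1:-}" ]; then
    if find_bad_profiles "$1"; then
        echo "all profiles in $1 parsed cleanly"
    else
        exit 1
    fi
fi
```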
Comment 6 Larry the Git Cow gentoo-dev 2020-11-11 07:50:20 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f23fe664f064159ec4460c36c114ff5858c3033b

commit f23fe664f064159ec4460c36c114ff5858c3033b
Author:     Hank Leininger <hlein@korelogic.com>
AuthorDate: 2020-10-14 17:36:50 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-11-11 07:50:10 +0000

    sys-apps/firejail: Version bump for CVEs, fixes, add proxy maintainer
    
    Version bump to address outstanding CVEs. Confirmed the current
    release includes the fixes for several open bugs, so closing those.
    
    Updated to address feedback in https://github.com/gentoo/gentoo/pull/17929
    
    Signed-off-by: Hank Leininger <hlein@korelogic.com>
    Closes: https://bugs.gentoo.org/698062
    Closes: https://bugs.gentoo.org/747859
    Closes: https://bugs.gentoo.org/747613
    Closes: https://bugs.gentoo.org/747859
    Bug: https://bugs.gentoo.org/736816
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Closes: https://github.com/gentoo/gentoo/pull/17929
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 sys-apps/firejail/Manifest               |  1 +
 sys-apps/firejail/firejail-0.9.64.ebuild | 83 ++++++++++++++++++++++++++++++++
 sys-apps/firejail/metadata.xml           | 10 +++-
 3 files changed, 93 insertions(+), 1 deletion(-)