Apparmor in minimal template not working

In qubes 4.1, should apparmor be automatically enabled after setting it in the minimal template?

Here is my list of packages in a minimal template:
qubes-core-agent-passwordless-root
zenity
pulseaudio-qubes
qubes-core-agent-networking
qubes-mgmt-salt-vm-connector
qubes-core-agent-nautilus
gnome-terminal
nautilus
gnome-themes-extra
htop
xfce4-notifyd
mousepad
apparmor
apparmor-utils
apparmor-profiles
apparmor-profiles-extra
apparmor-notify
auditd
audispd-plugins

After reboot I check aa-status | cat /proc/cmdline:

~ aa-status
apparmor module is loaded.
apparmor filesystem is not mounted.
~ cat /proc/cmdline
root=/dev/mapper/dmroot ro nomodeset console=hvc0 rd_NO_PLYMOUTH rd.plymouth.enable=0 plymouth.enable=0 xen_scrub_pages=0

Everything works in the main Debian 11 template and checking cat /proc/cmdline sets apparmor=1 security=apparmor:

~ cat /proc/cmdline
root=/dev/mapper/dmroot ro nomodeset console=hvc0 rd_NO_PLYMOUTH rd.plymouth.enable=0 plymouth.enable=0 xen_scrub_pages=0  apparmor=1 security=apparmor

Should I manually install kernelopts?
As far as I remember, on my second machine, after installing apparmor in the minimal template, it immediately worked without the need to install kernelopts.

Can you confirm the output of:

[user@dom0 ~]$ qvm-prefs QUBENAME kernelopts

Related read: www.kicksecure.com/wiki/Qubes/AppArmor

In the default debian-11 template, the output is:

qvm-prefs debian-11 kernelopts
'the output is empty'

In Debian-11 minimal template:

qvm-prefs debian-11-minimal kernelopts
'the output is empty'

At the same time, in the standard debian-11, the apparmor=1 security=apparmor kernel parameters are set:

~ cat /proc/cmdline
root=/dev/mapper/dmroot ro nomodeset console=hvc0 rd_NO_PLYMOUTH rd.plymouth.enable=0 plymouth.enable=0 xen_scrub_pages=0  apparmor=1 security=apparmor

There are none in the minimal template.

Try to also set the parameters in dom0:

qvm-prefs debian-11-minimal kernelopts "apparmor=1 security=apparmor"

Then restart the template


I know these options can be set manually, but shouldn’t qubes 4.1 set these options automatically when apparmor is installed? On my other machine, when I installed apparmor in the minimal template, these options were automatically set if I’m not mistaken. How are these options set in the standard debian-11 template if the qvm-prefs kernelopts options are empty?

Debian has enabled AppArmor by default since the buster release, but Fedora has not. This matters because Qubes is Fedora-based and therefore uses the dom0 (not VM) kernel by default. Therefore this step is still required even though Kicksecure ™ is based on a recent enough Debian version.

(source linked in previous reply)


Okay, I understand that Qubes uses the dom0 kernel, but the debian-11 default template also uses the dom0 kernel, and it also has an empty response when asked for qvm-prefs kernelopts, which means they are set by the kernel itself, right? It also doesn’t explain the fact that on another machine these parameters were automatically set in my minimal template. Thanks for the replies, just trying to figure it out.

Try to add features to your minimal template:

qvm-features debian-11-minimal apparmor 1
qvm-features debian-11-minimal supported-service.apparmor 1
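A small check script for the situation in this thread, added here as an example and not posted by anyone above: run inside the template, it tells you whether the kernel actually received the apparmor parameters and whether the LSM came up, and prints the dom0 command from the earlier reply when it did not. It assumes only the standard Linux paths /proc/cmdline, /sys/module/apparmor/parameters/enabled and /sys/kernel/security/apparmor; the sample command lines in the test are the ones quoted in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: check from inside a Qubes VM whether
# AppArmor is really active, and say which step is missing when it is not.

# Succeed (exit 0) only when a kernel command line carries both parameters
# that Qubes adds for AppArmor templates: "apparmor=1" and "security=apparmor".
# Words are matched whole, so e.g. "apparmor=10" does not count.
cmdline_has_apparmor() {
    case " $1 " in
        *" apparmor=1 "*) ;;
        *) return 1 ;;
    esac
    case " $1 " in
        *" security=apparmor "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run inside the template (or a VM based on it). Exit 0 if AppArmor is
# enabled, 1 otherwise, explaining what is missing.
check_vm_apparmor() {
    if ! cmdline_has_apparmor "$(cat /proc/cmdline)"; then
        echo "kernel parameters missing from /proc/cmdline."
        echo "In dom0 run: qvm-prefs <template> kernelopts 'apparmor=1 security=apparmor'"
        echo "then restart the template."
        return 1
    fi
    # The module parameter reads Y only when the LSM was enabled at boot;
    # "module is loaded" alone (as in aa-status above) is not enough.
    if [ "$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null)" != "Y" ]; then
        echo "parameters present but apparmor module reports enabled != Y;"
        echo "check that the dom0 kernel used by this VM supports AppArmor."
        return 1
    fi
    # With the LSM active, securityfs exposes /sys/kernel/security/apparmor;
    # its absence is what aa-status reports as "filesystem is not mounted".
    if [ ! -d /sys/kernel/security/apparmor ]; then
        echo "securityfs has no apparmor directory; check the apparmor service."
        return 1
    fi
    echo "AppArmor is active."
    return 0
}

# Only run the live check when asked, so the functions can also be sourced.
case "${1:-}" in
    check) check_vm_apparmor ;;
esac
```

Inside the template, run it as `sh apparmor-check.sh check`; the exit code is 0 only when all three conditions hold.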