Package: dh-apparmor
Version: 2.7.0-1
Severity: important
Tags: patch

Hi,

the postinst snippet generated by dh_apparmor unconditionally runs
"aa-status --enabled". On Debian systems, aa-status may not be
available. The attached patch takes care of this possible situation.

However, even with that patch applied, the generated packages won't
ever reload profiles, due to #661153. This is a different problem, but
one that, if solved, may also solve the bug I am reporting. Maybe we
should make the dh_apparmor postinst snippet not depend on aa-status
at all, and instead do something that would be roughly(?) equivalent,
in the current state of Debian unstable, that is check that
/sys/kernel/security/apparmor/ exists, and grep /proc/cmdline for
apparmor=1?

Cheers,
--
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
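
The alternative check proposed in the message above, written out as an added example (it is not part of the original report or of dh_apparmor). The helper name `apparmor_probably_enabled` and its two optional path parameters are assumptions, introduced so the logic can be run against constructed fixture files.

```shell
#!/bin/sh
# Added example: implements only the check proposed in the report
# (securityfs directory present AND apparmor=1 on the kernel command line).
# apparmor_probably_enabled is a hypothetical helper name, not an existing tool.

apparmor_probably_enabled() {
    # Defaults are the two paths named in the report; overridable for testing.
    aa_sysfs_dir=${1:-/sys/kernel/security/apparmor}
    aa_cmdline_file=${2:-/proc/cmdline}

    # No securityfs directory: the running kernel does not expose AppArmor.
    [ -d "$aa_sysfs_dir" ] || return 1

    # Cannot read the command line: treat as "not enabled" rather than fail.
    [ -r "$aa_cmdline_file" ] || return 1

    # Split the command line into one parameter per line and require an
    # exact, whole-token match. A plain substring grep would also accept
    # "apparmor=10" or any longer token that merely contains "apparmor=1".
    tr -s '[:space:]' '\n' < "$aa_cmdline_file" | grep -qxF 'apparmor=1'
}

# How a postinst snippet could use it in place of "aa-status --enabled":
#
#   if apparmor_probably_enabled; then
#       apparmor_parser -r -T -W "$APP_PROFILE" || true
#   fi
```

The function returns non-zero, without printing anything, whenever either condition is not met, so a maintainer script using it skips the reload instead of failing.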

=== modified file 'debian/debhelper/postinst-apparmor'
--- debian/debhelper/postinst-apparmor	2012-01-12 22:55:48 +0000
+++ debian/debhelper/postinst-apparmor	2012-04-08 07:39:18 +0000
@@ -16,7 +16,7 @@
         }
 
         # Reload the profile, including any abstraction updates
-        if aa-status --enabled 2>/dev/null; then
+        if type aa-status >/dev/null && aa-status --enabled 2>/dev/null; then
             apparmor_parser -r -T -W "$APP_PROFILE" || true
         fi
     fi
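
Review bot: on the added `if type aa-status >/dev/null && ...` line, only the standard output of `type` is redirected, so on a system without aa-status a shell that reports the failed lookup on stderr will print a "not found" message during package configuration. Redirect both streams (`type aa-status >/dev/null 2>&1`) or use `command -v aa-status >/dev/null 2>&1` instead. It would also help to extend the comment above the condition to say that the reload is skipped silently when aa-status is not installed, since the current comment only describes the reload itself.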
