Am Mittwoch, 31. August 2016, 08:36:39 CEST schrieb Michal Kubecek:
> On Tue, Aug 30, 2016 at 11:32:38PM +0200, Christian Boltz wrote:
> > Michal, do you know if there were AppArmor-related patches added
> > between the previous 3.11 Evergreen kernel and the (AFAIK)
> > SLE-based 3.12 kernel that could explain this problem?
> In general, Evergreen 13.1 kernel is mostly the same as SLE12-SP1.
> There are some differences but those are mostly fixes needed to build
> of architectures and drivers/features not built in SLE (none of them
> is AppArmor related, IIRC). And, of course, the configs are quite
> different but the AppArmor related options seem to be the same.
> As for the AppArmor related changes, there are 20 mainline commits
> between 3.11 and 3.12:
> 01e2b670aa89 apparmor: convert profile lists to RCU based locking
It turned out this commit (and another one) introduced the bug I
Currently I'm testing a fixed kernel on 42.2 beta, and it seems to fix
the problem (at least my reproducer  no longer triggers the issue).
You can find the fixed kernel package for 42.2 at
The relevant patch is
see the link diff at
John also created a branch for Kernel:stable at
with the same patch, but I didn't test it yet.
I wouldn't be too surprised if the patch also works for kernel 3.12 ;-)
BTW: Until fixed kernels are available, the workaround is to restart
Apache after reloading the AppArmor profiles.
 The reproducer I'm using is:
- reboot (to get a clean starting state, probably superfluous)
- rcapache2 restart
- rcapparmor reload
- access a web page with your browser
- find change_hat failures for HANDLING_UNTRUSTED_INPUT in
Wer News über ein Webinterface liest, filmt auch die Tageszeitung,
um sie auf dem Fernseher anzuschauen. [Henning Schlottmann]
Evergreen mailing list