On Wednesday, 31 August 2016, 08:36:39 CEST, Michal Kubecek wrote:
> On Tue, Aug 30, 2016 at 11:32:38PM +0200, Christian Boltz wrote:
> > Michal, do you know if there were AppArmor-related patches added
> > between the previous 3.11 Evergreen kernel and the (AFAIK)
> > SLE-based 3.12 kernel that could explain this problem?
> In general, Evergreen 13.1 kernel is mostly the same as SLE12-SP1.
> There are some differences but those are mostly fixes needed to build
> of architectures and drivers/features not built in SLE (none of them
> is AppArmor related, IIRC). And, of course, the configs are quite
> different but the AppArmor related options seem to be the same.
> As for the AppArmor related changes, there are 20 mainline commits
> between 3.11 and 3.12:
> 01e2b670aa89 apparmor: convert profile lists to RCU based locking

It turned out this commit (and another one) introduced the bug I 

Currently I'm testing a fixed kernel on 42.2 beta, and it seems to fix 
the problem (at least my reproducer [1] no longer triggers the issue).

You can find the fixed kernel package for 42.2 at 

The relevant patch is 
see the link diff at

John also created a branch for Kernel:stable at
with the same patch, but I didn't test it yet.

I wouldn't be too surprised if the patch also works for kernel 3.12 ;-)

BTW: Until fixed kernels are available, the workaround is to restart
Apache after reloading the AppArmor profiles.


Christian Boltz

[1] The reproducer I'm using is:
    - reboot (to get a clean starting state, probably superfluous)
    - rcapache2 restart
    - rcapparmor reload
    - access a web page with your browser
    - find change_hat failures for HANDLING_UNTRUSTED_INPUT in

