Hi Simon && Christian
Thanks for providing this report!
I was wondering... isn't this behaviour to be performed as a postrm
script by the package that carries the original apparmor profile, in
this case, ntp?
If we think about this for a moment, what we will end up with might be
removing and reinstalling an apparmor profile on every openntpd
upgrade, which seems odd, instead of pruning ntp's currently attached,
running kernel policy.
This also seems a good idea from ntp's perspective, since it helps
restore the system to a proper state (unloading stuff that no longer
needs to be loaded, such as a kernel-loaded apparmor profile).
I might be missing something here, so please excuse and clarify.
Cheers,
Dererk
On 23/11/17 19:02, Simon Deziel wrote:
Package: openntpd
Version: 1:6.2p3-1
Severity: low
Hi,
When someone purges the ntp package to then install openntpd, it is
possible for ntp's AppArmor profile to remain loaded in the kernel after
the corresponding /etc/apparmor.d/ file was removed. This prevents
openntpd from working or even detecting the old profile's file. For
all the details, please see the original bug as reported to Ubuntu [1].
Please consider applying the patch from Christian Ehrhardt [2] to ensure
a smoother transition from ntp to openntpd.
Thank you,
Simon
[1] https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1689585
[2] https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1689585/comments/13
--
BOFH excuse #154:
You can tune a file system, but you can't tune a fish (from most tunefs man
pages)
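
The condition described in the report above (a profile still loaded in the kernel after its /etc/apparmor.d/ file is gone) can be checked for with a short script. This is an added example, not part of the thread or of either package; the function names, the sample profile names and the temporary paths are constructed for illustration, and the name match is a plain substring heuristic.

```shell
#!/bin/sh
# Added example: list AppArmor profiles that are loaded but have no
# definition left on disk.
# On a real host (as root) the inputs would be:
#   orphaned_profiles /sys/kernel/security/apparmor/profiles /etc/apparmor.d

orphaned_profiles() {
    loaded_list=$1   # lines of the form "<profile name> (<mode>)"
    profile_dir=$2   # directory holding the profile source files
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=${line% (*}      # drop the trailing " (enforce)" / " (complain)"
        name=${name%%//*}     # child profiles are defined in the parent's file
        # Heuristic: a profile counts as present if any file under
        # profile_dir mentions its name (fixed-string match, so a mere
        # reference from another profile also counts as present).
        if ! grep -rFq -- "$name" "$profile_dir" 2>/dev/null; then
            printf '%s\n' "$name"
        fi
    done < "$loaded_list" | sort -u
}

# Constructed sample data: one profile with its file still on disk and
# one whose file was removed while the kernel copy stayed loaded.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/apparmor.d"
    printf '%s\n' '/usr/sbin/cupsd {' '}' > "$tmp/apparmor.d/usr.sbin.cupsd"
    printf '%s\n' '/usr/sbin/cupsd (enforce)' \
                  '/usr/sbin/ntpd (enforce)' > "$tmp/loaded"
    orphaned_profiles "$tmp/loaded" "$tmp/apparmor.d"
    rm -rf "$tmp"
}
```

Calling `demo` prints the one profile name that has no file behind it.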