[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-11-02 Thread Mathew Hodson
*** This bug is a duplicate of bug 1728120 *** https://bugs.launchpad.net/bugs/1728120 ** This bug has been marked a duplicate of bug 1728120 apparmor_parser is missing fix for rule down grades -- You received this bug notification because you are a member of Ubuntu Touch seeded

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-29 Thread John Johansen
Yes, that stings but wasn't unexpected. It will take a while to get features going back upstream but in the long term this will actually benefit apparmor, as it is forcing the development of fine grained policy version which has been needed for years but never a top priority.

Re: [Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-29 Thread intrigeri
> The kernel patch causing the issue has been reverted. So 4.14-rc7 should work as pre 4.14-rc2 Great! (Modulo Linus' commit message…) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-27 Thread John Johansen
** Changed in: apparmor (Ubuntu) Status: Confirmed => Invalid ** Changed in: apparmor (Ubuntu Xenial) Status: Confirmed => Invalid ** Changed in: apparmor (Ubuntu Zesty) Status: Confirmed => Invalid ** Changed in: apparmor (Ubuntu Artful) Status: Confirmed => Invalid

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-27 Thread John Johansen
Okay, thank you everyone for your feedback. The kernel patch causing the issue has been reverted. So 4.14-rc7 should work as pre 4.14-rc2. This bug has become a dumping ground for multiple issues so I am going to create new bugs to track the issues individually and close this bug down. Please see

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-25 Thread Doug Smythies
@John: O.K., I think this excerpt from kern.log is what you might be looking for. ** Attachment added: "kern.log.txt" https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1721278/+attachment/4995556/+files/kern.log.txt

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-25 Thread John Johansen
@Doug, can you attach your breakage? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1721278 Title: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed"

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-25 Thread Doug Smythies
Further to my comment #32: That setup then breaks lots of stuff if I subsequently boot a normal default kernel (i.e. 4.4.0-96-generic). I'm going back to just booting with apparmor disabled.

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-25 Thread Paul Menzel
I integrated the PPA, but under Ubuntu 16.04.3 LTS no updates are available. The package *apparmor* 2.10.95-0ubuntu2.7 is installed.

```
$ sudo add-apt-repository ppa:apparmor-dev/apparmor-devel
$ sudo apt-get update
```

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-24 Thread John Johansen
@Paul, sorry no. At least not unless you are doing some very specific pinning of the kernel features abi as I suggested as a solution in #19. You will need the userspace fix in the ppa until ubuntu can land an SRU of either patch r3700 or a full SRU of the current maintenance releases. With the

Re: [Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-24 Thread Paul Menzel
Dear Christian, On 24.10.2017 at 19:14, Christian Boltz wrote: >> ... apparmor="DENIED" operation="create" ... family="unix" > sock_type="stream" > > With the pinned-down feature set, you probably "lost" support for unix > rules. Sorry, I have no clue about the internals. I just use what’s

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-24 Thread Christian Boltz
> ... apparmor="DENIED" operation="create" ... family="unix" sock_type="stream" With the pinned-down feature set, you probably "lost" support for unix rules. In theory, apparmor_parser will downgrade those rules to "network unix," - but in practice a bug in apparmor_parser prevented it. This bug

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-24 Thread Paul Menzel
@John, thank you for the patch, but maybe I misunderstood it. Applying that patch to Linus’ master branch, should fix the regression, right? No user space change needed, correct? ``` $ git log --oneline -2 4a4a4a7 apparmor: fix regression in network mediation when using feature pinning 6cff0a1

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-24 Thread Doug Smythies
@John: That patch works great, thanks. On kernel 4.14-rc6 + patch, I re-did the stuff from my comment #22, which in turn was implementing one of the methods from your comment #19. This time it worked.

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-24 Thread Ubuntu Foundations Team Bug Bot
The attachment "Fix regression in network mediation" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu- reviewers, unsubscribe the team. [This is an automated message performed by a Launchpad user

Re: [Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-24 Thread Paul Menzel
Dear John, On 10/24/17 12:55, John Johansen wrote: > On 10/24/2017 02:32 AM, Paul Menzel wrote: >> I’d really like to try the Linux kernel fix. Can I get it from >> somewhere? >> > commit 8baea25455c08173713fdbceac99309192518ffb > Author: John Johansen > Date: Mon

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-24 Thread John Johansen
Several people have asked for the patch ** Patch added: "Fix regression in network mediation" https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1721278/+attachment/4990797/+files/0001-apparmor-fix-regression-in-network-mediation-when-us.patch

Re: [Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-24 Thread John Johansen
On 10/24/2017 02:32 AM, Paul Menzel wrote: > I’d really like to try the Linux kernel fix. Can I get it from > somewhere? > commit 8baea25455c08173713fdbceac99309192518ffb Author: John Johansen Date: Mon Oct 23 08:51:24 2017 -0700 apparmor: fix regression in

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-24 Thread Paul Menzel
I’d really like to try the Linux kernel fix. Can I get it from somewhere?

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-23 Thread John Johansen
Alright userspace packages with the parser fix are available in https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-devel zesty is still building. So to recap which solutions are needed where. ubuntu kernel + apparmor 2.11.X - no patches needed upstream 4.14-rc6 or earlier - policy

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-23 Thread John Johansen
Rocko: thanks for the patch, just so people know this is a work around patch which adjusts policy instead of fixing the bug in the parser.

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-23 Thread John Johansen
@Doug, thanks for testing, I've managed to track down a bug in the kernel, I'll try to get a fix merged before 4.14 final, also I have apparmor userspace fixes building in the apparmor ppa and will post those up for further test once they are done

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-22 Thread Rocko
If it helps anyone, I've got 4.14-rc5 and apparmor working. I've posted a patch at the duplicate bug https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1724450.

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-18 Thread Doug Smythies
@John: I tried your suggestion on my main 16.04.3 test server. I edited /etc/apparmor/parser.conf, keeping an "original copy" first. And used "the hand edited features 4.14 feature file attached". It made things worse, as in addition to mysql and libvirt not starting, now the network doesn't

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-18 Thread John Johansen
Yes. Ideally we would grab the upstream maintenance releases with the patches in them. But upstream hasn't had time to release them yet. It should happen this week

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-18 Thread Jamie Strandboge
John, It sounds like we should backport r3700 to all Ubuntu releases?

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-18 Thread John Johansen
This bug is annoying in that there isn't a single switch to toggle to work around it. You can pin the feature file but getting the feature file you want requires some editing, or booting into a 4.13 upstream kernel (at which point you lose the other features landed in 4.14). To pin the features

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-18 Thread Doug Smythies
John wrote: > Ubuntu's parser is missing upstream commit r3700, resulting in this failure. Is there any boot option that would allow Ubuntu mainline kernels to work? For my own work, and as mentioned in comment #3, I am compiling with "# CONFIG_SECURITY_APPARMOR is not set".

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-18 Thread John Johansen
Ubuntu's parser is missing upstream commit r3700, resulting in this failure.

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-17 Thread Mario Limonciello
Here you go. This is from a kernel built on 4.14-rc4 right after boot where dhclient is failing. ** Attachment added: "sbin.dhclient" https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1721278/+attachment/4974238/+files/sbin.dhclient

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-17 Thread John Johansen
Could someone who is having this issue also attach a profile cache file for the profile that is failing? So I can verify what your local compiles are doing. you can grab the binary cache file out of /etc/apparmor.d/cache/sbin.dhclient or compile it with apparmor_parser -o output_file

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-17 Thread John Johansen
@Doug, I forgot to mention this in my above explanation the reason you see this with 4.14-rc2 and not 4.14-rc1 is because there was a problem with the security tree merge and Linus ended up pulling the security changes in between rc1 and rc2.

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-13 Thread John Johansen
err make that 4.14 not 4.13 in my above explanation

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-13 Thread John Johansen
@Doug, not a kernel regression and not an incompatible kernel change either. The kernel does support the older abi, however the compiled policy being sent to the kernel is for the new abi that the kernel is now advertising as being supported. The kernel advertises its supported feature set and

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-13 Thread John Johansen
As of 4.13 the upstream kernel does support basic socket mediation which does include unix sockets. This denial is not due to fine grained unix socket mediation.

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-13 Thread Mario Limonciello
>This isn't really an *Ubuntu* issue per se as we've never claimed to support apparmor profiles with non-Ubuntu kernels. So I think the problem is that kernel team maintains a PPA of mainline kernels and often will ask users to check stuff with mainline kernel when there are bugs that come up.

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-13 Thread Mario Limonciello
And FWIW the /sbin/dhclient and /usr/lib/NetworkManager/nm-dhcp-helper errors are also family="unix" denying create operations.

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-13 Thread Jamie Strandboge
This isn't really an *Ubuntu* issue per se as we've never claimed to support apparmor profiles with non-Ubuntu kernels. I do think it is interesting that there are 'unix' denials on a kernel that isn't supposed to support unix rules. John, can you comment on this?

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-11 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: apparmor (Ubuntu Zesty) Status: New => Confirmed

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-11 Thread Doug Smythies
> I've found that it's more than just cups blows up, some networking > related items (DHCP client, network manager IIRC) also explode. yes, and libvirtd and mysql. I was not aware of "teardown". I'll try it when I get a chance.

[Touch-packages] [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

2017-10-11 Thread Mario Limonciello
I've personally confirmed this with both artful and xenial userspace with 4.14-rc4. A temporary solution other than compiling without apparmor is to do teardown/stop

# /etc/init.d/apparmor teardown
# /etc/init.d/apparmor stop