** Changed in: apparmor (Ubuntu)
       Status: In Progress => Fix Committed

** Description changed:

+ impact: people upgrading from Jaunty to Karmic will see some services fail to 
start due to outdated profiles not correctly being loaded (specifically, this 
happens for bind9).
+ how the bug has been addressed: backported upstream fixes that use ctime 
instead of mtime when examining profiles for if they are out of date compared 
to the cache files.
+ regression potential: low: the change is small, there are upstream tests, and 
the test case below demonstrates the fix.
+ 
+ TEST CASE: (all commands should exit 0: the touch "touch" will rewind 
"modified" but not "changed" time, so a fixed parser will still regenerate the 
cache.)
+ $ sudo -s
+ # cat >/etc/apparmor.d/tmp.test <<EOF
+ #include <tunables/global>
+ /tmp/test {
+   #include <abstractions/base>
+ }
+ EOF
+ # sleep 1
+ # service apparmor reload
+ # test /etc/apparmor.d/cache/tmp.test -nt /etc/apparmor.d/tmp.test
+ # THEN=$(mktemp -t now-XXXXXX)
+ # sleep 1
+ # touch -t 200901010101 /etc/apparmor.d/tmp.test
+ # apparmor_parser -r -W /etc/apparmor.d/tmp.test
+ # test /etc/apparmor.d/cache/tmp.test -nt $THEN
+ # apparmor_parser -R /etc/apparmor.d/tmp.test
+ # rm /etc/apparmor.d/{,cache}/tmp.test $THEN
+ 
+ Original bug description:
+ 
  Binary package hint: bind9
  
  If you have installed apparmor, and install bind9, this fails to start
  complaining about access denied (openssl.cnf file the first time,
  named.pid in other configurations).
  
  The problem is that bind9 doesn't install an apparmor profile.
  
  If you install apparmor-profiles packages, the problem solves.
  
  Then, maybe it has to have a dependency (or install an apparmor bind
  profile specifically).
  
  In my case, it has been detecting after upgrading from 9.04 to 9.10.
- 
- TEST CASE: (all commands should exit 0: the touch "touch" will rewind 
"modified" but not "changed" time, so a fixed parser will still regenerate the 
cache.)
- $ sudo -s
- # cat >/etc/apparmor.d/tmp.test <<EOF
- #include <tunables/global>
- /tmp/test {
-   #include <abstractions/base>
- }
- EOF
- # sleep 1
- # service apparmor reload
- # test /etc/apparmor.d/cache/tmp.test -nt /etc/apparmor.d/tmp.test
- # THEN=$(mktemp -t now-XXXXXX)
- # sleep 1
- # touch -t 200901010101 /etc/apparmor.d/tmp.test
- # apparmor_parser -r -W /etc/apparmor.d/tmp.test
- # test /etc/apparmor.d/cache/tmp.test -nt $THEN
- # apparmor_parser -R /etc/apparmor.d/tmp.test
- # rm /etc/apparmor.d/{,cache}/tmp.test $THEN
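
Review bot: the two "test ... -nt" lines in the added TEST CASE print nothing, so at an interactive root prompt a failing comparison is easy to miss even though the text says all commands should exit 0. Append "|| echo FAIL" to each of them, or run the steps as a script under "set -e" so the first non-zero status stops the run. The opening sentence also reads: the touch "touch", with a duplicated word. $THEN is unquoted in the second test and in the rm line.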

** Also affects: apparmor (Ubuntu Karmic)
   Importance: Undecided
       Status: New

** Also affects: apparmor (Ubuntu Lucid)
   Importance: Medium
     Assignee: Kees Cook (kees)
       Status: Fix Committed

** Changed in: apparmor (Ubuntu Karmic)
       Status: New => Fix Committed

** Changed in: apparmor (Ubuntu Karmic)
   Importance: Undecided => Medium

** Changed in: apparmor (Ubuntu Lucid)
       Status: Fix Committed => Fix Released

** Changed in: apparmor (Ubuntu Karmic)
     Assignee: (unassigned) => Kees Cook (kees)

** Description changed:

  impact: people upgrading from Jaunty to Karmic will see some services fail to 
start due to outdated profiles not correctly being loaded (specifically, this 
happens for bind9).
  how the bug has been addressed: backported upstream fixes that use ctime 
instead of mtime when examining profiles for if they are out of date compared 
to the cache files.
  regression potential: low: the change is small, there are upstream tests, and 
the test case below demonstrates the fix.
  
- TEST CASE: (all commands should exit 0: the touch "touch" will rewind 
"modified" but not "changed" time, so a fixed parser will still regenerate the 
cache.)
- $ sudo -s
- # cat >/etc/apparmor.d/tmp.test <<EOF
+ TEST CASE: (all commands should exit 0: the "touch" will rewind
+ "modified" but not "changed" time, so a fixed parser will still
+ regenerate the cache.)
+ 
+ Run with sudo:
+ #!/bin/bash
+ set -e
+ cat >/etc/apparmor.d/tmp.test <<EOF
  #include <tunables/global>
  /tmp/test {
    #include <abstractions/base>
  }
  EOF
- # sleep 1
- # service apparmor reload
- # test /etc/apparmor.d/cache/tmp.test -nt /etc/apparmor.d/tmp.test
- # THEN=$(mktemp -t now-XXXXXX)
- # sleep 1
- # touch -t 200901010101 /etc/apparmor.d/tmp.test
- # apparmor_parser -r -W /etc/apparmor.d/tmp.test
- # test /etc/apparmor.d/cache/tmp.test -nt $THEN
- # apparmor_parser -R /etc/apparmor.d/tmp.test
- # rm /etc/apparmor.d/{,cache}/tmp.test $THEN
+ sleep 1
+ service apparmor reload
+ test /etc/apparmor.d/cache/tmp.test -nt /etc/apparmor.d/tmp.test
+ THEN=$(mktemp -t now-XXXXXX)
+ sleep 1
+ touch -t 200901010101 /etc/apparmor.d/tmp.test
+ apparmor_parser -r -W /etc/apparmor.d/tmp.test
+ set +e
+ test /etc/apparmor.d/cache/tmp.test -nt $THEN
+ rc=$?
+ set -e
+ apparmor_parser -R /etc/apparmor.d/tmp.test
+ rm /etc/apparmor.d/{,cache}/tmp.test $THEN
+ if [ $rc -ne 0 ]; then
+     echo FAIL
+     exit 1
+ fi
+ echo ok
+ 
  
  Original bug description:
  
  Binary package hint: bind9
  
  If you have installed apparmor, and install bind9, this fails to start
  complaining about access denied (openssl.cnf file the first time,
  named.pid in other configurations).
  
  The problem is that bind9 doesn't install an apparmor profile.
  
  If you install apparmor-profiles packages, the problem solves.
  
  Then, maybe it has to have a dependency (or install an apparmor bind
  profile specifically).
  
  In my case, it has been detecting after upgrading from 9.04 to 9.10.
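
Review bot: with "set -e" at the top, only the second "test ... -nt" is wrapped in "set +e" / "rc=$?". A failure in "service apparmor reload", in the first "test ... -nt" or in "apparmor_parser -r -W" aborts the script before the "apparmor_parser -R" and "rm" lines, leaving /etc/apparmor.d/tmp.test, its cache file and the mktemp file behind, and without printing FAIL. Move the two cleanup commands into a function registered with "trap cleanup EXIT", and print FAIL from that path as well. $THEN should also be quoted in the test and rm lines.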

-- 
apparmor cache files not regenerated on upgrade
https://bugs.launchpad.net/bugs/466315