Public bug reported:
To reproduce in a terminal or shell run man apparmor. In the section
Ubunut policy load assumes upstart as in 14.10 and earlier.
To copy the section from the man page it is
UBUNTU POLICY LOAD
Ubuntu systems use upstart(8) instead of a traditional SysV init system.
Because upstart is an event-driven init system and understanding that policy
must be loaded before execution, Ubuntu loads
policy in two ways:
1. via upstart jobs for services started during the boot process
2. via the AppArmor upstart job for any remaining policy
The AppArmor upstart job is configured to make sure all policy is loaded
before any user sessions start. When developing policy it is important to know
how your application is started and if policy
load should be handled specially.
The upstart job may be call with or without arguments, like so:
$ sudo start apparmor
$ sudo start apparmor ACTION=clear # clear policy cache
$ sudo start apparmor ACTION=teardown # unload all policy
$ sudo start apparmor ACTION=reload # reload policy
$ sudo start apparmor ACTION=force-reload # same as 'reload'
Because the job is an upstart(8) task, use 'start apparmor
ACTION=teardown' to unload all policy.
In general, nothing extra has to be done for applications not
started during boot or those that start after AppArmor's upstart job.
If the confined application has an Upstart job, adjust the job tUBUNTU
POLICY LOAD
Ubuntu systems use upstart(8) instead of a traditional SysV init system.
Because upstart is an event-driven init system and understanding that policy
must be loaded before execution, Ubuntu loads
policy in two ways:
1. via upstart jobs for services started during the boot process
2. via the AppArmor upstart job for any remaining policy
The AppArmor upstart job is configured to make sure all policy is loaded
before any user sessions start. When developing policy it is important to know
how your application is started and if policy
load should be handled specially.
The upstart job may be call with or without arguments, like so:
$ sudo start apparmor
$ sudo start apparmor ACTION=clear # clear policy cache
$ sudo start apparmor ACTION=teardown # unload all policy
$ sudo start apparmor ACTION=reload # reload policy
$ sudo start apparmor ACTION=force-reload # same as 'reload'
Because the job is an upstart(8) task, use 'start apparmor
ACTION=teardown' to unload all policy.
In general, nothing extra has to be done for applications not
started during boot or those that start after AppArmor's upstart job.
If the confined application has an Upstart job, adjust the job to
call /lib/init/apparmor-profile-load with the filename of the policy
file (relative to /etc/apparmor.d/). For example:
pre-start script
/lib/init/apparmor-profile-load usr.bin.foo
end script
If the confined application does not have an Upstart job but it starts
before AppArmor's second stage initscript, then add a symlink from the policy
file in /etc/apparmor.d to
/etc/apparmor/init/network-interface-security/. For example:
$ cd /etc/apparmor/init/network-interface-security/
$ sudo ln -s /etc/apparmor.d/usr.bin.foo .
The network-interface-security Upstart job will load all the symlinked
policy files in /etc/apparmor/init/network-interface-security/ before any
network interfaces come up. Because network interfaces
come up very early in the boot process, this will help ensure that
AppArmor policy is loaded before the confined application starts.
In addition, AppArmor on Ubuntu stores policy in two places:
1. /etc/apparmor.d for system policy
2. /var/lib/apparmor/profiles for click policy
UBUNTU POLICY LOAD
Ubuntu systems use upstart(8) instead of a traditional SysV init system.
Because upstart is an event-driven init system and understanding that policy
must be loaded before execution, Ubuntu loads
policy in two ways:
1. via upstart jobs for services started during the boot process
2. via the AppArmor upstart job for any remaining policy
The AppArmor upstart job is configured to make sure all policy is loaded
before any user sessions start. When developing policy it is important to know
how your application is started and if policy
load should be handled specially.
The upstart job may be call with or without arguments, like so:
$ sudo start apparmor
$ sudo start apparmor ACTION=clear # clear policy cache
$ sudo start apparmor ACTION=teardown # unload all policy
$ sudo start apparmor ACTION=reload # reload policy
$ sudo start apparmor ACTION=force-reload # same as 'reload'
Because the job is an upstart(8) task, use 'start apparmor
ACTION=teardown' to unload all policy.
In general, nothing extra has to be done for applications not
started during boot or those that start after AppArmor's upstart job.
If the confined application has an Upstart job, adjust the job to
call /lib/init/apparmor-profile-load with the filename of the policy
file (relative to /etc/apparmor.d/). For example:
pre-start script
/lib/init/apparmor-profile-load usr.bin.foo
end script
If the confined application does not have an Upstart job but it starts
before AppArmor's second stage initscript, then add a symlink from the policy
file in /etc/apparmor.d to
/etc/apparmor/init/network-interface-security/. For example:
$ cd /etc/apparmor/init/network-interface-security/
$ sudo ln -s /etc/apparmor.d/usr.bin.foo .
The network-interface-security Upstart job will load all the symlinked
policy files in /etc/apparmor/init/network-interface-security/ before any
network interfaces come up. Because network interfaces
come up very early in the boot process, this will help ensure that
AppArmor policy is loaded before the confined application starts.
In addition, AppArmor on Ubuntu stores policy in two places:
1. /etc/apparmor.d for system policy
2. /var/lib/apparmor/profiles for click policy
See apparmor_parser(8) and aa-clickhook(1) for details.
Suggests: apparmor-profiles, apparmor-profiles-extra, apparmor-docs,
apparmor-utils
See apparmor_parser(8) and aa-clickhook(1) for details.
o call /lib/init/apparmor-profile-load with the filename of the policy file
(relative to /etc/apparmor.d/). For example:
pre-start script
/lib/init/apparmor-profile-load usr.bin.foo
end script
If the confined application does not have an Upstart job but it starts
before AppArmor's second stage initscript, then add a symlink from the policy
file in /etc/apparmor.d to
/etc/apparmor/init/network-interface-security/. For example:
$ cd /etc/apparmor/init/network-interface-security/
$ sudo ln -s /etc/apparmor.d/usr.bin.foo .
The network-interface-security Upstart job will load all the symlinked
policy files in /etc/apparmor/init/network-interface-security/ before any
network interfaces come up. Because network interfaces
come up very early in the boot process, this will help ensure that
AppArmor policy is loaded before the confined application starts.
In addition, AppArmor on Ubuntu stores policy in two places:
1. /etc/apparmor.d for system policy
2. /var/lib/apparmor/profiles for click policyI expected to read how
ubuntu policy load works and not how it worked in an old version. Instead I got
how it works in 14.10 and earlier and could not read how apparmor policy is
loaded. I think this should be updated.
See apparmor_parser(8) and aa-clickhook(1) for details.
apparmor:
Installed: 2.10-0ubuntu6
Candidate: 2.10-0ubuntu6
Version table:
*** 2.10-0ubuntu6 0
500 http://us.archive.ubuntu.com/ubuntu/ wily/main amd64 Packages
100 /var/lib/dpkg/status
Description: Ubuntu Wily Werewolf (development branch)
Release: 15.10
I expected to read how ubuntu policy load works and not how it worked in
an old version. Instead I got how it works in 14.10 and earlier and
could not read how apparmor policy is loaded. I think this should be
updated.
ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: apparmor 2.10-0ubuntu6
ProcVersionSignature: Ubuntu 4.2.0-7.7-generic 4.2.0
Uname: Linux 4.2.0-7-generic x86_64
ApportVersion: 2.18.1-0ubuntu1
Architecture: amd64
CurrentDesktop: LXDE
Date: Sat Sep 12 20:44:10 2015
InstallationDate: Installed on 2014-09-30 (347 days ago)
InstallationMedia: Lubuntu 14.10 "Utopic Unicorn" - Alpha amd64 (20140930)
JournalErrors:
No journal files were found.
-- No entries --
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-4.2.0-7-generic root=/dev/sdb1 ro
quiet splash nomdmonddf nomdmonisw nomdmonddf nomdmonisw nomdmonddf nomdmonisw
nomdmonddf nomdmonisw nomdmonddf nomdmonisw nomdmonddf nomdmonisw nomdmonddf
nomdmonisw nomdmonddf nomdmonisw
SourcePackage: apparmor
UpgradeStatus: Upgraded to wily on 2015-08-07 (36 days ago)
** Affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug wily
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1495170
Title:
man apparmor still assumes upstart as init
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1495170/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
