** Description changed:

+ [ Impact ]
+ 
+  * when openldap's apparmor profile is re-enabled due to the fix in bug 
#2119884, tests using openldap fail to run due to its apparmor rules.
+  * this SRU just fixes the tests of packages, it doesn't change the resulting 
binary packages.
+ 
+ [ Test Plan ]
+ 
+ observe failure
+  * have openldap with enabled apparmor profile
+  * run autopkgtest
+  * see failures due to apparmor denial
+ 
+ apply fix and observe success
+  * have same openldap with enabled apparmor profile
+  * run autopkgtest and see success
+ 
+ [ Where problems could occur ]
+ 
+  * this just changes the autopkgtest, so apart from the possible issues
+ in the update rollout, no behavior change is expected
+ 
+ 
+ [ Error analysis ]
+ 
  this happens due to fixing apparmor in bug #2119884
  
  package tests run in a directory that is denied by apparmor.
  
  == nss-pam-ldapd ==
  sets up slapd config in /tmp/
  
  echo "$script: setting up test slapd..."
  tmpslapd=`mktemp -d -t slapd.XXXXXX`
  tests/setup_slapd.sh "$tmpslapd" setup
  tests/setup_slapd.sh "$tmpslapd" start
  =>
  105s testsuite: setting up test slapd...
  105s Creating blank /tmp/slapd.HYWyj5 slapd environment... done.
  108s Fixing permissions... done.
  108s Starting OpenLDAP: slapd FAILED
  slapd -F "/tmp/slapd.HYWyj5/slapd.d" -u "$user" -g "$group" -h "ldap:/// ldaps:/// ldapi:///"
  
  == python-ldap ==
  runs its tests in /tmp/autopkgtest
  via TMPDIR = os.environ.get('TMP', os.getcwd()), but this is denied by apparmor.
  
  to test the openldap config validity, python-ldap starts:
  
      def _test_config(self):
          self._log.debug('testing config %s', self._slapd_conf)
          popen_list = [
              self.PATH_SLAPD,
              "-Ttest",
              "-F", self._slapd_conf,
              "-u",
              "-v",
              "-d", "config"
          ]
          p = subprocess.run(
              popen_list,
              stdout=subprocess.PIPE,
              stderr=subprocess.STDOUT
          )
          if p.returncode != 0:
              self._log.error(p.stdout.decode("utf-8"))
              raise RuntimeError("configuration test failed")
          self._log.info("config ok: %s", self._slapd_conf)
  
  this is denied by apparmor:
  
  192s autopkgtest [04:33:39]: test startserver: [-----------------------
  192s 2025-10-29 04:33:39,747 ERROR ldif_read_file: Permission denied for "/tmp/autopkgtest.y86Vgq/autopkgtest_tmp/python-ldap-test-59787/slapd.d/cn=config.ldif"
  192s slaptest: bad configuration directory!
  192s
  192s Traceback (most recent call last):
  192s   File "<string>", line 1, in <module>
  192s     import slapdtest; server = slapdtest.SlapdObject(); server.start(); assert server.port > 0 and server.port < 65536; server.stop()
  192s                                                         ~~~~~~~~~~~~^^
  192s   File "/usr/lib/python3/dist-packages/slapdtest/_slapdtest.py", line 448, in start
  192s     self._test_config()
  192s     ~~~~~~~~~~~~~~~~~^^
  192s   File "/usr/lib/python3/dist-packages/slapdtest/_slapdtest.py", line 395, in _test_config
  192s     raise RuntimeError("configuration test failed")
  192s RuntimeError: configuration test failed

https://bugs.launchpad.net/bugs/2130351

Title:
  openldap apparmor profile denies access to test files in /tmp/
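
A triage helper for logs like the ones quoted in this report, added here as an example and not part of the bug report or of either package: it strips the autopkgtest elapsed-time prefix, re-joins wrapped lines, and lists the slapd failures with the directory involved. The function names are illustrative, and a listed path only shows where slapd was pointed; the AppArmor denial itself is confirmed in the audit log.

```python
import re

PREFIX = re.compile(r"^\s*\d+s(?: |$)")  # autopkgtest elapsed-seconds prefix, e.g. "192s "
DENIED = re.compile(r'Permission denied for\s+"([^"]+)"')
NEW_ENV = re.compile(r"Creating blank (\S+) slapd environment")
START_FAILED = "Starting OpenLDAP: slapd FAILED"


def unwrap(log_text):
    """Yield log records without the prefix, re-joining lines a mailer wrapped."""
    record = None
    for raw in log_text.splitlines():
        if PREFIX.match(raw):
            if record is not None:
                yield record
            record = PREFIX.sub("", raw, count=1).rstrip()
        elif record is not None and raw.strip():
            record += " " + raw.strip()  # continuation of a wrapped line
    if record is not None:
        yield record


def triage(log_text):
    """Return (kind, path) findings for slapd failures in an autopkgtest log."""
    findings, env_dir = [], None
    for line in unwrap(log_text):
        if (m := NEW_ENV.search(line)):
            env_dir = m.group(1)  # directory the next slapd start will use
        elif (m := DENIED.search(line)):
            findings.append(("config-read-denied", m.group(1)))
        elif START_FAILED in line:
            findings.append(("slapd-start-failed", env_dir))
    return findings


def under_tmp(path):
    """True when the path sits below /tmp, the location both test suites used."""
    return bool(path) and path.startswith("/tmp/")


# Sample input: lines taken from the report, one wrapped the way a mailer wraps it.
SAMPLE = '''105s Creating blank /tmp/slapd.HYWyj5 slapd environment... done.
108s Starting OpenLDAP: slapd FAILED
192s 2025-10-29 04:33:39,747 ERROR ldif_read_file: Permission denied for
"/tmp/autopkgtest.y86Vgq/autopkgtest_tmp/python-ldap-test-59787/slapd.d/cn=config.ldif"
'''

if __name__ == "__main__":
    print(triage(SAMPLE))
```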
