isc-dhcp-server apparmor include

Bug #1453088 reported by Simon McNair
This bug affects 2 people
Affects            Status        Importance  Assigned to  Milestone
AppArmor           Fix Released  Undecided   Unassigned
apparmor (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

I tried to put isc-dhcp-server into complain mode due to issues with /run and /var/run PID flags.

It gave me an error:

root@here:/etc/apparmor.d# aa-complain usr.sbin.dhcpd
Setting /etc/apparmor.d/usr.sbin.dhcpd to complain mode.
Traceback (most recent call last):
  File "/usr/sbin/aa-complain", line 30, in <module>
    tool.cmd_complain()
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 184, in cmd_complain
    raise apparmor.AppArmorException(cmd_info[1])
apparmor.common.AppArmorException: "AppArmor parser error for /etc/apparmor.d/usr.sbin.dhcpd in /etc/apparmor.d/usr.sbin.dhcpd at line 69: Could not open 'dhcpd.d'\n"

due to #include <dhcpd.d> in usr.sbin.dhcpd

Two things confuse me. The use of '#' and '# ' to mean include and for commenting respectively. Is this not going to make bug fixing more difficult?

And two, should dhcpd.d include a full path?

Why is AppArmor complain complaining with a standard file?

Cheers
Simon

affects: isc-dhcp (Ubuntu) → apparmor (Ubuntu)
Steve Beattie (sbeattie) wrote :

Hi Simon. Sorry for the difficulty you encountered. The specific traceback issue you encountered with aa-complain has been addressed in trusty in apparmor-utils and python3-apparmor 2.8.95~2430-0ubuntu5.2, so I'm closing this bug (it was also fixed upstream in the 2.9.2 and 2.10 releases).

Yes, the use of C-style #include and shell-style # prefix for comments is a bit confusing. AppArmor 2.10, which will be in Ubuntu 15.10, includes support for just using the keyword 'include' instead of '#include' (though the latter will still work).

The "dhcpd.d" include is assuming the base path to look for included files and directories is /etc/apparmor.d/. In this case, the include references the directory /etc/apparmor.d/dhcpd.d/ which tells apparmor to include any files in that directory into the profile. However, the aa-complain tool before 2.8.95~2430-0ubuntu5.2 did not support including directories, which is why it crashed.

Thanks!

Changed in apparmor (Ubuntu):
status: New → Fix Released
Changed in apparmor:
status: New → Fix Released
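
The include behaviour described in the reply above, as an added Python sketch that is not part of the original report and is not the apparmor-utils code: it tells `#include <x>` / `include <x>` directives apart from `# ` comments and resolves a target against a base directory, expanding a directory target to the files inside it. The function names, the temporary tree and the sample profile lines are constructed for illustration; any file filtering the real parser applies to directory includes is not modelled.

```python
import os
import re
import tempfile

# "#include <x>" and, from AppArmor 2.10, bare "include <x>" are directives.
# "# include <x>" (hash, then a space) is only a comment and does not match.
INCLUDE_RE = re.compile(r'^\s*#?include\s+<([^>]+)>\s*$')

def classify(line):
    """Return ('include', target), ('comment', None) or ('other', None)."""
    m = INCLUDE_RE.match(line)
    if m:
        return ('include', m.group(1))
    if line.lstrip().startswith('#'):
        return ('comment', None)
    return ('other', None)

def resolve_include(target, base_dir):
    """Resolve target under base_dir; a directory expands to the files in it."""
    path = os.path.join(base_dir, target)
    if os.path.isdir(path):
        names = sorted(os.listdir(path))
        return [os.path.join(path, n) for n in names
                if os.path.isfile(os.path.join(path, n))]
    if os.path.isfile(path):
        return [path]
    # Neither file nor directory: same wording as the parser error in the report.
    raise FileNotFoundError("Could not open '%s'" % target)

def list_includes(profile_text, base_dir):
    """Return every file the profile text pulls in, in order."""
    files = []
    for line in profile_text.splitlines():
        kind, target = classify(line)
        if kind == 'include':
            files.extend(resolve_include(target, base_dir))
    return files

def demo():
    """Resolve a constructed profile against a constructed temp tree."""
    profile = ("# comment: local overrides go in dhcpd.d\n"
               "#include <abstractions/base>\n"
               "include <dhcpd.d>\n")
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, 'abstractions'))
        os.makedirs(os.path.join(base, 'dhcpd.d'))
        for rel in ('abstractions/base', 'dhcpd.d/local'):
            open(os.path.join(base, rel), 'w').close()
        return [os.path.relpath(p, base) for p in list_includes(profile, base)]

if __name__ == '__main__':
    print(demo())
```

A tool that only handles the `os.path.isfile` branch fails on `dhcpd.d` exactly as the traceback in the report shows, which is why profile tooling needs the directory case before it can safely switch a profile's mode.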