man apparmor still assumes upstart as init

Bug #1495170 reported by Lyn Perrine on 2015-09-13
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Medium
Unassigned

Bug Description

To reproduce in a terminal or shell run man apparmor. In the section Ubunut policy load assumes upstart as in 14.10 and earlier.

To copy the section from the man page it is

 UBUNTU POLICY LOAD
       Ubuntu systems use upstart(8) instead of a traditional SysV init system. Because upstart is an event-driven init system and understanding that policy must be loaded before execution, Ubuntu loads
       policy in two ways:

        1. via upstart jobs for services started during the boot process
        2. via the AppArmor upstart job for any remaining policy

       The AppArmor upstart job is configured to make sure all policy is loaded before any user sessions start. When developing policy it is important to know how your application is started and if policy
       load should be handled specially.

       The upstart job may be call with or without arguments, like so:

               $ sudo start apparmor
               $ sudo start apparmor ACTION=clear # clear policy cache
               $ sudo start apparmor ACTION=teardown # unload all policy
               $ sudo start apparmor ACTION=reload # reload policy
               $ sudo start apparmor ACTION=force-reload # same as 'reload'

       Because the job is an upstart(8) task, use 'start apparmor ACTION=teardown' to unload all policy.

       In general, nothing extra has to be done for applications not started during boot or those that start after AppArmor's upstart job.

       If the confined application has an Upstart job, adjust the job tUBUNTU POLICY LOAD
       Ubuntu systems use upstart(8) instead of a traditional SysV init system. Because upstart is an event-driven init system and understanding that policy must be loaded before execution, Ubuntu loads
       policy in two ways:

        1. via upstart jobs for services started during the boot process
        2. via the AppArmor upstart job for any remaining policy

       The AppArmor upstart job is configured to make sure all policy is loaded before any user sessions start. When developing policy it is important to know how your application is started and if policy
       load should be handled specially.

       The upstart job may be call with or without arguments, like so:

               $ sudo start apparmor
               $ sudo start apparmor ACTION=clear # clear policy cache
               $ sudo start apparmor ACTION=teardown # unload all policy
               $ sudo start apparmor ACTION=reload # reload policy
               $ sudo start apparmor ACTION=force-reload # same as 'reload'

       Because the job is an upstart(8) task, use 'start apparmor ACTION=teardown' to unload all policy.

       In general, nothing extra has to be done for applications not started during boot or those that start after AppArmor's upstart job.

       If the confined application has an Upstart job, adjust the job to call /lib/init/apparmor-profile-load with the filename of the policy file (relative to /etc/apparmor.d/). For example:

               pre-start script
                       /lib/init/apparmor-profile-load usr.bin.foo
               end script

       If the confined application does not have an Upstart job but it starts before AppArmor's second stage initscript, then add a symlink from the policy file in /etc/apparmor.d to
       /etc/apparmor/init/network-interface-security/. For example:

               $ cd /etc/apparmor/init/network-interface-security/
               $ sudo ln -s /etc/apparmor.d/usr.bin.foo .

       The network-interface-security Upstart job will load all the symlinked policy files in /etc/apparmor/init/network-interface-security/ before any network interfaces come up. Because network interfaces
       come up very early in the boot process, this will help ensure that AppArmor policy is loaded before the confined application starts.

       In addition, AppArmor on Ubuntu stores policy in two places:

        1. /etc/apparmor.d for system policy
        2. /var/lib/apparmor/profiles for click policy
UBUNTU POLICY LOAD
       Ubuntu systems use upstart(8) instead of a traditional SysV init system. Because upstart is an event-driven init system and understanding that policy must be loaded before execution, Ubuntu loads
       policy in two ways:

        1. via upstart jobs for services started during the boot process
        2. via the AppArmor upstart job for any remaining policy

       The AppArmor upstart job is configured to make sure all policy is loaded before any user sessions start. When developing policy it is important to know how your application is started and if policy
       load should be handled specially.

       The upstart job may be call with or without arguments, like so:

               $ sudo start apparmor
               $ sudo start apparmor ACTION=clear # clear policy cache
               $ sudo start apparmor ACTION=teardown # unload all policy
               $ sudo start apparmor ACTION=reload # reload policy
               $ sudo start apparmor ACTION=force-reload # same as 'reload'

       Because the job is an upstart(8) task, use 'start apparmor ACTION=teardown' to unload all policy.

       In general, nothing extra has to be done for applications not started during boot or those that start after AppArmor's upstart job.

       If the confined application has an Upstart job, adjust the job to call /lib/init/apparmor-profile-load with the filename of the policy file (relative to /etc/apparmor.d/). For example:

               pre-start script
                       /lib/init/apparmor-profile-load usr.bin.foo
               end script

       If the confined application does not have an Upstart job but it starts before AppArmor's second stage initscript, then add a symlink from the policy file in /etc/apparmor.d to
       /etc/apparmor/init/network-interface-security/. For example:

               $ cd /etc/apparmor/init/network-interface-security/
               $ sudo ln -s /etc/apparmor.d/usr.bin.foo .

       The network-interface-security Upstart job will load all the symlinked policy files in /etc/apparmor/init/network-interface-security/ before any network interfaces come up. Because network interfaces
       come up very early in the boot process, this will help ensure that AppArmor policy is loaded before the confined application starts.

       In addition, AppArmor on Ubuntu stores policy in two places:

        1. /etc/apparmor.d for system policy
        2. /var/lib/apparmor/profiles for click policy

       See apparmor_parser(8) and aa-clickhook(1) for details.
Suggests: apparmor-profiles, apparmor-profiles-extra, apparmor-docs, apparmor-utils

       See apparmor_parser(8) and aa-clickhook(1) for details.
o call /lib/init/apparmor-profile-load with the filename of the policy file (relative to /etc/apparmor.d/). For example:

               pre-start script
                       /lib/init/apparmor-profile-load usr.bin.foo
               end script

       If the confined application does not have an Upstart job but it starts before AppArmor's second stage initscript, then add a symlink from the policy file in /etc/apparmor.d to
       /etc/apparmor/init/network-interface-security/. For example:

               $ cd /etc/apparmor/init/network-interface-security/
               $ sudo ln -s /etc/apparmor.d/usr.bin.foo .

       The network-interface-security Upstart job will load all the symlinked policy files in /etc/apparmor/init/network-interface-security/ before any network interfaces come up. Because network interfaces
       come up very early in the boot process, this will help ensure that AppArmor policy is loaded before the confined application starts.

       In addition, AppArmor on Ubuntu stores policy in two places:

        1. /etc/apparmor.d for system policy
        2. /var/lib/apparmor/profiles for click policyI expected to read how ubuntu policy load works and not how it worked in an old version. Instead I got how it works in 14.10 and earlier and could not read how apparmor policy is loaded. I think this should be updated.

       See apparmor_parser(8) and aa-clickhook(1) for details.

apparmor:
  Installed: 2.10-0ubuntu6
  Candidate: 2.10-0ubuntu6
  Version table:
 *** 2.10-0ubuntu6 0
        500 http://us.archive.ubuntu.com/ubuntu/ wily/main amd64 Packages
        100 /var/lib/dpkg/status
Description: Ubuntu Wily Werewolf (development branch)
Release: 15.10

I expected to read how ubuntu policy load works and not how it worked in an old version. Instead I got how it works in 14.10 and earlier and could not read how apparmor policy is loaded. I think this should be updated.

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: apparmor 2.10-0ubuntu6
ProcVersionSignature: Ubuntu 4.2.0-7.7-generic 4.2.0
Uname: Linux 4.2.0-7-generic x86_64
ApportVersion: 2.18.1-0ubuntu1
Architecture: amd64
CurrentDesktop: LXDE
Date: Sat Sep 12 20:44:10 2015
InstallationDate: Installed on 2014-09-30 (347 days ago)
InstallationMedia: Lubuntu 14.10 "Utopic Unicorn" - Alpha amd64 (20140930)
JournalErrors:
 No journal files were found.
 -- No entries --
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-4.2.0-7-generic root=/dev/sdb1 ro quiet splash nomdmonddf nomdmonisw nomdmonddf nomdmonisw nomdmonddf nomdmonisw nomdmonddf nomdmonisw nomdmonddf nomdmonisw nomdmonddf nomdmonisw nomdmonddf nomdmonisw nomdmonddf nomdmonisw
SourcePackage: apparmor
UpgradeStatus: Upgraded to wily on 2015-08-07 (36 days ago)

Lyn Perrine (walterorlin) wrote :
John Johansen (jjohansen) wrote :

yep, systemd documentation needs to be added.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Changed in apparmor (Ubuntu):
importance: Undecided → Medium
tags: added: bionic
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers