Ubuntu
apparmor package

man apparmor still assumes upstart as init

Bug #1495170 reported by Lyn Perrine on 2015-09-13

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	apparmor (Ubuntu)	Confirmed	Medium	Unassigned

Bug Description

To reproduce in a terminal or shell run man apparmor. In the section Ubunut policy load assumes upstart as in 14.10 and earlier.

To copy the section from the man page it is

UBUNTU POLICY LOAD
Ubuntu systems use upstart(8) instead of a traditional SysV init system. Because upstart is an event-driven init system and understanding that policy must be loaded before execution, Ubuntu loads
policy in two ways:

1. via upstart jobs for services started during the boot process
2. via the AppArmor upstart job for any remaining policy

The AppArmor upstart job is configured to make sure all policy is loaded before any user sessions start. When developing policy it is important to know how your application is started and if policy
load should be handled specially.

The upstart job may be call with or without arguments, like so:

               $ sudo start apparmor
               $ sudo start apparmor ACTION=clear # clear policy cache
               $ sudo start apparmor ACTION=teardown # unload all policy
               $ sudo start apparmor ACTION=reload # reload policy
               $ sudo start apparmor ACTION=force-reload # same as 'reload'

Because the job is an upstart(8) task, use 'start apparmor ACTION=teardown' to unload all policy.

In general, nothing extra has to be done for applications not started during boot or those that start after AppArmor's upstart job.

       If the confined application has an Upstart job, adjust the job tUBUNTU POLICY LOAD
       Ubuntu systems use upstart(8) instead of a traditional SysV init system. Because upstart is an event-driven init system and understanding that policy must be loaded before execution, Ubuntu loads
       policy in two ways:

1. via upstart jobs for services started during the boot process
2. via the AppArmor upstart job for any remaining policy

The upstart job may be call with or without arguments, like so:

Because the job is an upstart(8) task, use 'start apparmor ACTION=teardown' to unload all policy.

In general, nothing extra has to be done for applications not started during boot or those that start after AppArmor's upstart job.

If the confined application has an Upstart job, adjust the job to call /lib/init/apparmor-profile-load with the filename of the policy file (relative to /etc/apparmor.d/). For example:

               pre-start script
                       /lib/init/apparmor-profile-load usr.bin.foo
               end script

If the confined application does not have an Upstart job but it starts before AppArmor's second stage initscript, then add a symlink from the policy file in /etc/apparmor.d to
/etc/apparmor/init/network-interface-security/. For example:

$ cd /etc/apparmor/init/network-interface-security/
$ sudo ln -s /etc/apparmor.d/usr.bin.foo .

The network-interface-security Upstart job will load all the symlinked policy files in /etc/apparmor/init/network-interface-security/ before any network interfaces come up. Because network interfaces
come up very early in the boot process, this will help ensure that AppArmor policy is loaded before the confined application starts.

In addition, AppArmor on Ubuntu stores policy in two places:

        1. /etc/apparmor.d for system policy
        2. /var/lib/apparmor/profiles for click policy
UBUNTU POLICY LOAD
       Ubuntu systems use upstart(8) instead of a traditional SysV init system. Because upstart is an event-driven init system and understanding that policy must be loaded before execution, Ubuntu loads
       policy in two ways: