Comment 3 for bug 1594695

Roman Fiedler (roman-fiedler-deactivatedaccount) wrote :

Sorry for the delay.

No, we have an automatic setup system creating each machine from scratch. In this primary install, the dpkg log seems to have the following sequence (see attachment, produced with "grep -E -e '(lxc|apparmor)' /var/log/dpkg.log").

As you can see, "libapparmor" is already unpacked in the debootstrap template (which was used to create a 60MB minimal system tgz for bootstrap initialization). But that should not hurt.

"apparmor" and "libapparmor-perl" are then installed as dependency from "lxc" package (same timestamp).

The "aa-status" after lxc install and before restarting apparmor manually:

apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

Status after manual start (funny: other processes also stay unconfined, because they were started earlier - is it easy to "hook" a restart of those when apparmor is installed?
Also: there are NetworkManager profiles without the nm package or whatsoever installed):

# aa-status
apparmor module is loaded.
10 profiles are loaded.
10 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/lxc-start
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/ntpd
   lxc-container-default
   lxc-container-default-cgns
   lxc-container-default-with-mounting
   lxc-container-default-with-nesting
0 profiles are in complain mode.
1 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/sbin/ntpd (1992)

Maybe LXC is just draining our attention from the real problem: under some circumstances, apparmor installs do not activate the profile.

I will create a plain install medium, just installing an empty machine with just the apparmor package, and see if it shows the same behaviour.
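As an added example (not the bug reporter's code), a small Python parser for aa-status output that flags the two states shown in this comment: nothing loaded after the package install, and processes that stay unconfined although a profile for them is now loaded. The sample texts are constructed to match the output quoted above.

```python
import re
# Constructed samples, shaped like the two aa-status outputs quoted in the comment.
SAMPLE_NO_PROFILES = """apparmor module is loaded.
0 profiles are loaded.
0 processes are unconfined but have a profile defined.
"""
SAMPLE_AFTER_START = """apparmor module is loaded.
10 profiles are loaded.
10 profiles are in enforce mode.
   /sbin/dhclient
   /usr/sbin/ntpd
   lxc-container-default
1 processes have profiles defined.
1 processes are unconfined but have a profile defined.
   /usr/sbin/ntpd (1992)
"""
COUNT_RE = re.compile(r"^(\d+) (profiles|processes) (?:are|have) (.+)\.$")
PROC_RE = re.compile(r"^(\S+) \((\d+)\)$")

def parse_aa_status(text):
    """Parse aa-status text into the module flag, per-section counts and indented entries."""
    parsed = {"module_loaded": False, "counts": {}, "sections": {}}
    section = None
    for line in text.splitlines():
        if line.startswith("apparmor module is loaded"):
            parsed["module_loaded"] = True
        elif (m := COUNT_RE.match(line)):
            section = f"{m.group(2)} {m.group(3)}"  # e.g. "profiles in enforce mode"
            parsed["counts"][section] = int(m.group(1))
            parsed["sections"][section] = []
        elif section and line.startswith(" "):  # indented lines belong to the current section
            parsed["sections"][section].append(line.strip())
    return parsed

def unconfined_with_profile(text):
    """Processes a loaded profile applies to but that started before the profile was loaded."""
    key = "processes unconfined but have a profile defined"
    entries = parse_aa_status(text)["sections"].get(key, [])
    return [(m.group(1), int(m.group(2))) for e in entries if (m := PROC_RE.match(e))]

def check_after_install(text):
    """Findings a post-install check should raise for the two states seen in the comment."""
    parsed = parse_aa_status(text)
    findings = []
    if not parsed["module_loaded"]:
        findings.append("apparmor module is not loaded")
    if parsed["counts"].get("profiles loaded", 0) == 0:
        findings.append("no profiles loaded: installed profiles were not activated")
    for path, pid in unconfined_with_profile(text):
        findings.append(f"{path} (pid {pid}) runs unconfined but has a profile; restart it to confine")
    return findings
```

Run it against real `aa-status` output (as root) from a post-install hook to catch the "installed but not activated" case before the machine goes into service.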