Incorrect warning from apparmor_parser on force complained profiles

Bug #1899218 reported by Emilia Torino
18
This bug affects 3 people
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Undecided
John Johansen

Bug Description

apparmor_parser on a force complained profile produces an incorrect warning message:

$ sudo apparmor_parser -rW /etc/apparmor.d/usr.sbin.sssd
Warning: found usr.sbin.sssd in /etc/apparmor.d/force-complain, forcing complain mode
Warning from /etc/apparmor.d/usr.sbin.sssd (/etc/apparmor.d/usr.sbin.sssd line 54): Warning failed to create cache: usr.sbin.sssd

Even though not generating the cache at all is expected, the warning should describe caching is disabled for force complained profiles instead of failure to create it.

$ lsb_release -rd
Description: Ubuntu Groovy Gorilla (development branch)
Release: 20.10

$ apt-cache policy apparmor
apparmor:
  Installed: 3.0.0~beta1-0ubuntu6
  Candidate: 3.0.0~beta1-0ubuntu6
  Version table:
 *** 3.0.0~beta1-0ubuntu6 500
        500 http://archive.ubuntu.com/ubuntu groovy/main amd64 Packages
        100 /var/lib/dpkg/status

summary: - Incorrect warning from sudo apparmor_parser -rW
- /etc/apparmor.d/usr.sbin.sssd
+ Incorrect warning from apparmor_parser -rW /etc/apparmor.d/usr.sbin.sssd
description: updated
summary: - Incorrect warning from apparmor_parser -rW /etc/apparmor.d/usr.sbin.sssd
+ Incorrect warning from apparmor_parser on force complained profiles
Revision history for this message
John Johansen (jjohansen) wrote :
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

FYI, this is part of the groovy upload in unapproved.

Changed in apparmor (Ubuntu):
status: New → Fix Committed
assignee: nobody → John Johansen (jjohansen)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 3.0.0-0ubuntu1

---------------
apparmor (3.0.0-0ubuntu1) groovy; urgency=medium

  [ Alex Murray ]
  * Update to the final AppArmor 3.0 upstream release
    - d/apparmor.install:
      + install new aa-features-abi binary to /usr/bin
    - d/apparmor.manpages:
      + install new aa-features-abi.1 man page
    - d/apparmor-profiles.install:
      + install new usr.lib.dovecot.script-login
      + adjust for renamed postfix profiles
    - d/tests/test-installed:
      + include libraries/ in workdir so tests have access to private
        headers
    - Drop the following patches that were originally backported from
      upstream but are now incorporated in the final release:
      + d/p/parser-fix_cap_match.patch
      + d/p/policy-provide-example-and-base-abi-to-pin-pre-3.0-p.patch
      + d/p/parser-add-abi-warning-flags.patch
      + d/p/fix-tests-regression-apparmor-prologue-inc-settest.patch
      + d/p/fix-automatic-adding-of-rule-for-change-hat-iface.patch
      + d/p/fix-parser-to-emit-proc-attr-access-for-all-situations.patch
      + d/p/fix-change-profile-stack-abstraction.patch
      + d/p/ubuntu/stop-loading-snapd-profiles.patch

  [ Emilia Torino ]
  * d/control: adjust apparmor-notify to depends on python3-psutil and
    python3-apparmor (LP: #1899046)

  [ Steve Beattie ]
  * d/p/u/parser-Fix-warning-message-when-complain-mode-is-for.patch:
    Provide better message about caching not happening due to a profile
    being in force-complain mode. (LP: #1899218)

 -- Alex Murray <email address hidden> Sun, 11 Oct 2020 16:26:32 -0700

Changed in apparmor (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Just saw this in bionic, I guess it's not important enough for an SRU?

# apparmor_parser -r -T -W --Complain /etc/apparmor.d/pam_roles /etc/apparmor.d/usr.sbin.sshd
Warning failed to create cache: pam_roles
Warning failed to create cache: usr.sbin.sshd

Revision history for this message
Kodiak Firesmith (kodiakf) wrote :

+1 Ubuntu 20.04 LTS server

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers