2009-10-31 10:07:48 |
Jose M. Albarrán |
bug |
|
|
added bug |
2009-11-03 11:54:30 |
Kenyon Ralph |
bind9 (Ubuntu): status |
New |
Confirmed |
|
2009-11-03 20:59:51 |
Jamie Strandboge |
bind9 (Ubuntu): status |
Confirmed |
Incomplete |
|
2009-11-03 20:59:51 |
Jamie Strandboge |
bind9 (Ubuntu): assignee |
|
Jamie Strandboge (jdstrand) |
|
2009-11-03 22:13:21 |
Kenyon Ralph |
bind9 (Ubuntu): status |
Incomplete |
Confirmed |
|
2009-11-03 22:53:34 |
Jamie Strandboge |
bind9 (Ubuntu): status |
Confirmed |
Incomplete |
|
2009-11-04 00:09:31 |
Brendan Martens |
attachment added |
|
contents of apparmor.d http://launchpadlibrarian.net/35062000/466315.tar.gz |
|
2009-11-04 00:12:12 |
Kenyon Ralph |
attachment added |
|
etc-apparmor.d-with-apparmor-profiles.tar.gz http://launchpadlibrarian.net/35062090/etc-apparmor.d-with-apparmor-profiles.tar.gz |
|
2009-11-04 00:12:12 |
Kenyon Ralph |
attachment added |
|
etc-apparmor.d-without-apparmor-profiles.tar.gz http://launchpadlibrarian.net/35062091/etc-apparmor.d-without-apparmor-profiles.tar.gz |
|
2009-11-04 00:15:36 |
Kenyon Ralph |
bind9 (Ubuntu): status |
Incomplete |
Confirmed |
|
2009-11-04 00:18:54 |
Kenyon Ralph |
summary |
bind9 missed a dependency with apparmor-profiles |
bind9 jaunty to karmic upgrade causes initial apparmor audit with openssl.cnf, seems fixed by installing apparmor-profiles but not really |
|
2009-11-10 18:41:28 |
Jamie Strandboge |
bind9 (Ubuntu): status |
Confirmed |
Incomplete |
|
2009-11-10 19:17:20 |
Kenyon Ralph |
bind9 (Ubuntu): status |
Incomplete |
Confirmed |
|
2009-11-10 21:13:28 |
Jamie Strandboge |
bind9 (Ubuntu): status |
Confirmed |
Triaged |
|
2009-11-10 21:13:51 |
Jamie Strandboge |
bind9 (Ubuntu): importance |
Undecided |
Medium |
|
2009-11-10 21:14:13 |
Jamie Strandboge |
bind9 (Ubuntu): assignee |
Jamie Strandboge (jdstrand) |
LaMont Jones (lamont) |
|
2009-11-10 21:15:15 |
Jamie Strandboge |
summary |
bind9 jaunty to karmic upgrade causes initial apparmor audit with openssl.cnf, seems fixed by installing apparmor-profiles but not really |
bind9 apparmor cache files not regenerated on upgrade |
|
2009-11-11 23:02:36 |
Kees Cook |
affects |
bind9 (Ubuntu) |
apparmor (Ubuntu) |
|
2009-11-11 23:02:36 |
Kees Cook |
apparmor (Ubuntu): assignee |
LaMont Jones (lamont) |
Kees Cook (kees) |
|
2009-11-19 23:56:10 |
Jamie Strandboge |
summary |
bind9 apparmor cache files not regenerated on upgrade |
apparmor cache files not regenerated on upgrade |
|
2009-12-04 07:21:32 |
Kees Cook |
apparmor (Ubuntu): status |
Triaged |
In Progress |
|
2009-12-08 00:10:15 |
Kees Cook |
description |
Binary package hint: bind9
If you have installed apparmor, and install bind9, this fails to start complaining about access denied (openssl.cnf file the first time, named.pid in other configurations).
The problem is that bind9 doesn't install an apparmor profile.
If you install apparmor-profiles packages, the problem solves.
Then, maybe it has to have a dependency (or install an apparmor bind profile specifically).
In my case, it has been detecting after upgrading from 9.04 to 9.10. |
Binary package hint: bind9
If you have installed apparmor, and install bind9, this fails to start complaining about access denied (openssl.cnf file the first time, named.pid in other configurations).
The problem is that bind9 doesn't install an apparmor profile.
If you install apparmor-profiles packages, the problem solves.
Then, maybe it has to have a dependency (or install an apparmor bind profile specifically).
In my case, it has been detecting after upgrading from 9.04 to 9.10.
TEST CASE: (all commands should exit 0: the touch "touch" will rewind "modified" but not "changed" time, so a fixed parser will still regenerate the cache.)
$ sudo -s
# cat >/etc/apparmor.d/tmp.test <<EOF
#include <tunables/global>
/tmp/test {
#include <abstractions/base>
}
EOF
# sleep 1
# service apparmor reload
# test /etc/apparmor.d/cache/tmp.test -nt /etc/apparmor.d/tmp.test
# THEN=$(mktemp -t now-XXXXXX)
# sleep 1
# touch -t 200901010101 /etc/apparmor.d/tmp.test
# apparmor_parser -r -W /etc/apparmor.d/tmp.test
# test /etc/apparmor.d/cache/tmp.test -nt $THEN
# apparmor_parser -R /etc/apparmor.d/tmp.test
# rm /etc/apparmor.d/{,cache}/tmp.test $THEN
|
|
2009-12-11 17:29:47 |
Kees Cook |
apparmor (Ubuntu): status |
In Progress |
Fix Committed |
|
2009-12-11 17:32:27 |
Kees Cook |
description |
Binary package hint: bind9
If you have installed apparmor, and install bind9, this fails to start complaining about access denied (openssl.cnf file the first time, named.pid in other configurations).
The problem is that bind9 doesn't install an apparmor profile.
If you install apparmor-profiles packages, the problem solves.
Then, maybe it has to have a dependency (or install an apparmor bind profile specifically).
In my case, it has been detecting after upgrading from 9.04 to 9.10.
TEST CASE: (all commands should exit 0: the touch "touch" will rewind "modified" but not "changed" time, so a fixed parser will still regenerate the cache.)
$ sudo -s
# cat >/etc/apparmor.d/tmp.test <<EOF
#include <tunables/global>
/tmp/test {
#include <abstractions/base>
}
EOF
# sleep 1
# service apparmor reload
# test /etc/apparmor.d/cache/tmp.test -nt /etc/apparmor.d/tmp.test
# THEN=$(mktemp -t now-XXXXXX)
# sleep 1
# touch -t 200901010101 /etc/apparmor.d/tmp.test
# apparmor_parser -r -W /etc/apparmor.d/tmp.test
# test /etc/apparmor.d/cache/tmp.test -nt $THEN
# apparmor_parser -R /etc/apparmor.d/tmp.test
# rm /etc/apparmor.d/{,cache}/tmp.test $THEN
|
impact: people upgrading from Jaunty to Karmic will see some services fail to start due to outdated profiles not correctly being loaded (specifically, this happens for bind9).
how the bug has been addressed: backported upstream fixes that use ctime instead of mtime when examining profiles for if they are out of date compared to the cache files.
regression potential: low: the change is small, there are upstream tests, and the test case below demonstrates the fix.
TEST CASE: (all commands should exit 0: the touch "touch" will rewind "modified" but not "changed" time, so a fixed parser will still regenerate the cache.)
$ sudo -s
# cat >/etc/apparmor.d/tmp.test <<EOF
#include <tunables/global>
/tmp/test {
#include <abstractions/base>
}
EOF
# sleep 1
# service apparmor reload
# test /etc/apparmor.d/cache/tmp.test -nt /etc/apparmor.d/tmp.test
# THEN=$(mktemp -t now-XXXXXX)
# sleep 1
# touch -t 200901010101 /etc/apparmor.d/tmp.test
# apparmor_parser -r -W /etc/apparmor.d/tmp.test
# test /etc/apparmor.d/cache/tmp.test -nt $THEN
# apparmor_parser -R /etc/apparmor.d/tmp.test
# rm /etc/apparmor.d/{,cache}/tmp.test $THEN
Original bug description:
Binary package hint: bind9
If you have installed apparmor, and install bind9, this fails to start complaining about access denied (openssl.cnf file the first time, named.pid in other configurations).
The problem is that bind9 doesn't install an apparmor profile.
If you install apparmor-profiles packages, the problem solves.
Then, maybe it has to have a dependency (or install an apparmor bind profile specifically).
In my case, it has been detecting after upgrading from 9.04 to 9.10.
|
|
2009-12-11 17:32:43 |
Kees Cook |
nominated for series |
|
Ubuntu Karmic |
|
2009-12-11 17:32:43 |
Kees Cook |
bug task added |
|
apparmor (Ubuntu Karmic) |
|
2009-12-11 17:32:43 |
Kees Cook |
nominated for series |
|
Ubuntu Lucid |
|
2009-12-11 17:32:43 |
Kees Cook |
bug task added |
|
apparmor (Ubuntu Lucid) |
|
2009-12-11 17:32:56 |
Kees Cook |
apparmor (Ubuntu Karmic): status |
New |
Fix Committed |
|
2009-12-11 17:33:00 |
Kees Cook |
apparmor (Ubuntu Karmic): importance |
Undecided |
Medium |
|
2009-12-11 17:33:05 |
Kees Cook |
apparmor (Ubuntu Lucid): status |
Fix Committed |
Fix Released |
|
2009-12-11 17:33:07 |
Kees Cook |
apparmor (Ubuntu Karmic): assignee |
|
Kees Cook (kees) |
|
2009-12-11 17:35:58 |
Kees Cook |
description |
impact: people upgrading from Jaunty to Karmic will see some services fail to start due to outdated profiles not correctly being loaded (specifically, this happens for bind9).
how the bug has been addressed: backported upstream fixes that use ctime instead of mtime when examining profiles for if they are out of date compared to the cache files.
regression potential: low: the change is small, there are upstream tests, and the test case below demonstrates the fix.
TEST CASE: (all commands should exit 0: the touch "touch" will rewind "modified" but not "changed" time, so a fixed parser will still regenerate the cache.)
$ sudo -s
# cat >/etc/apparmor.d/tmp.test <<EOF
#include <tunables/global>
/tmp/test {
#include <abstractions/base>
}
EOF
# sleep 1
# service apparmor reload
# test /etc/apparmor.d/cache/tmp.test -nt /etc/apparmor.d/tmp.test
# THEN=$(mktemp -t now-XXXXXX)
# sleep 1
# touch -t 200901010101 /etc/apparmor.d/tmp.test
# apparmor_parser -r -W /etc/apparmor.d/tmp.test
# test /etc/apparmor.d/cache/tmp.test -nt $THEN
# apparmor_parser -R /etc/apparmor.d/tmp.test
# rm /etc/apparmor.d/{,cache}/tmp.test $THEN
Original bug description:
Binary package hint: bind9
If you have installed apparmor, and install bind9, this fails to start complaining about access denied (openssl.cnf file the first time, named.pid in other configurations).
The problem is that bind9 doesn't install an apparmor profile.
If you install apparmor-profiles packages, the problem solves.
Then, maybe it has to have a dependency (or install an apparmor bind profile specifically).
In my case, it has been detecting after upgrading from 9.04 to 9.10.
|
impact: people upgrading from Jaunty to Karmic will see some services fail to start due to outdated profiles not correctly being loaded (specifically, this happens for bind9).
how the bug has been addressed: backported upstream fixes that use ctime instead of mtime when examining profiles for if they are out of date compared to the cache files.
regression potential: low: the change is small, there are upstream tests, and the test case below demonstrates the fix.
TEST CASE: (all commands should exit 0: the "touch" will rewind "modified" but not "changed" time, so a fixed parser will still regenerate the cache.)
Run with sudo:
#!/bin/bash
set -e
cat >/etc/apparmor.d/tmp.test <<EOF
#include <tunables/global>
/tmp/test {
#include <abstractions/base>
}
EOF
sleep 1
service apparmor reload
test /etc/apparmor.d/cache/tmp.test -nt /etc/apparmor.d/tmp.test
THEN=$(mktemp -t now-XXXXXX)
sleep 1
touch -t 200901010101 /etc/apparmor.d/tmp.test
apparmor_parser -r -W /etc/apparmor.d/tmp.test
set +e
test /etc/apparmor.d/cache/tmp.test -nt $THEN
rc=$?
set -e
apparmor_parser -R /etc/apparmor.d/tmp.test
rm /etc/apparmor.d/{,cache}/tmp.test $THEN
if [ $rc -ne 0 ]; then
echo FAIL
exit 1
fi
echo ok
Original bug description:
Binary package hint: bind9
If you have installed apparmor, and install bind9, this fails to start complaining about access denied (openssl.cnf file the first time, named.pid in other configurations).
The problem is that bind9 doesn't install an apparmor profile.
If you install apparmor-profiles packages, the problem solves.
Then, maybe it has to have a dependency (or install an apparmor bind profile specifically).
In my case, it has been detecting after upgrading from 9.04 to 9.10.
|
|
2009-12-15 07:54:43 |
Martin Pitt |
tags |
apparmor |
apparmor verification-needed |
|
2009-12-16 09:29:26 |
Martin Pitt |
tags |
apparmor verification-needed |
apparmor verification-done |
|
2009-12-21 15:58:13 |
Launchpad Janitor |
apparmor (Ubuntu Karmic): status |
Fix Committed |
Fix Released |
|
2010-01-11 05:50:31 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/karmic-proposed/apparmor |
|