Does not use preseeded debconf value for apparmor/homedirs

Bug #561694 reported by Daniel Richard G. on 2010-04-12
This bug affects 1 person
Affects: apparmor (Ubuntu) | Importance: Medium | Assigned to: Jamie Strandboge
Affects: Lucid | Importance: Medium | Assigned to: Jamie Strandboge

Bug Description

SRU Justification

1. impact of the bug is medium for stable releases, as not being able to preseed the home tunable is a longstanding bug that was intended to be fixed in Lucid.

2. This was first fixed in Maverick during its development cycle.

3. Patch is very small-- it simply removes a chunk of faulty logic from the preinst.

4. TEST CASE:
$ cat /etc/apparmor.d/tunables/home.d/ubuntu | grep '^@' # should return nothing
$ printf 'apparmor\tapparmor/homedirs\tstring\t/myhome/\n' | sudo debconf-set-selections
$ sudo dpkg-reconfigure -p high apparmor
$ cat /etc/apparmor.d/tunables/home.d/ubuntu | grep '^@'

At this point '/myhome/' should be in /etc/apparmor.d/tunables/home.d/ubuntu, but it is not.

5. The regression potential of the patch is low, as it removes code from the apparmor preinst to fix a feature introduced in Lucid that never worked.

Binary package hint: apparmor

This concerns apparmor 2.5-0ubuntu3 in Ubuntu Lucid beta1.

I am preseeding the debconf database of an Ubuntu install with a custom value for the apparmor/homedirs selection. When I then go to configure the package, however, the preseeded value is not given as the default answer, as expected---instead, the answer is blank.

# printf 'apparmor\tapparmor/homedirs\tstring\t/myhome/\n' | debconf-set-selections
# dpkg-reconfigure apparmor

What appears to be happening is that the debconf question takes the default value from /etc/apparmor.d/tunables/home.d/ubuntu (the file that is modified as a result of the question) instead of the debconf database. This behavior is at least questionable, and when a blank value overrides a preseeded debconf value, clearly incorrect.
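
The precedence problem described above, modelled in shell as an added example (not the apparmor package's maintainer-script code and not part of the original report). The `@{HOMEDIRS}+=` line format and all function names are assumptions made for illustration; no real debconf calls are made.

```shell
#!/bin/sh
# Added illustration: models only the choice of default answer.
# Function names and the "@{HOMEDIRS}+=" line format are assumptions.

# Print the value of the last "@{HOMEDIRS}+=" line in a tunables file
# (empty output when the file is unreadable or has no such line).
tunable_value() {   # $1 = tunables file
    [ -r "$1" ] || return 0
    sed -n 's/^@{HOMEDIRS}+=//p' "$1" | tail -n 1
}

# Reported behaviour: an existing file supplies the default, so a file
# without an "@" line blanks out whatever was preseeded.
default_before_fix() {   # $1 = value in debconf db, $2 = tunables file
    if [ -e "$2" ]; then
        tunable_value "$2"
    else
        printf '%s\n' "$1"
    fi
}

# Fixed behaviour per the changelog: always use what is in debconf.
default_after_fix() {   # $1 = value in debconf db ($2 is ignored)
    printf '%s\n' "$1"
}

# Last step of the TEST CASE as a check: succeeds only when the file
# carries the preseeded value.
preseed_written() {   # $1 = preseeded value, $2 = tunables file
    [ -n "$1" ] && [ "$(tunable_value "$2")" = "$1" ]
}

demo() {
    f=$(mktemp)
    # Constructed sample: a tunables file holding comments only.
    printf '# constructed sample, no @ line\n' > "$f"
    echo "before fix: '$(default_before_fix /myhome/ "$f")'"
    echo "after fix:  '$(default_after_fix /myhome/ "$f")'"
    rm -f "$f"
}
demo
```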


Kees Cook (kees) on 2010-06-05
Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Confirmed
importance: Undecided → Medium
Changed in apparmor (Ubuntu):
status: Confirmed → In Progress
Changed in apparmor (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.5.1~pre1393-0ubuntu5

---------------
apparmor (2.5.1~pre1393-0ubuntu5) maverick; urgency=low

  * debian/patches/0007-lp605835.patch: allow ca-certificates in ssl_certs
    abstraction (LP: #605835)
  * debian/patches/0008-lp601583.patch: adjust X abstraction for newer gdm
    (LP: #601583)
  * debian/patches/0009-lp565753.patch: add ubuntu-feed-readers abstraction
    and have ubuntu-browsers.d/multimedia use it (LP: #565753)
  * debian/apparmor.config: don't try to read in the existing value from
    /etc/apparmor.d/tunables/home.d/ubuntu, but instead always use what is
    in debconf. (LP: #561694)
  * add aa-update-browser for giving a programmatic way to update browser
    profiles to use browser abstractions
    - add debian/aa-update-browser
    - add debian/aa-update-browser.8
    - debian/rules: install aa-update-browser*
  * debian/patches/0003-ubuntu-browsers-d.patch: updated to generalize java
    child profile names
  * debian/patches/0010-fix-release.patch: update common/Make.rules to use
    Canonical Ltd in generated documentation
 -- Jamie Strandboge <email address hidden> Wed, 11 Aug 2010 09:24:23 -0500

Changed in apparmor (Ubuntu):
status: Fix Committed → Fix Released
Changed in apparmor (Ubuntu Lucid):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Medium
milestone: none → lucid-updates
status: New → In Progress
Jamie Strandboge (jdstrand) wrote :

SRU Justification

1. impact of the bug is medium for stable releases, as not being able to preseed the home tunable is a longstanding bug that was intended to be fixed in Lucid.

2. This has been addressed in the development branch

3. Patch is very small-- it simply removes a chunk of faulty logic from the preinst.

4. TEST CASE:
$ cat /etc/apparmor.d/tunables/home.d/ubuntu | grep '^@' # should return nothing
$ printf 'apparmor\tapparmor/homedirs\tstring\t/myhome/\n' | sudo debconf-set-selections
$ sudo dpkg-reconfigure -p high apparmor
$ cat /etc/apparmor.d/tunables/home.d/ubuntu | grep '^@'

At this point '/myhome/' should be in /etc/apparmor.d/tunables/home.d/ubuntu, but it is not.

5. The regression potential of the patch is low, as it removes code from the apparmor preinst to fix a feature introduced in Lucid that never worked.

Jamie Strandboge (jdstrand) wrote :

> 2. This has been addressed in the development branch

To be more precise, this was first fixed in Maverick during its development cycle.

description: updated

Accepted apparmor into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in apparmor (Ubuntu Lucid):
status: In Progress → Fix Committed
tags: added: verification-needed
Jamie Strandboge (jdstrand) wrote :

Upgraded to 2.5.1-0ubuntu0.10.04.1 in lucid-proposed and this issue is resolved.

Martin Pitt (pitti) on 2010-12-14
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.5.1-0ubuntu0.10.04.1

---------------
apparmor (2.5.1-0ubuntu0.10.04.1) lucid-proposed; urgency=low

  * Backport 2.5.1-0ubuntu0.10.10.1 from maverick for userspace tools to work
    with newer kernels (LP: #660077)
    NOTE: user-tmp now uses 'owner' match, so non-default profiles will have
    to be adjusted when 2 separately confined applications that both use the
    user-tmp abstraction depend on being able to cooperatively share files
    with each other in /tmp or /var/tmp.
  * remove the following patches (features not appropriate for SRU):
    - 0002-add-chromium-browser.patch
    - 0003-local-includes.patch
    - 0004-ubuntu-abstractions-updates.patch
  * debian/rules (this makes it the same as what was shipped in 10.04 LTS
    release):
    - don't ship aa-update-browser and its man page (requires
      0004-ubuntu-abstractions-updates.patch)
    - don't ship apparmor.d/local/ (requires 0003-local-includes.patch)
    - don't use dh_apparmor (not in Ubuntu 10.04 LTS)
    - don't ship chromium profile
  * remove debian/profiles/chromium-browser
  * remove debian/aa-update-browser*
  * debian/apparmor-profiles.postinst: revert to that in lucid release
    (requires dh_apparmor and 0002-add-chromium-browser.patch)
  * remove debian/apparmor-profiles.postrm: doesn't make sense without
    0002-add-chromium-browser.patch
  * debian/control:
    - revert Build-Depends on debhelper (>= 5)
    - revert Standards-Version to 3.8.4
    - revert Vcs-Bzr
    - use Conflicts/Replaces version that was in Ubuntu 10.04 LTS
  * debian/patches/0011-lucid-compat-dbus.patch: move /var/lib/dbus/machine-id
    back into dbus, since profiles on 10.04 LTS expect it there
  * debian/patches/0012-lucid-compat-kde.patch: add kde4-config to kde
    abstraction, since the firefox profile on Ubuntu 10.04 LTS expects it to
    be there

apparmor (2.5.1-0ubuntu0.10.10.2) maverick-proposed; urgency=low

  * New upstream release (LP: #660077)
    - The following patches were refreshed:
      + 0001-fix-release.patch
      + 0003-local-includes.patch
      + 0004-ubuntu-abstractions-updates.patch
      + 0008-lp648900.patch: renamed as 0005-lp648900.patch
    - The following patches were dropped (included upstream):
      + 0005-lp601583.patch
      + 0006-network-interface-enumeration.patch
      + 0007-gnome-updates.patch
  * debian/patches/0006-testsuite-fixes.patch: testsuite fixes from head
    of 2.5 branch. These are needed for QRT and SRU testing (LP: #652211)
  * debian/patches/0007-honor-cflags.patch: have the parser makefile honor
    CFLAGS environment variable. Brings back missing symbols for the retracer
  * debian/patches/0008-lp652674.patch: fix warnings for messages without
    denied or requested masks (LP: #652674)
  * debian/apparmor.init: fix path to aa-status (LP: #654841)
  * debian/apport/source_apparmor.py: apport hook should use
    root_command_hook() for running apparmor_status (LP: #655529)
  * debian/apport/source_apparmor.py: use ProcKernelCmdline and don't clobber
    cmdline details (LP: #657091)
  * debian/{rules,control}: move apache2 abstractions into the base package
    so we can put ...

Changed in apparmor (Ubuntu Lucid):
status: Fix Committed → Fix Released