Ubuntu
apparmor package

AppArmor profiles need updates for /var/run → /run and /var/lock → /run/lock and /dev/shm → /run/shm

Bug #810270 reported by Micah Gersten on 2011-07-14
64
This bug affects 15 people
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Fix Released
High
Jamie Strandboge
Ubuntu oneiric-alpha-3
Oneiric
Fix Released
High
Jamie Strandboge
Ubuntu oneiric-alpha-3
bind9 (Ubuntu)
Fix Released
High
Martin Pitt
Ubuntu oneiric-alpha-3
Oneiric
Fix Released
High
Martin Pitt
Ubuntu oneiric-alpha-3
clamav (Ubuntu)
Fix Released
High
Jamie Strandboge
Ubuntu oneiric-alpha-3
Oneiric
Fix Released
High
Jamie Strandboge
Ubuntu oneiric-alpha-3
cups (Ubuntu)
Fix Released
High
Martin Pitt
Ubuntu oneiric-alpha-3
Oneiric
Fix Released
High
Martin Pitt
Ubuntu oneiric-alpha-3
gdm-guest-session (Ubuntu)
Fix Released
High
Jamie Strandboge
Ubuntu oneiric-alpha-3
Oneiric
Fix Released
High
Jamie Strandboge
Ubuntu oneiric-alpha-3
isc-dhcp (Ubuntu)
Fix Released
High
Jamie Strandboge
Ubuntu oneiric-alpha-3
Oneiric
Fix Released
High
Jamie Strandboge
Ubuntu oneiric-alpha-3
libvirt (Ubuntu)
Fix Released
High
Jamie Strandboge
Ubuntu oneiric-alpha-3
Oneiric
Fix Released
High
Jamie Strandboge
Ubuntu oneiric-alpha-3
mysql-5.1 (Ubuntu)
Fix Released
High
Martin Pitt
Ubuntu oneiric-alpha-3
Oneiric
Fix Released
High
Martin Pitt
Ubuntu oneiric-alpha-3
ntp (Ubuntu)
Fix Released
High
Martin Pitt
Ubuntu oneiric-alpha-3
Oneiric
Fix Released
High
Martin Pitt
Ubuntu oneiric-alpha-3
openldap (Ubuntu)
Fix Released
High
Martin Pitt
Ubuntu oneiric-alpha-3
Oneiric
Fix Released
High
Martin Pitt
Ubuntu oneiric-alpha-3
Also affects project (?) Also affects distribution/package Nominate for series

Bug Description

Figured I'd file a tracking bug for this. The symlink exists from /var/run to /run, but I'm guessing the profiles don't like this. The main problems I've seen so far are cups and dhclient (which I think are both profiles in their respective packages).

Martin Pitt (pitti) wrote :

Example:

Jul 14 11:27:50 localhost kernel: [ 8660.404355] type=1400 audit(1310635670.401:12064): apparmor="DENIED" operation="chown" parent=1 profile="/usr/sbin/cupsd" name="/run/cups/" pid=6276 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jul 14 11:27:50 localhost kernel: [ 8660.404469] type=1400 audit(1310635670.401:12065): apparmor="DENIED" operation="chown" parent=1 profile="/usr/sbin/cupsd" name="/run/cups/certs/" pid=6276 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jul 14 11:27:50 localhost kernel: [ 8660.443356] type=1400 audit(1310635670.441:12066): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/cupsd" name="/run/cups/printcap" pid=6276 comm="cupsd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Jul 14 11:27:50 localhost kernel: [ 8660.445231] type=1400 audit(1310635670.441:12067): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/cupsd" name="/run/cups/cups.sock" pid=6276 comm="cupsd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Jul 14 11:27:50 localhost kernel: [ 8660.445362] type=1400 audit(1310635670.441:12068): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/cupsd" name="/run/cups/cupsd.pid" pid=6276 comm="cupsd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

Martin Pitt (pitti) wrote :

sbin.dhclient and usr.sbin.cupsd profiles also refer to /var/run/, adding tasks for these as well.

Changed in cups (Ubuntu):
status: New → Triaged
Changed in apparmor (Ubuntu):
status: New → Triaged
Changed in isc-dhcp (Ubuntu):
status: New → Triaged
summary: - /run transition wreaking havoc on profiles
+ AppArmor profiles need updates for /var/run → /run
Changed in apparmor (Ubuntu):
importance: Undecided → High
Changed in cups (Ubuntu):
importance: Undecided → High
Changed in isc-dhcp (Ubuntu):
importance: Undecided → High
Changed in apparmor (Ubuntu Oneiric):
assignee: nobody → Martin Pitt (pitti)
Changed in cups (Ubuntu Oneiric):
assignee: nobody → Martin Pitt (pitti)
Changed in apparmor (Ubuntu Oneiric):
milestone: none → oneiric-alpha-3
Changed in cups (Ubuntu Oneiric):
milestone: none → oneiric-alpha-3
Changed in isc-dhcp (Ubuntu Oneiric):
milestone: none → oneiric-alpha-3
Changed in cups (Ubuntu Oneiric):
status: Triaged → In Progress
Martin Pitt (pitti) on 2011-07-14
Changed in cups (Ubuntu Oneiric):
status: In Progress → Fix Committed
Changed in apparmor (Ubuntu Oneiric):
assignee: Martin Pitt (pitti) → nobody
Jamie Strandboge (jdstrand) on 2011-07-14
summary: - AppArmor profiles need updates for /var/run → /run
+ AppArmor profiles need updates for /var/run → /run and /var/lock →
+ /run/lock
Changed in ntp (Ubuntu Oneiric):
status: New → Triaged
Changed in isc-dhcp (Ubuntu Oneiric):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in ntp (Ubuntu Oneiric):
importance: Undecided → High
Jamie Strandboge (jdstrand) wrote : Re: AppArmor profiles need updates for /var/run → /run and /var/lock → /run/lock

*sigh* This requires a lot of changes.

Changed in libvirt (Ubuntu Oneiric):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Triaged
Changed in ntp (Ubuntu Oneiric):
assignee: nobody → Jamie Strandboge (jdstrand)
milestone: none → oneiric-alpha-3
Changed in libvirt (Ubuntu Oneiric):
importance: Undecided → High
milestone: none → oneiric-alpha-3
Changed in bind9 (Ubuntu Oneiric):
importance: Undecided → High
status: New → Triaged
Jamie Strandboge (jdstrand) on 2011-07-14
Changed in clamav (Ubuntu Oneiric):
milestone: none → oneiric-alpha-3
status: New → Triaged
Jamie Strandboge (jdstrand) on 2011-07-14
Changed in gdm-guest-session (Ubuntu Oneiric):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → High
milestone: none → oneiric-alpha-3
status: New → Triaged
Changed in clamav (Ubuntu Oneiric):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in bind9 (Ubuntu Oneiric):
assignee: nobody → Jamie Strandboge (jdstrand)
milestone: none → oneiric-alpha-3
Changed in clamav (Ubuntu Oneiric):
importance: Undecided → High
Changed in apparmor (Ubuntu Oneiric):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in mysql-5.1 (Ubuntu Oneiric):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → High
milestone: none → oneiric-alpha-3
status: New → Triaged
Changed in openldap (Ubuntu Oneiric):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → High
milestone: none → oneiric-alpha-3
status: New → Triaged
Jamie Strandboge (jdstrand) on 2011-07-14
Changed in apparmor (Ubuntu Oneiric):
status: Triaged → In Progress
Martin Pitt (pitti) wrote :

Seems Jamie already has an update for gdm-guest-session

Changed in gdm-guest-session (Ubuntu Oneiric):
assignee: Jamie Strandboge (jdstrand) → Martin Pitt (pitti)
assignee: Martin Pitt (pitti) → Jamie Strandboge (jdstrand)
status: Triaged → Fix Committed
Changed in bind9 (Ubuntu Oneiric):
assignee: Jamie Strandboge (jdstrand) → Martin Pitt (pitti)
status: Triaged → In Progress
Changed in ntp (Ubuntu Oneiric):
assignee: Jamie Strandboge (jdstrand) → Martin Pitt (pitti)
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cups - 1.4.7-1

---------------
cups (1.4.7-1) unstable; urgency=low

  * New upstream version.

  [ Till Kamppeter ]
  * debian/patches/ubuntu-upstart.dpatch: Updated the patch to add support
    to the new device enumeration functionality of udev-configure-printer.
    This way we do not need to retrigger the printers. Retriggering is only
    needed if udev rules change. A fallback to the old bahavior is provided
    so that this CUPS package continues to work with older versions of
    udev-configure-printer.

  [ Martin Pitt ]
  * Update patches for new upstream release.
  * Drop fix-broken-ipv6-uris.patch, applied upstream.
  * debian/local/apparmor-profile: /var/run → /run transition. (LP: #810270)
  * Drop debian/patches/ubuntu-upstart.dpatch and move the upstart script to
    debian/local/cups.upstart. In debian/rules, copy it to debian/, and remove
    that again during clean. This is a slightly easier workaround for a
    nonexisting "dh_installinit --sysvinit-only" option than the previous
    creation of the upstart file with an ubuntu specific dpatch.
  * debian/patches/, debian/rules, debian/control, debian/source/format: Move
    to source format "3.0 (quilt)" and convert our dpatches to quilt patches.
    Drop dpatch build dependency.
  * Move Ubuntu specific patches to debian/patches/ubuntu. In debian/rules,
    apply them when building on Ubuntu. Add "patch" build dependency.
 -- Martin Pitt <email address hidden> Thu, 14 Jul 2011 15:02:36 +0200

Changed in cups (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Micah Gersten (micahg) on 2011-07-14
summary: AppArmor profiles need updates for /var/run → /run and /var/lock →
- /run/lock
+ /run/lock and /dev/shm -> /run/shm
Martin Pitt (pitti) on 2011-07-14
Changed in openldap (Ubuntu Oneiric):
assignee: Jamie Strandboge (jdstrand) → Martin Pitt (pitti)
status: Triaged → Fix Committed
Changed in bind9 (Ubuntu Oneiric):
status: In Progress → Fix Committed
Micah Gersten (micahg) on 2011-07-14
summary: AppArmor profiles need updates for /var/run → /run and /var/lock →
- /run/lock and /dev/shm -> /run/shm
+ /run/lock and /dev/shm → /run/shm
Martin Pitt (pitti) on 2011-07-14
Changed in mysql-5.1 (Ubuntu Oneiric):
assignee: Jamie Strandboge (jdstrand) → Martin Pitt (pitti)
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ntp - 1:4.2.6.p2+dfsg-1ubuntu9

---------------
ntp (1:4.2.6.p2+dfsg-1ubuntu9) oneiric; urgency=low

  * debian/apparmor-profile: Allow /var/run and /run. (LP: #810270)
 -- Martin Pitt <email address hidden> Thu, 14 Jul 2011 15:12:09 +0200

Changed in ntp (Ubuntu Oneiric):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bind9 - 1:9.7.3.dfsg-1ubuntu4

---------------
bind9 (1:9.7.3.dfsg-1ubuntu4) oneiric; urgency=low

  * debian/apparmor-profile: Allow /var/run and /run. (LP: #810270)
 -- Martin Pitt <email address hidden> Thu, 14 Jul 2011 15:15:45 +0200

Changed in bind9 (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.25-1.1ubuntu2

---------------
openldap (2.4.25-1.1ubuntu2) oneiric; urgency=low

  * debian/apparmor-profile: Allow /var/run and /run. (LP: #810270)
 -- Martin Pitt <email address hidden> Thu, 14 Jul 2011 15:18:02 +0200

Changed in openldap (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-5.1 - 5.1.54-1ubuntu5

---------------
mysql-5.1 (5.1.54-1ubuntu5) oneiric; urgency=low

  * debian/apparmor-profile: Allow /var/run and /run. (LP: #810270)
 -- Martin Pitt <email address hidden> Thu, 14 Jul 2011 15:21:19 +0200

Changed in mysql-5.1 (Ubuntu Oneiric):
status: In Progress → Fix Released
Jamie Strandboge (jdstrand) on 2011-07-14
Changed in isc-dhcp (Ubuntu Oneiric):
status: Triaged → In Progress
Jamie Strandboge (jdstrand) on 2011-07-14
Changed in isc-dhcp (Ubuntu Oneiric):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package isc-dhcp - 4.1.1-P1-17ubuntu4

---------------
isc-dhcp (4.1.1-P1-17ubuntu4) oneiric; urgency=low

  * adjust AppArmor profile for /var/run -> /run (LP: #810270)
 -- Jamie Strandboge <email address hidden> Thu, 14 Jul 2011 08:26:44 -0500

Changed in isc-dhcp (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gdm-guest-session - 0.27

---------------
gdm-guest-session (0.27) oneiric; urgency=low

  * apparmor/gdm-guest-session: /var/run -> /run and /dev/shm -> /run/shm
    transition (LP: #810270)
 -- Jamie Strandboge <email address hidden> Thu, 14 Jul 2011 07:36:57 -0500

Changed in gdm-guest-session (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) on 2011-07-14
Changed in clamav (Ubuntu Oneiric):
status: Triaged → In Progress
Jamie Strandboge (jdstrand) on 2011-07-14
Changed in libvirt (Ubuntu Oneiric):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.97.1+dfsg-1ubuntu2

---------------
clamav (0.97.1+dfsg-1ubuntu2) oneiric; urgency=low

  * adjust AppArmor profile for /var/run -> /run (LP: #810270)
 -- Jamie Strandboge <email address hidden> Thu, 14 Jul 2011 08:36:01 -0500

Changed in clamav (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) on 2011-07-14
Changed in clamav (Ubuntu Oneiric):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 0.9.2-4ubuntu4

---------------
libvirt (0.9.2-4ubuntu4) oneiric; urgency=low

  * debian/apparmor/libvirt-qemu: adjust for /dev/shm -> /run/shm transition
  * debian/patches/lp810270.patch: adjust AppArmor profile for /var/run ->
    /run
    - LP: #810270
 -- Jamie Strandboge <email address hidden> Thu, 14 Jul 2011 08:46:32 -0500

Changed in libvirt (Ubuntu Oneiric):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.6.1-4ubuntu3

---------------
apparmor (2.6.1-4ubuntu3) oneiric; urgency=low

  * debian/patches/0106-lp810270.patch: adjustments for /var/run -> /run,
    /var/lock -> /run/lock and /dev/shm -> /run/shm transition (LP: #810270)
  * debian/patches/0107-lp767308.patch: allow read access to
    /usr/local/share/ca-certificates (LP: #767308)
  * debian/patches/0001-add-chromium-browser.patch: updates for newer chromium
    (LP: #776648)
  * debian/patches/0108-gnome-mimeinfo.patch: allow read access to
    /usr/share/gnome/applications/mimeinfo.cache in the gnome abstraction
 -- Jamie Strandboge <email address hidden> Thu, 14 Jul 2011 09:39:49 -0500

Changed in apparmor (Ubuntu Oneiric):
status: In Progress → Fix Released
Jürgen (jurgen-depicker) wrote :

I'm affraid it's not fixed yet for mysql Ver 14.14 Distrib 5.1.58, for debian-linux-gnu (x86_64). http://penguindroppings.wordpress.com/2009/07/07/should-i-disable-apparmor/ was my help to temporary disable the profile for mysql to get things working again:
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld
sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/usr.sbin.mysqld
sudo service mysql start
mysql start/running, process 3024

Before doing this, I got this from dmesg:
type=1400 audit(1319135491.751:5641): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/mysqld" pid=2704 comm="apparmor_parser"
[84848.322283] type=1400 audit(1319135491.915:5642): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/mysqld" name="/run/mysqld/mysqld.sock" pid=2708 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=116 ouid=116
[84853.637467] init: mysql main process (2708) terminated with status 1
[84853.637505] init: mysql main process ended, respawning

Jamie Strandboge (jdstrand) wrote :

Jurgen, this sounds like you may have not accepted the changes to /etc/apparmor.d/usr.sbin.mysqld on upgrade. Please look in /etc/apparmor.d/ for *dpkg* files and merge the changes. If this is not the case, please file a new bug with 'ubuntu-bug mysql-5.1'. Thanks

Jürgen (jurgen-depicker) wrote :

I'm sorry I forgot to mention that this is on a blank new install. Unfortunately, so I'll give it a try and file that bug!

cideous (mr-nightmare) wrote :

Continously I get errors of the form:

[ 4961.366862] type=1400 audit(1329587229.044:159): apparmor="DENIED" operation="mknod" parent=1049 profile="/sbin/dhclient" name="/var/lib/dhcp/dhclient-8740e579-0e00-4d28-acc6-c9998a25e262-eth0.lease" pid=1589 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

Is this because this bug is still unsolved for dhclient, or is this because of the way setup my filesystem. Note that I made /var a symlink to a different partition. My root filesystem is an SSD and I followed the recommendation not to have var on the SSD. So is this just because I'm using a symlink here and I shouldn't have used it here?

Kees Cook (kees) wrote :

If filesystem paths have been relocated, please use /etc/apparmor.d/tunables/alias to handle replacements.

Thomas Tanghus (tanghus) wrote :

Please guys: http://tanghus.net/2012/03/yet-another-mysql-vs-apparmor-barf/#comment-299

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers