AppArmor profiles need updates for /var/run → /run and /var/lock → /run/lock and /dev/shm → /run/shm
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apparmor (Ubuntu) | | High | Jamie Strandboge |
Oneiric | | High | Jamie Strandboge |
bind9 (Ubuntu) | | High | Martin Pitt |
Oneiric | | High | Martin Pitt |
clamav (Ubuntu) | | High | Jamie Strandboge |
Oneiric | | High | Jamie Strandboge |
cups (Ubuntu) | | High | Martin Pitt |
Oneiric | | High | Martin Pitt |
gdm-guest-session (Ubuntu) | | High | Jamie Strandboge |
Oneiric | | High | Jamie Strandboge |
isc-dhcp (Ubuntu) | | High | Jamie Strandboge |
Oneiric | | High | Jamie Strandboge |
libvirt (Ubuntu) | | High | Jamie Strandboge |
Oneiric | | High | Jamie Strandboge |
mysql-5.1 (Ubuntu) | | High | Martin Pitt |
Oneiric | | High | Martin Pitt |
ntp (Ubuntu) | | High | Martin Pitt |
Oneiric | | High | Martin Pitt |
openldap (Ubuntu) | | High | Martin Pitt |
Oneiric | | High | Martin Pitt |
Bug Description
Figured I'd file a tracking bug for this. The symlink exists from /var/run to /run, but I'm guessing the profiles don't like this. The main problems I've seen so far are cups and dhclient (which I think are both profiles in their respective packages).
Martin Pitt (pitti) wrote : | #1 |
Martin Pitt (pitti) wrote : | #2 |
sbin.dhclient and usr.sbin.cupsd profiles also refer to /var/run/, adding tasks for these as well.
Changed in cups (Ubuntu): | |
status: | New → Triaged |
Changed in apparmor (Ubuntu): | |
status: | New → Triaged |
Changed in isc-dhcp (Ubuntu): | |
status: | New → Triaged |
summary: |
- /run transition wreaking havoc on profiles + AppArmor profiles need updates for /var/run → /run |
Changed in apparmor (Ubuntu): | |
importance: | Undecided → High |
Changed in cups (Ubuntu): | |
importance: | Undecided → High |
Changed in isc-dhcp (Ubuntu): | |
importance: | Undecided → High |
Changed in apparmor (Ubuntu Oneiric): | |
assignee: | nobody → Martin Pitt (pitti) |
Changed in cups (Ubuntu Oneiric): | |
assignee: | nobody → Martin Pitt (pitti) |
Changed in apparmor (Ubuntu Oneiric): | |
milestone: | none → oneiric-alpha-3 |
Changed in cups (Ubuntu Oneiric): | |
milestone: | none → oneiric-alpha-3 |
Changed in isc-dhcp (Ubuntu Oneiric): | |
milestone: | none → oneiric-alpha-3 |
Changed in cups (Ubuntu Oneiric): | |
status: | Triaged → In Progress |
Changed in cups (Ubuntu Oneiric): | |
status: | In Progress → Fix Committed |
Changed in apparmor (Ubuntu Oneiric): | |
assignee: | Martin Pitt (pitti) → nobody |
summary: |
- AppArmor profiles need updates for /var/run → /run + AppArmor profiles need updates for /var/run → /run and /var/lock → + /run/lock |
Changed in ntp (Ubuntu Oneiric): | |
status: | New → Triaged |
Changed in isc-dhcp (Ubuntu Oneiric): | |
assignee: | nobody → Jamie Strandboge (jdstrand) |
Changed in ntp (Ubuntu Oneiric): | |
importance: | Undecided → High |
Jamie Strandboge (jdstrand) wrote : Re: AppArmor profiles need updates for /var/run → /run and /var/lock → /run/lock | #3 |
*sigh* This requires a lot of changes.
Changed in libvirt (Ubuntu Oneiric): | |
assignee: | nobody → Jamie Strandboge (jdstrand) |
status: | New → Triaged |
Changed in ntp (Ubuntu Oneiric): | |
assignee: | nobody → Jamie Strandboge (jdstrand) |
milestone: | none → oneiric-alpha-3 |
Changed in libvirt (Ubuntu Oneiric): | |
importance: | Undecided → High |
milestone: | none → oneiric-alpha-3 |
Changed in bind9 (Ubuntu Oneiric): | |
importance: | Undecided → High |
status: | New → Triaged |
Changed in clamav (Ubuntu Oneiric): | |
milestone: | none → oneiric-alpha-3 |
status: | New → Triaged |
Changed in gdm-guest-session (Ubuntu Oneiric): | |
assignee: | nobody → Jamie Strandboge (jdstrand) |
importance: | Undecided → High |
milestone: | none → oneiric-alpha-3 |
status: | New → Triaged |
Changed in clamav (Ubuntu Oneiric): | |
assignee: | nobody → Jamie Strandboge (jdstrand) |
Changed in bind9 (Ubuntu Oneiric): | |
assignee: | nobody → Jamie Strandboge (jdstrand) |
milestone: | none → oneiric-alpha-3 |
Changed in clamav (Ubuntu Oneiric): | |
importance: | Undecided → High |
Changed in apparmor (Ubuntu Oneiric): | |
assignee: | nobody → Jamie Strandboge (jdstrand) |
Changed in mysql-5.1 (Ubuntu Oneiric): | |
assignee: | nobody → Jamie Strandboge (jdstrand) |
importance: | Undecided → High |
milestone: | none → oneiric-alpha-3 |
status: | New → Triaged |
Changed in openldap (Ubuntu Oneiric): | |
assignee: | nobody → Jamie Strandboge (jdstrand) |
importance: | Undecided → High |
milestone: | none → oneiric-alpha-3 |
status: | New → Triaged |
Changed in apparmor (Ubuntu Oneiric): | |
status: | Triaged → In Progress |
Martin Pitt (pitti) wrote : | #4 |
Seems Jamie already has an update for gdm-guest-session
Changed in gdm-guest-session (Ubuntu Oneiric): | |
assignee: | Jamie Strandboge (jdstrand) → Martin Pitt (pitti) |
assignee: | Martin Pitt (pitti) → Jamie Strandboge (jdstrand) |
status: | Triaged → Fix Committed |
Changed in bind9 (Ubuntu Oneiric): | |
assignee: | Jamie Strandboge (jdstrand) → Martin Pitt (pitti) |
status: | Triaged → In Progress |
Changed in ntp (Ubuntu Oneiric): | |
assignee: | Jamie Strandboge (jdstrand) → Martin Pitt (pitti) |
status: | Triaged → In Progress |
Launchpad Janitor (janitor) wrote : | #5 |
This bug was fixed in the package cups - 1.4.7-1
---------------
cups (1.4.7-1) unstable; urgency=low
* New upstream version.
[ Till Kamppeter ]
* debian/
to the new device enumeration functionality of udev-configure-
This way we do not need to retrigger the printers. Retriggering is only
needed if udev rules change. A fallback to the old behavior is provided
so that this CUPS package continues to work with older versions of
udev-
[ Martin Pitt ]
* Update patches for new upstream release.
* Drop fix-broken-
* debian/
* Drop debian/
debian/
that again during clean. This is a slightly easier workaround for a
nonexisting "dh_installinit --sysvinit-only" option than the previous
creation of the upstart file with an ubuntu specific dpatch.
* debian/patches/, debian/rules, debian/control, debian/
to source format "3.0 (quilt)" and convert our dpatches to quilt patches.
Drop dpatch build dependency.
* Move Ubuntu specific patches to debian/
apply them when building on Ubuntu. Add "patch" build dependency.
-- Martin Pitt <email address hidden> Thu, 14 Jul 2011 15:02:36 +0200
Changed in cups (Ubuntu Oneiric): | |
status: | Fix Committed → Fix Released |
summary: |
AppArmor profiles need updates for /var/run → /run and /var/lock → - /run/lock + /run/lock and /dev/shm -> /run/shm |
Changed in openldap (Ubuntu Oneiric): | |
assignee: | Jamie Strandboge (jdstrand) → Martin Pitt (pitti) |
status: | Triaged → Fix Committed |
Changed in bind9 (Ubuntu Oneiric): | |
status: | In Progress → Fix Committed |
summary: |
AppArmor profiles need updates for /var/run → /run and /var/lock → - /run/lock and /dev/shm -> /run/shm + /run/lock and /dev/shm → /run/shm |
Changed in mysql-5.1 (Ubuntu Oneiric): | |
assignee: | Jamie Strandboge (jdstrand) → Martin Pitt (pitti) |
status: | Triaged → In Progress |
Launchpad Janitor (janitor) wrote : | #6 |
This bug was fixed in the package ntp - 1:4.2.6.
---------------
ntp (1:4.2.
* debian/
-- Martin Pitt <email address hidden> Thu, 14 Jul 2011 15:12:09 +0200
Changed in ntp (Ubuntu Oneiric): | |
status: | In Progress → Fix Released |
Launchpad Janitor (janitor) wrote : | #7 |
This bug was fixed in the package bind9 - 1:9.7.3.
---------------
bind9 (1:9.7.
* debian/
-- Martin Pitt <email address hidden> Thu, 14 Jul 2011 15:15:45 +0200
Changed in bind9 (Ubuntu Oneiric): | |
status: | Fix Committed → Fix Released |
Launchpad Janitor (janitor) wrote : | #8 |
This bug was fixed in the package openldap - 2.4.25-1.1ubuntu2
---------------
openldap (2.4.25-1.1ubuntu2) oneiric; urgency=low
* debian/
-- Martin Pitt <email address hidden> Thu, 14 Jul 2011 15:18:02 +0200
Changed in openldap (Ubuntu Oneiric): | |
status: | Fix Committed → Fix Released |
Launchpad Janitor (janitor) wrote : | #9 |
This bug was fixed in the package mysql-5.1 - 5.1.54-1ubuntu5
---------------
mysql-5.1 (5.1.54-1ubuntu5) oneiric; urgency=low
* debian/
-- Martin Pitt <email address hidden> Thu, 14 Jul 2011 15:21:19 +0200
Changed in mysql-5.1 (Ubuntu Oneiric): | |
status: | In Progress → Fix Released |
Changed in isc-dhcp (Ubuntu Oneiric): | |
status: | Triaged → In Progress |
Changed in isc-dhcp (Ubuntu Oneiric): | |
status: | In Progress → Fix Committed |
Launchpad Janitor (janitor) wrote : | #10 |
This bug was fixed in the package isc-dhcp - 4.1.1-P1-17ubuntu4
---------------
isc-dhcp (4.1.1-
* adjust AppArmor profile for /var/run -> /run (LP: #810270)
-- Jamie Strandboge <email address hidden> Thu, 14 Jul 2011 08:26:44 -0500
Changed in isc-dhcp (Ubuntu Oneiric): | |
status: | Fix Committed → Fix Released |
Launchpad Janitor (janitor) wrote : | #11 |
This bug was fixed in the package gdm-guest-session - 0.27
---------------
gdm-guest-session (0.27) oneiric; urgency=low
* apparmor/
transition (LP: #810270)
-- Jamie Strandboge <email address hidden> Thu, 14 Jul 2011 07:36:57 -0500
Changed in gdm-guest-session (Ubuntu Oneiric): | |
status: | Fix Committed → Fix Released |
Changed in clamav (Ubuntu Oneiric): | |
status: | Triaged → In Progress |
Changed in libvirt (Ubuntu Oneiric): | |
status: | Triaged → In Progress |
Launchpad Janitor (janitor) wrote : | #12 |
This bug was fixed in the package clamav - 0.97.1+
---------------
clamav (0.97.1+
* adjust AppArmor profile for /var/run -> /run (LP: #810270)
-- Jamie Strandboge <email address hidden> Thu, 14 Jul 2011 08:36:01 -0500
Changed in clamav (Ubuntu Oneiric): | |
status: | Fix Committed → Fix Released |
Changed in clamav (Ubuntu Oneiric): | |
status: | In Progress → Fix Committed |
Launchpad Janitor (janitor) wrote : | #13 |
This bug was fixed in the package libvirt - 0.9.2-4ubuntu4
---------------
libvirt (0.9.2-4ubuntu4) oneiric; urgency=low
* debian/
* debian/
/run
- LP: #810270
-- Jamie Strandboge <email address hidden> Thu, 14 Jul 2011 08:46:32 -0500
Changed in libvirt (Ubuntu Oneiric): | |
status: | In Progress → Fix Released |
Launchpad Janitor (janitor) wrote : | #14 |
This bug was fixed in the package apparmor - 2.6.1-4ubuntu3
---------------
apparmor (2.6.1-4ubuntu3) oneiric; urgency=low
* debian/
/var/lock -> /run/lock and /dev/shm -> /run/shm transition (LP: #810270)
* debian/
/usr/
* debian/
(LP: #776648)
* debian/
/usr/
-- Jamie Strandboge <email address hidden> Thu, 14 Jul 2011 09:39:49 -0500
Changed in apparmor (Ubuntu Oneiric): | |
status: | In Progress → Fix Released |
Jürgen (jurgen-depicker) wrote : | #15 |
I'm afraid it's not fixed yet for mysql Ver 14.14 Distrib 5.1.58, for debian-linux-gnu (x86_64). http://
sudo apparmor_parser -R /etc/apparmor.
sudo ln -s /etc/apparmor.
sudo service mysql start
mysql start/running, process 3024
Before doing this, I got this from dmesg:
type=1400 audit(131913549
[84848.322283] type=1400 audit(131913549
[84853.637467] init: mysql main process (2708) terminated with status 1
[84853.637505] init: mysql main process ended, respawning
Jamie Strandboge (jdstrand) wrote : | #16 |
Jurgen, this sounds like you may have not accepted the changes to /etc/apparmor.
Jürgen (jurgen-depicker) wrote : | #17 |
I'm sorry I forgot to mention that this is on a blank new install. Unfortunately, so I'll give it a try and file that bug!
cideous (mr-nightmare) wrote : | #18 |
Continuously I get errors of the form:
[ 4961.366862] type=1400 audit(132958722
Is this because this bug is still unsolved for dhclient, or is this because of the way I set up my filesystem? Note that I made /var a symlink to a different partition. My root filesystem is an SSD and I followed the recommendation not to have var on the SSD. So is this just because I'm using a symlink here and I shouldn't have used it here?
Kees Cook (kees) wrote : | #19 |
If filesystem paths have been relocated, please use /etc/apparmor.
Thomas Tanghus (tanghus) wrote : | #20 |
Example:
Jul 14 11:27:50 localhost kernel: [ 8660.404355] type=1400 audit(1310635670.401:12064): apparmor="DENIED" operation="chown" parent=1 profile="/usr/sbin/cupsd" name="/run/cups/" pid=6276 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jul 14 11:27:50 localhost kernel: [ 8660.404469] type=1400 audit(1310635670.401:12065): apparmor="DENIED" operation="chown" parent=1 profile="/usr/sbin/cupsd" name="/run/cups/certs/" pid=6276 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jul 14 11:27:50 localhost kernel: [ 8660.443356] type=1400 audit(1310635670.441:12066): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/cupsd" name="/run/cups/printcap" pid=6276 comm="cupsd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Jul 14 11:27:50 localhost kernel: [ 8660.445231] type=1400 audit(1310635670.441:12067): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/cupsd" name="/run/cups/cups.sock" pid=6276 comm="cupsd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Jul 14 11:27:50 localhost kernel: [ 8660.445362] type=1400 audit(1310635670.441:12068): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/cupsd" name="/run/cups/cupsd.pid" pid=6276 comm="cupsd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
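Added example (not part of the original thread or of any package's code): a triage helper that parses AppArmor DENIED records like those in comment #20 and flags denied paths under /run, /run/lock or /run/shm, paired with the legacy path a stale profile rule would still name. The sample lines are constructed in the comment's log format, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Relocations named in the bug title, as (new prefix, legacy prefix).
# Longest prefixes first so /run/lock and /run/shm win over plain /run.
TRANSITIONS = [("/run/lock", "/var/lock"), ("/run/shm", "/dev/shm"),
               ("/run", "/var/run")]
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="value"

# Constructed sample input in the format of the comment #20 log lines.
PREFIX = "Jul 14 11:27:50 localhost kernel: [ 8660.404355] type=1400 "
SAMPLE = [
    PREFIX + 'audit(1310635670.401:12064): apparmor="DENIED" operation="chown" '
    'profile="/usr/sbin/cupsd" name="/run/cups/" pid=6276 denied_mask="w"',
    PREFIX + 'audit(1310635670.441:12068): apparmor="DENIED" operation="mknod" '
    'profile="/usr/sbin/cupsd" name="/run/cups/cupsd.pid" pid=6276 denied_mask="c"',
    # Constructed: a denial unrelated to the transition, must not be flagged.
    PREFIX + 'audit(1310635670.441:12069): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/cupsd" name="/srv/example/file" pid=6276 denied_mask="r"',
    "[84853.637505] init: mysql main process ended, respawning",
]

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: value.strip('"') for key, value in FIELD.findall(line)}

def legacy_path(path):
    """Map a path under a relocated directory back to its old location."""
    for new, old in TRANSITIONS:
        if path == new or path.startswith(new + "/"):
            return old + path[len(new):]
    return None  # not affected by the /run transition

def transition_denials(lines):
    """Per profile: sorted (denied path, legacy path, denied_mask) tuples."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_denial(line)
        if not rec or "name" not in rec or "profile" not in rec:
            continue
        old = legacy_path(rec["name"])
        if old:
            hits[rec["profile"]].add((rec["name"], old, rec.get("denied_mask", "")))
    return {profile: sorted(paths) for profile, paths in hits.items()}

if __name__ == "__main__":
    for profile, paths in transition_denials(SAMPLE).items():
        for new, old, mask in paths:
            print(f"{profile}: denied {mask} on {new}; look for a rule on {old}")
```

For each hit, check the named profile for a rule that still spells out the legacy path; AppArmor's alternation globbing, for example `/{,var/}run/cups/`, covers both spellings in one rule.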