apparmor cache files not regenerated on upgrade
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| apparmor (Ubuntu) | Fix Released | Medium | Kees Cook | |
| Karmic | Fix Released | Medium | Kees Cook | |
| Lucid | Fix Released | Medium | Kees Cook | |
Bug Description
impact: people upgrading from Jaunty to Karmic will see some services fail to start due to outdated profiles not correctly being loaded (specifically, this happens for bind9).
how the bug has been addressed: backported upstream fixes that use ctime instead of mtime when checking whether profiles are out of date compared to the cache files.
regression potential: low: the change is small, there are upstream tests, and the test case below demonstrates the fix.
TEST CASE: (all commands should exit 0: the "touch" will rewind "modified" but not "changed" time, so a fixed parser will still regenerate the cache.)
Run with sudo:
```bash
#!/bin/bash
set -e
cat >/etc/apparmor.
#include <tunables/global>
/tmp/test {
#include <abstractions/base>
}
EOF
sleep 1
service apparmor reload
test /etc/apparmor.
THEN=$(mktemp -t now-XXXXXX)
sleep 1
touch -t 200901010101 /etc/apparmor.
apparmor_parser -r -W /etc/apparmor.
set +e
test /etc/apparmor.
rc=$?
set -e
apparmor_parser -R /etc/apparmor.
rm /etc/apparmor.
if [ $rc -ne 0 ]; then
    echo FAIL
    exit 1
fi
echo ok
```
Original bug description:
Binary package hint: bind9
If you have installed apparmor and then install bind9, bind9 fails to start, complaining about access denied (the openssl.cnf file the first time, named.pid in other configurations).
The problem is that bind9 doesn't install an apparmor profile.
If you install the apparmor-profiles package, the problem is solved.
Then, maybe it has to have a dependency (or install an apparmor bind profile specifically).
In my case, it was detected after upgrading from 9.04 to 9.10.
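The difference between the two staleness checks named in the description, as an added example that is not part of the bug report or of AppArmor's parser: it reproduces the test case's `touch -t 200901010101` step on temporary files and shows that an mtime comparison calls the cache fresh while a ctime comparison calls it stale. Assumptions: GNU `stat`, constructed file names and contents, and the cache file's mtime as the reference point.

```bash
#!/bin/bash
# Added illustration, not AppArmor's code: two ways to decide whether a cached
# compiled profile is out of date. Paths are temporary, constructed files.
# Assumes GNU stat (%Y = mtime, %Z = ctime, both in whole seconds).

# is_stale FIELD SOURCE CACHE
# Succeeds when SOURCE's FIELD timestamp is newer than CACHE's mtime.
is_stale() {
    local src_ts cache_ts
    src_ts=$(stat -c "$1" "$2")
    cache_ts=$(stat -c %Y "$3")
    [ "$src_ts" -gt "$cache_ts" ]
}

# verdict FIELD SOURCE CACHE -> prints "stale" or "fresh"
verdict() {
    if is_stale "$@"; then echo stale; else echo fresh; fi
}

demo() {
    local dir profile cache
    dir=$(mktemp -d)
    profile="$dir/profile"
    cache="$dir/profile.cache"

    # Old release: profile source and the cache built from it.
    echo "old rules" > "$profile"
    echo "compiled: old rules" > "$cache"

    # Whole-second timestamps: make sure the upgrade lands in a later second.
    sleep 2

    # Upgrade: new content arrives carrying an old modification time, the
    # same condition the report's "touch -t 200901010101" creates.
    echo "new rules" > "$profile"
    touch -t 200901010101 "$profile"

    # mtime went back to 2009; ctime was set by the kernel to "now".
    echo "mtime=$(verdict %Y "$profile" "$cache") ctime=$(verdict %Z "$profile" "$cache")"
    rm -rf "$dir"
}

demo   # prints: mtime=fresh ctime=stale
```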
Changed in bind9 (Ubuntu):
status: New → Confirmed

summary:
- bind9 missed a dependency with apparmor-profiles
+ bind9 jaunty to karmic upgrade causes initial apparmor audit with openssl.cnf, seems fixed by installing apparmor-profiles but not really

summary:
- bind9 apparmor cache files not regenerated on upgrade
+ apparmor cache files not regenerated on upgrade

Changed in apparmor (Ubuntu):
status: Triaged → In Progress
description: updated

Changed in apparmor (Ubuntu):
status: In Progress → Fix Committed
description: updated

Changed in apparmor (Ubuntu Karmic):
status: New → Fix Committed
importance: Undecided → Medium

Changed in apparmor (Ubuntu Lucid):
status: Fix Committed → Fix Released

Changed in apparmor (Ubuntu Karmic):
assignee: nobody → Kees Cook (kees)
description: updated

tags:
added: verification-done
removed: verification-needed
Thank you for taking the time to report this bug and helping to make Ubuntu better. To help fix the bug, please follow the instructions found in https://wiki.ubuntu.com/DebuggingApparmor. This will greatly help us in tracking down your problem.