AppArmor fails to load policy with newer network rules

Bug #639758 reported by John Johansen on 2010-09-15
This bug affects 1 person
Affects: linux (Ubuntu) | Status: Fix Released | Assigned to: John Johansen

Bug Description

If newer userspace tools are used to load policy on an older kernel, the policy load can fail if the tools were built against a release that has information about newer networking protocols. This occurs because the tools create extra rules in the policy to handle the newer networking protocols, but the older kernel doesn't accept the larger networking tables containing the extra rules.

This is a problem in two cases, upgrades and a user dual booting newer and older kernels (e.g. Maverick on Lucid). For upgrades the newer userspace tools will be installed and load policy before the user reboots to the new kernel, resulting in failure messages and new policy not being loaded (which could lead to any upgraded applications failing, as old policy is not removed and is still enforced). For the dual-boot case the newer AppArmor compiler is required to support the newer kernel, but it is subject to the same problems as the upgrade case, except that policy may not load on boot, resulting in no AppArmor protection.
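The failure mode above comes from the compiler sizing its network table by the address-family count it was built with rather than by what the running kernel accepts. The following is an added, constructed model of that mismatch and of a compiler that negotiates the table size first; it is not AppArmor's parser or the kernel's unpack code, and the blob format, the `af_max` feature key and the per-release family counts are all assumptions chosen for illustration.

```python
"""Constructed model of the policy-load mismatch in this bug (illustration,
not AppArmor code). Assumed: a network table is a header plus one 16-bit
socket-type mask per address family, and the kernel refuses any table with
more families than its own AF_MAX.
"""
import struct

# Assumed per-release address-family counts (illustrative numbers only).
AF_COUNT_OLD_KERNEL = 36    # "Lucid": knows nothing about the newer protocols
AF_COUNT_NEW_KERNEL = 40    # "Maverick": four extra families
AF_COUNT_NEW_TOOLS = 40     # tools built against the newer headers

HEADER = struct.Struct("<4sI")  # magic, number of address families in table
MASK = struct.Struct("<H")      # per-family bitmask of permitted socket types


class PolicyLoadError(Exception):
    """Raised by the modelled kernel when it rejects a policy blob."""


def compile_network_table(rules, af_count):
    """Serialize a network table with one mask per address family.

    rules: {af_index: socket_type_mask}. The table always has af_count
    entries, so its size is fixed by the compiler's idea of AF_MAX, not by
    how many rules the profile actually contains.
    """
    for af in rules:
        if af >= af_count:
            raise ValueError(
                f"address family {af} not representable in a {af_count}-entry table")
    masks = [rules.get(af, 0) for af in range(af_count)]
    return HEADER.pack(b"AANT", af_count) + b"".join(MASK.pack(m) for m in masks)


def kernel_load_network_table(blob, kernel_af_max):
    """Model of the kernel-side unpack: tables larger than AF_MAX are refused."""
    magic, af_count = HEADER.unpack_from(blob)
    if magic != b"AANT":
        raise PolicyLoadError("bad magic")
    if af_count > kernel_af_max:
        raise PolicyLoadError(
            f"network table has {af_count} entries, kernel supports {kernel_af_max}")
    body = blob[HEADER.size:]
    if len(body) != af_count * MASK.size:
        raise PolicyLoadError("truncated network table")
    masks = [MASK.unpack_from(body, i * MASK.size)[0] for i in range(af_count)]
    # Families the kernel knows but the table omits default to deny (mask 0).
    return masks + [0] * (kernel_af_max - af_count)


def negotiate_af_count(tools_af_count, kernel_features):
    """Size the table for the *running* kernel, not the build headers.

    kernel_features models what the kernel advertises (assumed shape:
    {"network": {"af_max": N}}). A kernel that advertises nothing is treated
    as the oldest supported release.
    """
    advertised = kernel_features.get("network", {}).get("af_max")
    if advertised is None:
        return min(tools_af_count, AF_COUNT_OLD_KERNEL)
    return min(tools_af_count, advertised)


def load_with_tools(rules, tools_af_count, kernel_af_max, kernel_features, negotiate):
    """Compile and load; with negotiate=False the compiler uses its own AF count."""
    af_count = negotiate_af_count(tools_af_count, kernel_features) if negotiate else tools_af_count
    blob = compile_network_table(rules, af_count)
    return kernel_load_network_table(blob, kernel_af_max)


def loads_ok(rules, tools_af_count, kernel_af_max, kernel_features, negotiate):
    """True if the policy loads, False if the kernel or compiler refuses it."""
    try:
        load_with_tools(rules, tools_af_count, kernel_af_max, kernel_features, negotiate)
        return True
    except (PolicyLoadError, ValueError):
        return False


if __name__ == "__main__":
    # Constructed profile: allow two socket types on AF_INET (2) and AF_INET6 (10).
    rules = {2: 0b11, 10: 0b11}
    print("new tools, old kernel, no negotiation:",
          loads_ok(rules, AF_COUNT_NEW_TOOLS, AF_COUNT_OLD_KERNEL, {}, False))
    print("new tools, old kernel, negotiated:   ",
          loads_ok(rules, AF_COUNT_NEW_TOOLS, AF_COUNT_OLD_KERNEL, {}, True))
    print("new tools, new kernel, negotiated:   ",
          loads_ok(rules, AF_COUNT_NEW_TOOLS, AF_COUNT_NEW_KERNEL,
                   {"network": {"af_max": AF_COUNT_NEW_KERNEL}}, True))
```

The first scenario is the upgrade and dual-boot case from the description: a 40-entry table reaches a kernel whose limit is 36 and the load fails, leaving whatever policy was loaded before in force. The negotiated path is the shape of the fix: the compiler asks the running kernel what it supports before emitting the table, and a rule for a family the target kernel cannot encode is reported by the compiler rather than silently dropped or rejected later at load time.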

Changed in linux (Ubuntu):
assignee: nobody → John Johansen (jjohansen)
kernel-janitor (kernel-janitor) wrote:
Changed in linux (Ubuntu):
status: New → Fix Released