DEP8 error: access to certificates is blocked by apparmor
Bug #2008825 reported by
Andreas Hasenack
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
php-net-ldap2 (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
php-net-ldap2 in version 2.2.1-1 introduced[1] a DEP8 test which involves starting an openldap server with TLS enabled.
The certificates the test creates are stored in $AUTOPKGTEST_TMP, and access to them is blocked via the slapd apparmor profile that Ubuntu has:
[ter fev 28 17:54:03 2023] audit: type=1400 audit(167761764
1. https:/
Related branches
~ahasenack/ubuntu/+source/php-net-ldap2:lunar-php-net-ldap2-apparmor-dep8
Merged
into
ubuntu/+source/php-net-ldap2:ubuntu/devel
at
revision 163c47f2cd0134fc23b30d14e3776f9fe4dce7db
- git-ubuntu bot: Approve
- Sergio Durigan Junior (community): Approve
- Canonical Server Reporter: Pending requested
-
Diff: 82 lines (+44/-1)3 files modifieddebian/changelog (+8/-0)
debian/control (+2/-1)
debian/tests/upstream-testsuite (+34/-0)
To post a comment you must log in.
A quick fix: tests/upstream- testsuite b/debian/ tests/upstream- testsuite tests/upstream- testsuite tests/upstream- testsuite
diff --git a/debian/
index 161feb7..d7e1a7c 100755
--- a/debian/
+++ b/debian/
@@ -12,6 +12,20 @@ for ((i = 0; i < 10; i++)); do
sleep 1
done
+apparmor_ profile= "/etc/apparmor. d/usr.sbin. slapd" profile} " ]; then d/local/ usr.sbin. slapd <<EOF TMP}/** rwk, profile} " || { SETUP_OPENLDAP_ TESTCASE. txt and tests/ldapconfi g.ini.dist ADDRESS= "127.0. 0.1"
+if [ -f "${apparmor_
+ if aa-status --enabled 2>/dev/null; then
+ # Adjust apparmor so slapd can read the heimdal master key
+ cat >> /etc/apparmor.
+ ${AUTOPKGTEST_
+EOF
+ apparmor_parser -r -W -T "${apparmor_
+ # this failure may happen on armhf in Canonical infrastructure, see #1991141
+ echo "Failed to reload the ${apparmor_profile} apparmor profile, continuing anyway."
+ }
+ fi
+fi
+
# see tests/HOWTO_
SLAPD_
SLAPD_PORT=389
Tests still fail, though, but this time it's not because of apparmor. There are no other DENIED messages in the apparmor logs.
I note that the debian tests are also failing[1], but it migrated because the baseline for this new test is a failure, so no regression.
1. https:/ /ci.debian. net/packages/ p/php-net- ldap2/unstable/ amd64/