DEP8 error: access to certificates is blocked by apparmor

Bug #2008825 reported by Andreas Hasenack
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| php-net-ldap2 (Ubuntu) | Fix Released | Undecided | Unassigned | |

Bug Description

php-net-ldap2 in version 2.2.1-1 introduced[1] a DEP8 test which involves starting an openldap server with TLS enabled.

The certificates the test creates are stored in $AUTOPKGTEST_TMP, and access to them is blocked via the slapd apparmor profile that Ubuntu has:

[ter fev 28 17:54:03 2023] audit: type=1400 audit(1677617643.742:1644): apparmor="DENIED" operation="open" class="file" namespace="root//lxd-l-dep8_<var-snap-lxd-common-lxd>" profile="/usr/sbin/slapd" name="/tmp/autopkgtest.YThfJn/autopkgtest_tmp/ldap.pem" pid=444898 comm="slapd" requested_mask="r" denied_mask="r" fsuid=1000107 ouid=1000000

1. https://launchpad.net/ubuntu/+source/php-net-ldap2/2.2.1-1
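
The denial quoted in the report above, turned into the narrowest rule that would satisfy it. This is an added example, not part of the original report or of the package; the function names and the second log line are constructed for illustration.

```python
import re
from collections import defaultdict

# key="quoted value" or key=bare pairs, as written by the kernel audit subsystem
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# The log reports create (c) and delete (d); profile rules express both as w
LOG_TO_RULE = {"c": "w", "d": "w"}
# Exec (x) is left out on purpose: it needs a transition mode chosen by hand
RULE_ORDER = "rwamlk"

# First line is the denial quoted in the report; the second is constructed.
SAMPLE_LOG = [
    '[ter fev 28 17:54:03 2023] audit: type=1400 audit(1677617643.742:1644): apparmor="DENIED" operation="open" class="file" namespace="root//lxd-l-dep8_<var-snap-lxd-common-lxd>" profile="/usr/sbin/slapd" name="/tmp/autopkgtest.YThfJn/autopkgtest_tmp/ldap.pem" pid=444898 comm="slapd" requested_mask="r" denied_mask="r" fsuid=1000107 ouid=1000000',
    '[ter fev 28 17:54:04 2023] audit: type=1400 audit(1677617644.101:1645): apparmor="DENIED" operation="mknod" class="file" profile="/usr/sbin/slapd" name="/tmp/autopkgtest.YThfJn/autopkgtest_tmp/slapd.pid" pid=444898 comm="slapd" requested_mask="c" denied_mask="c" fsuid=1000107 ouid=1000107',
]


def parse_denial(line):
    """Return the audit fields of an AppArmor denial, or None for other lines."""
    fields = {k: (bare or quoted) for k, quoted, bare in FIELD_RE.findall(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    if not {"profile", "name", "denied_mask"} <= fields.keys():
        return None
    return fields


def minimal_rules(lines):
    """Map each profile to rule lines granting only what the log shows denied."""
    needed = defaultdict(lambda: defaultdict(set))
    for line in lines:
        denial = parse_denial(line)
        if not denial:
            continue
        perms = {LOG_TO_RULE.get(c, c) for c in denial["denied_mask"]}
        perms &= set(RULE_ORDER)
        if perms:
            needed[denial["profile"]][denial["name"]] |= perms
    return {
        profile: [
            f"{path} {''.join(c for c in RULE_ORDER if c in perms)},"
            for path, perms in sorted(paths.items())
        ]
        for profile, paths in needed.items()
    }


if __name__ == "__main__":
    for profile, rules in minimal_rules(SAMPLE_LOG).items():
        print(f"# additions for profile {profile}")
        print("\n".join(rules))
```
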

Andreas Hasenack (ahasenack) wrote :

A quick fix:
diff --git a/debian/tests/upstream-testsuite b/debian/tests/upstream-testsuite
index 161feb7..d7e1a7c 100755
--- a/debian/tests/upstream-testsuite
+++ b/debian/tests/upstream-testsuite
@@ -12,6 +12,20 @@ for ((i = 0; i < 10; i++)); do
     sleep 1
 done

+apparmor_profile="/etc/apparmor.d/usr.sbin.slapd"
+if [ -f "${apparmor_profile}" ]; then
+ if aa-status --enabled 2>/dev/null; then
+ # Adjust apparmor so slapd can read the heimdal master key
+ cat >> /etc/apparmor.d/local/usr.sbin.slapd <<EOF
+ ${AUTOPKGTEST_TMP}/** rwk,
+EOF
+ apparmor_parser -r -W -T "${apparmor_profile}" || {
+ # this failure may happen on armhf in Canonical infrastructure, see #1991141
+ echo "Failed to reload the ${apparmor_profile} apparmor profile, continuing anyway."
+ }
+ fi
+fi
+
 # see tests/HOWTO_SETUP_OPENLDAP_TESTCASE.txt and tests/ldapconfig.ini.dist
 SLAPD_ADDRESS="127.0.0.1"
 SLAPD_PORT=389
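
Review bot: the comment above the heredoc says the rule lets slapd read "the heimdal master key", but the bug description says what lives under $AUTOPKGTEST_TMP here are the TLS certificates the test creates, so the comment should say that instead. The rule itself, "${AUTOPKGTEST_TMP}/** rwk,", grants write and lock on the whole tree while the denial in the description shows requested_mask="r"; unless slapd also writes there, "r" would be enough. The heredoc appends with ">>", so a rerun on the same testbed adds the rule to /etc/apparmor.d/local/usr.sbin.slapd again, and nothing removes it afterwards.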

Tests still fail, though, but this time it's not because of apparmor. There are no other DENIED messages in the apparmor logs.

I note that the debian tests are also failing[1], but it migrated because the baseline for this new test is a failure, so no regression.

1. https://ci.debian.net/packages/p/php-net-ldap2/unstable/amd64/

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php-net-ldap2 - 2.2.1-1ubuntu2

---------------
php-net-ldap2 (2.2.1-1ubuntu2) lunar; urgency=medium

  * d/t/control: add allow-stderr restriction to the upstream-testsuite
    test because of the apparmor warning message on Ubuntu's armhf DEP8
    infrastructure where the profile cannot be replaced.

 -- Andreas Hasenack <email address hidden> Fri, 03 Mar 2023 09:33:58 -0300

Changed in php-net-ldap2 (Ubuntu):
status: New → Fix Released