Problem was discovered in both upstream kernel and in Ubuntu Natty beta kernels. The problem is a regression from Ubuntu Maverick and earlier releases.
When creating a profile for openssh-server, sshd, using the standard AppArmor profile development tools, a _partial_ profile is created and loaded correctly. When trying to iterate the development of the profile, I found that I was unable to log in to the machine via sshd, even though the AppArmor profile had flags=(complain,) at the beginning.
Removing the profile using apparmor_parser --remove /etc/apparmor.d/usr.sbin.sshd allowed the logins to succeed. Reloading the profile and restarting sshd recreates the problem.
The logfiles don't show any REJECT messages; a handful of ALLOWED messages are printed early on, but then _no_ log entries are generated.
The client quits with "broken pipe" errors.