Comment 0 for bug 748656

Seth Arnold (seth-arnold) wrote :

Problem was discovered in both upstream kernel and in Ubuntu Natty beta kernels. The problem is a regression from Ubuntu Maverick and earlier releases.

When creating a profile for openssh-server, sshd, using the standard AppArmor profile development tools, a _partial_ profile is created and loaded correctly. When trying to iterate the development of the profile, I found that I was unable to log in to the machine via sshd, even though the AppArmor profile had flags=(complain,) at the beginning.

Removing the profile using apparmor_parser --remove /etc/apparmor.d/usr.sbin.sshd allowed the logins to succeed. Reloading the profile and restarting sshd recreates the problem.

The logfiles don't show any REJECT messages; a handful of ALLOWED messages are printed early on, but then _no_ log entries are generated.

The client quits with "broken pipe" errors.