apparmor parser in precise does not support block_suspend capability (needed for backported kernels)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apparmor (Ubuntu) | Fix Released | Undecided | Unassigned |
Precise | Won't Fix | Undecided | Marc Deslauriers |
Saucy | Fix Released | Undecided | Unassigned |
cups (Ubuntu) | Confirmed | Undecided | Marc Deslauriers |

Bug Description
When running an up-to-date precise system with a linux-image-
the precise version of apparmor will deny all attempts of apparmored apps to call the block_suspend system call:
For example:
type=AVC msg=audit(
But it is also impossible to add block_suspend to the apparmor profiles, because the AppArmor parser does not know about it:
Setting /usr/sbin/cupsd to enforce mode.
Warning from stdin (line 1): /sbin/apparmor_
AppArmor parser error, in stdin line 24: Invalid capability block_suspend.
This seems to make it impossible to have apparmor not deny block suspend when using an LTS HWE kernel.
This seems to be related to bug #1052098.
ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: apparmor 2.7.102-0ubuntu3.7
ProcVersionSign
Uname: Linux 3.8.0-25-generic x86_64
ApportVersion: 2.0.1-0ubuntu17.3
Architecture: amd64
Date: Wed Jul 10 12:48:24 2013
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
KernLog: Jul 10 12:34:08 gumdrop kernel: [580960.424225] SGI XFS with ACLs, security attributes, realtime, large block/inode numbers, no debug enabled
MarkForUpload: True
ProcEnviron:
TERM=xterm
PATH=(custom, no user)
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)
audit.log: Error: [Errno 13] Permission denied: '/var/log/
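An added example (not part of the original report and not AppArmor's own code): a small triage script that groups AppArmor capability denials by profile and marks the ones the installed parser cannot express, which is the situation described above. The audit lines and the `OLD_PARSER_CAPS` set are constructed for illustration; the real set of accepted names depends on the installed apparmor_parser.

```python
import re
from collections import defaultdict

# Constructed sample audit records (the log line in the report itself is truncated).
SAMPLE_LOG = """\
type=AVC msg=audit(1373453304.101:210): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/cupsd" pid=1412 comm="cupsd" capability=36 capname="block_suspend"
type=AVC msg=audit(1373453310.552:214): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/cupsd" pid=1412 comm="cupsd" capability=36 capname="block_suspend"
type=AVC msg=audit(1373453311.007:215): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/cupsd" name="/etc/example.conf" pid=1412 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1373453320.300:219): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/exampled" pid=2001 comm="exampled" capability=12 capname="net_admin"
type=AVC msg=audit(1373453321.000:220): apparmor="ALLOWED" operation="capable" parent=1 profile="/usr/sbin/exampled" pid=2001 comm="exampled" capability=36 capname="block_suspend"
"""

# Constructed stand-in for the capability names an older parser accepts (assumption).
OLD_PARSER_CAPS = {"net_admin", "sys_admin", "wake_alarm"}

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fields(line):
    """Split one audit record into key -> value, with quotes removed."""
    return {k: (q if q else u) for k, q, u in FIELD.findall(line)}

def capability_denials(log_text, parser_caps):
    """Count DENIED capability checks per profile and flag names missing from parser_caps."""
    result = defaultdict(dict)
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") != "DENIED" or f.get("operation") != "capable":
            continue  # skip file denials and complain-mode (ALLOWED) records
        cap = f.get("capname")
        if not cap:
            continue
        entry = result[f.get("profile", "?")].setdefault(
            cap, {"count": 0, "parser_supports": cap in parser_caps})
        entry["count"] += 1
    return dict(result)

def report(denials):
    """Render one summary line per (profile, capability) pair."""
    lines = []
    for profile, caps in sorted(denials.items()):
        for cap, info in sorted(caps.items()):
            note = ("expressible as 'capability %s,'" % cap if info["parser_supports"]
                    else "parser does not know '%s'; no profile rule possible" % cap)
            lines.append("%s: %s x%d -> %s" % (profile, cap, info["count"], note))
    return lines

if __name__ == "__main__":
    print("\n".join(report(capability_denials(SAMPLE_LOG, OLD_PARSER_CAPS))))
```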
Changed in cups (Ubuntu):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apparmor (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
This is actually bug #1058356 but for precise with a raring kernel. The fix for precise is to adjust upstart in the same way we did for quantal's 1.5-0ubuntu9.