Control: tag -1 + upstream Felix C. Stegerman: > I noticed that my openntpd service stopped working after apparmor was > enabled in sid by default. I finally traced the problem to a > remaining /etc/apparmor.d/usr.sbin.ntpd.dpkg-remove without 'x' > permissions for /usr/sbin/ntpd. It did not immediately occur to me > that whilst the /etc/apparmor.d/usr.sbin.ntpd config seemed fine, it > was being overruled by an old .dpkg-remove.
Good catch! > Not sure what the best way to fix this is, but it seems to me that > apparmor should probably not load any *.dpkg-remove. Agreed. I've asked someone who prepared a similar merge request recently if they would be fine with extending it to cover *.dpkg-remove too: https://gitlab.com/apparmor/apparmor/merge_requests/86#note_65780436 If they don't want to, perhaps you could do it yourself? https://gitlab.com/apparmor/apparmor/merge_requests/86/diffs should tell you exactly what should be changed and where :) Cheers!