Hi Simon && Christian,

Thanks for providing this report!
I was wondering... isn't this behaviour to be performed as a postrm script by the package that carries the original apparmor profile, in this case, ntp?
If we think about this for a moment, what we will end up with might be removing and reinstalling an apparmor profile on every openntpd upgrade, which seems odd, instead of pruning ntp's currently attached, running kernel policy.
This also seems a good idea from ntp's perspective, since it helps restore the system to a proper state (unloading stuff that no longer needs to be loaded, such as a kernel-loaded apparmor profile).
I might be missing something here, so please excuse and clarify.

Cheers,

Dererk

On 23/11/17 19:02, Simon Deziel wrote:
> Package: openntpd
> Version: 1:6.2p3-1
> Severity: low
>
> Hi,
>
> When someone purges the ntp package to then install openntpd, it is possible for ntp's Apparmor profile to remain loaded in the kernel after the corresponding /etc/apparmor.d/ file was removed. This prevents openntpd from working or even detecting the old profile's file.
>
> For all the details, please see the original bug as reported to Ubuntu [1]. Please consider applying the patch from Christian Ehrhardt [2] to ensure a smoother transition from ntp to openntpd.
>
> Thank you,
> Simon
>
> [1] https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1689585
> [2] https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1689585/comments/13
-- 
BOFH excuse #154: You can tune a file system, but you can't tune a fish (from most tunefs man pages)
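The situation described in the thread (a profile still loaded in the kernel after its /etc/apparmor.d/ file is gone) can be detected by comparing the kernel's list of loaded profiles with what is still defined on disk. The following POSIX shell function is an added example written for this page; it is not part of the bug report, the Ubuntu patch, or either package's maintainer scripts. It takes the loaded-profile listing as text in the format of /sys/kernel/security/apparmor/profiles (one `name (mode)` per line) and a newline-separated list of profile names that still have a definition under /etc/apparmor.d/, and prints the names that are loaded but have no on-disk definition. The sample data at the bottom is constructed for illustration.

```shell
#!/bin/sh
# Added example: report AppArmor profiles that are still loaded in the kernel
# but no longer have a definition file under /etc/apparmor.d/.
#
# stale_profiles LOADED_LISTING ONDISK_NAMES
#   $1  text in the format of /sys/kernel/security/apparmor/profiles,
#       i.e. one "name (mode)" per line; nested profiles appear as
#       "parent//child (mode)"
#   $2  newline-separated profile names that are still defined on disk
# Prints one stale profile name per line (empty output means nothing is stale).
stale_profiles() {
    loaded_listing=$1
    ondisk_names=$2
    # Strip the trailing " (mode)" so only the profile name remains.
    printf '%s\n' "$loaded_listing" | sed 's/ ([^)]*)$//' | while IFS= read -r name; do
        [ -n "$name" ] || continue
        # Exact, fixed-string, whole-line match against the on-disk names.
        if ! printf '%s\n' "$ondisk_names" | grep -qxF -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample: ntp's profile (and a child profile) is still loaded, but
# after purging ntp only tcpdump's and openntpd's definitions remain on disk.
SAMPLE_LOADED='/usr/sbin/ntpd (enforce)
/usr/sbin/tcpdump (complain)
/usr/sbin/ntpd//child (enforce)'
SAMPLE_ONDISK='/usr/sbin/tcpdump
/usr/sbin/openntpd'

# Demonstration on the constructed sample: prints the two stale ntpd entries.
stale_profiles "$SAMPLE_LOADED" "$SAMPLE_ONDISK"
```

On a live system the first argument would come from `cat /sys/kernel/security/apparmor/profiles` (readable only as root) and the second from the profile names declared in the files under /etc/apparmor.d/. As Dererk's reply points out, actually unloading a stale profile belongs to the package that shipped it, typically in its postrm; this function only makes the mismatch visible so that a packaging or system check can flag it.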