[Touch-packages] [Bug 1689585] Re: ntp doesn't unload its apparmor profile on purge

2018-05-29 Thread Bug Watch Updater
** Changed in: openntpd (Debian) Status: Unknown => New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1689585 Title: ntp doesn't unload its apparmor profile on pu

[Touch-packages] [Bug 1689585] Re: ntp doesn't unload its apparmor profile on purge

2018-05-29 Thread  Christian Ehrhardt 
Nothing to do on NTP here, linked up the relayed Debian bug on openntpd - thanks Simon! ** Also affects: openntpd (Debian) via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882556 Importance: Unknown Status: Unknown ** Changed in: ntp (Ubuntu) Status: Confirmed => Won't Fi

[Touch-packages] [Bug 1689585] Re: ntp doesn't unload its apparmor profile on purge

2017-11-23 Thread Simon Déziel
Thanks for the patch Christian, I relayed it in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882556 ** Bug watch added: Debian Bug tracker #882556 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882556

[Touch-packages] [Bug 1689585] Re: ntp doesn't unload its apparmor profile on purge

2017-11-15 Thread ChristianEhrhardt
How about suggesting the following to openntpd in Debian then? Simon would you be so kind and open a bug there if that would find a consensus? diff --git a/debian/openntpd.preinst b/debian/openntpd.preinst index 4cb3147..3e55947 100644 --- a/debian/openntpd.preinst +++ b/debian/openntpd.preinst @@

[Touch-packages] [Bug 1689585] Re: ntp doesn't unload its apparmor profile on purge

2017-05-15 Thread Jamie Strandboge
"Asking someone to know about that: echo -n "" > /sys/kernel/security/apparmor/.remove Is asking too much IMHO and increases the friction between sysadmins and Apparmor in general." Of course. I listed this as something that could be considered for the openntpd/ntpd case, not for a sysadmin. T

[Touch-packages] [Bug 1689585] Re: ntp doesn't unload its apparmor profile on purge

2017-05-13 Thread Christian Boltz
> Sorry, I meant it's the service's job to properly/forcefully stop a
> daemon. I agree that killing processes in postrm is dangerous.

I agree that kill -9 isn't the way to go (it was meant as a rhetorical question), but there are still valid reasons why a daemon doesn't get stopped in postrm: - th

Re: [Touch-packages] [Bug 1689585] Re: ntp doesn't unload its apparmor profile on purge

2017-05-12 Thread Simon Déziel
On 2017-05-12 03:34 PM, Seth Arnold wrote:
> On Fri, May 12, 2017 at 06:56:35PM -, Simon Déziel wrote:
>> If purging a package doesn't kill the running process, that's a
>> packaging bug, not something Apparmor should try to paper over, IMHO.
>
> Yikes, package pre/post inst/rm scripts already

Re: [Touch-packages] [Bug 1689585] Re: ntp doesn't unload its apparmor profile on purge

2017-05-12 Thread Seth Arnold
On Fri, May 12, 2017 at 06:56:35PM -, Simon Déziel wrote:
> If purging a package doesn't kill the running process, that's a
> packaging bug, not something Apparmor should try to paper over, IMHO.

Yikes, package pre/post inst/rm scripts already do way too many things. Deciding what processes to

Re: [Touch-packages] [Bug 1689585] Re: ntp doesn't unload its apparmor profile on purge

2017-05-12 Thread Simon Déziel
On 2017-05-12 02:15 PM, Christian Boltz wrote:
> You are technically correct that the still-loaded profile doesn't
> match a clean uninstall. However, I have a different opinion on this
> and think keeping the profile loaded is the better choice.
>
> Unloading a profile means removing the confinem

[Touch-packages] [Bug 1689585] Re: ntp doesn't unload its apparmor profile on purge

2017-05-12 Thread Jamie Strandboge
Christian is right and this is precisely why dh_apparmor intentionally does not unload the profile. Marking the apparmor task as Won't Fix since this has been discussed several times in the past (if apparmor upstream wants to revisit, we can open the bug). The ntp package is still in a position to

[Touch-packages] [Bug 1689585] Re: ntp doesn't unload its apparmor profile on purge

2017-05-12 Thread Christian Boltz
You are technically correct that the still-loaded profile doesn't match a clean uninstall. However, I have a different opinion on this and think keeping the profile loaded is the better choice. Unloading a profile means removing the confinement from running processes. So if a process is still runn

Re: [Touch-packages] [Bug 1689585] Re: ntp doesn't unload its apparmor profile on purge

2017-05-12 Thread Simon Déziel
On 2017-05-12 01:48 AM, ChristianEhrhardt wrote:
> shouldn't dh_apparmor unload it just as it loads it?

Exactly, I would have assumed that it was dh_apparmor's job. Curious to hear from the Apparmor folks. Thanks for looking into this.

Simon

[Touch-packages] [Bug 1689585] Re: ntp doesn't unload its apparmor profile on purge

2017-05-11 Thread ChristianEhrhardt
From postinst of dh_apparmor:

    # Reload the profile, including any abstraction updates
    if aa_is_enabled; then
        apparmor_parser -r -T -W "$APP_PROFILE" || true
    fi

So if dh_apparmor generates the snippet to load correctly, shouldn't it (not only on purge but on rem

[Touch-packages] [Bug 1689585] Re: ntp doesn't unload its apparmor profile on purge

2017-05-11 Thread ChristianEhrhardt
This is the section it created on postrm:

    # Automatically added by dh_apparmor
    if [ "$1" = "purge" ] && ! [ -e "/etc/apparmor.d/usr.sbin.ntpd" ] ; then
        rm -f "/etc/apparmor.d/disable/usr.sbin.ntpd" || true
        rm -f "/etc/apparmor.d/force-complain/usr.sbin.ntpd" || true
        rm -f "/etc/apparm

[Touch-packages] [Bug 1689585] Re: ntp doesn't unload its apparmor profile on purge

2017-05-11 Thread ChristianEhrhardt
Hi Simon, thank you for your report - it indeed should unload the profile. I wonder though, as it uses: dh_apparmor --profile-name=usr.sbin.ntpd -pntp Which I thought should handle load and unload in the generated sections. Commenting on that once I prepped my text ... ** Changed in: ntp (Ubunt