[Bug 202161] [NEW] apparmor broken after reboot on i386

Jamie Strandboge Fri, 14 Mar 2008 07:15:29 -0700

Public bug reported:

Binary package hint: apparmor


This problem was witnessed in two separate hardy/386 virtual machines in
kvm with the -386, -generic and -server kernels on the guest.  This goes
back to -7-386 at least (other kernel flavors were tested only with
-12). Host OS is amd64 on up to date hardy.  Up to date hardy/amd64
guest (only -12-server kernel was tested) appears to work fine.

** Details **
After rebooting with profiles in enforcing mode, apparmor is broken in that it 
enforces things that it shouldn't.  With this entry in the profile:
/var/lib/ldap/* rw,

On boot, slapd fails to start with this in kern.log:
Mar 14 11:56:16 hardy-386 kernel: [   32.034060] audit(1205495776.396:2): 
operation="file_mmap" request_mask="mrw::" denied_mask="m::" 
name="/var/lib/ldap/__db.001" pid=3745 profile="/usr/sbin/slapd" 
namespace="default"

But if I login and do '/etc/init.d/slapd start', then slapd starts
without errors or apparmor messages.

aa-status after boot, but before running '/etc/init.d/slapd start' after 
logging in:
$ sudo aa-status
[sudo] password for james: 
apparmor module is loaded.
2 profiles are loaded.
2 profiles are in enforce mode.
   /usr/sbin/slapd
   /usr/sbin/named
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode :
   /usr/sbin/named (3932) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

aa-status after boot and after running '/etc/init.d/slapd start' after logging 
in:
$ sudo aa-status
apparmor module is loaded.
2 profiles are loaded.
2 profiles are in enforce mode.
   /usr/sbin/slapd
   /usr/sbin/named
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode :
   /usr/sbin/named (3932) 
   /usr/sbin/slapd (4101) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

** Steps to reproduce **
1. Boot an up to date hardy on i386

2. apt-get install slapd

3. reboot (slapd does not start with above error)

4. /etc/init.d/slapd start (this time it works and no errors)

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

-- 
apparmor broken after reboot on i386
https://bugs.launchpad.net/bugs/202161
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 202161] [NEW] apparmor broken after reboot on i386

Reply via email to