Public bug reported:

Binary package hint: apparmor

This appears new to karmic, and I'm seeing it on the x86 port. On boot, profiles symlinked into the ignore directories don't get ignored, they get set to complain mode. A "service apparmor reload" or "service apparmor restart" doesn't set them to ignore properly, you need to do a full "service apparmor stop && service apparmor start" to get it to properly ignore the rules.

I see this consistently with the enforcement rules on Dovecot, as my maildirs are in ~/mail for each user, and this throws a lot of errors in syslog with the default apparmor ruleset.

aa-status on boot shows:

apparmor module is loaded.
22 profiles are loaded.
10 profiles are in enforce mode.
   /usr/sbin/clamd
   /usr/bin/freshclam
   /usr/sbin/cupsd
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/sbin/avahi-daemon
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/tcpdump
   /usr/lib/cups/backend/cups-pdf
   /usr/sbin/mysqld
   /sbin/dhclient3
12 profiles are in complain mode.
   /usr/sbin/traceroute
   /bin/ping
   /usr/sbin/mdnsd
   /usr/sbin/ntpd
   /usr/sbin/identd
   /sbin/klogd
   /usr/sbin/nmbd
   /usr/sbin/dnsmasq
   /sbin/syslogd
   /sbin/syslog-ng
   /usr/sbin/nscd
   /usr/sbin/dovecot
15 processes have profiles defined.
6 processes are in enforce mode :
   /usr/sbin/avahi-daemon (1163)
   /usr/sbin/cupsd (3094)
   /usr/sbin/mysqld (2652)
   /usr/sbin/clamd (2048)
   /usr/sbin/avahi-daemon (1164)
   /usr/bin/freshclam (2146)
9 processes are in complain mode.
   /usr/sbin/dovecot (3015)
   /usr/sbin/dovecot (3007)
   /usr/sbin/dovecot (3005)
   /usr/sbin/nmbd (2852)
   /usr/sbin/dovecot (3685)
   /usr/sbin/dovecot (3672)
   /usr/sbin/ntpd (1067)
   /usr/sbin/dovecot (3093)
   /usr/sbin/dovecot (3671)
0 processes are unconfined but have a profile defined.

This is the same after a service reload and a service restart. After a full service stop/start cycle, it shows:

apparmor module is loaded.
22 profiles are loaded.
10 profiles are in enforce mode.
   /usr/sbin/clamd
   /usr/bin/freshclam
   /usr/sbin/cupsd
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/sbin/avahi-daemon
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/tcpdump
   /usr/lib/cups/backend/cups-pdf
   /usr/sbin/mysqld
   /sbin/dhclient3
12 profiles are in complain mode.
   /usr/sbin/traceroute
   /bin/ping
   /usr/sbin/mdnsd
   /usr/sbin/ntpd
   /usr/sbin/identd
   /sbin/klogd
   /usr/sbin/nmbd
   /usr/sbin/dnsmasq
   /sbin/syslogd
   /sbin/syslog-ng
   /usr/sbin/nscd
   /usr/sbin/dovecot
9 processes have profiles defined.
0 processes are in enforce mode :
0 processes are in complain mode.
9 processes are unconfined but have a profile defined.
   /usr/sbin/cupsd (3094)
   /usr/sbin/mysqld (2652)
   /usr/sbin/clamd (2048)
   /usr/sbin/dovecot (3005)
   /usr/sbin/avahi-daemon (1163)
   /usr/sbin/nmbd (2852)
   /usr/sbin/ntpd (1067)
   /usr/sbin/avahi-daemon (1164)
   /usr/bin/freshclam (2146)

My config has all the dovecot profiles symlinked into the "ignore" directory, of course.

ProblemType: Bug
Architecture: i386
Date: Mon Dec 14 15:18:41 2009
DistroRelease: Ubuntu 9.10
Package: apparmor 2.3.1+1403-0ubuntu27.2 [modified: sbin/apparmor_parser]
ProcEnviron:
 SHELL=/bin/bash
 PATH=(custom, no user)
 LANG=en_CA.UTF-8
ProcVersionSignature: Ubuntu 2.6.31-16.53-generic-pae
SourcePackage: apparmor
Uname: Linux 2.6.31-16-generic-pae i686

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: apport-bug i386

-- 
apparmor doesn't respect ignore directory on boot
https://bugs.launchpad.net/bugs/496770
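Added example, not part of the original report or of the apparmor package: a small parser for aa-status listings in the format quoted above, which lists each process reported as "unconfined but have a profile defined" together with the mode its profile is loaded in. The sample input is constructed (abridged from the report's paths), and the code assumes a profile is named after the binary path, as in the listings above.

```python
import re

# Constructed sample: abridged aa-status listing in the format quoted in the report.
SAMPLE = """\
apparmor module is loaded.
5 profiles are loaded.
3 profiles are in enforce mode.
   /usr/sbin/clamd
   /usr/sbin/cupsd
   /usr/sbin/mysqld
2 profiles are in complain mode.
   /usr/sbin/ntpd
   /usr/sbin/dovecot
4 processes have profiles defined.
0 processes are in enforce mode :
0 processes are in complain mode.
4 processes are unconfined but have a profile defined.
   /usr/sbin/cupsd (3094)
   /usr/sbin/mysqld (2652)
   /usr/sbin/dovecot (3005)
   /usr/sbin/ntpd (1067)
"""

SECTION = re.compile(r"^\d+ (profiles|processes) are (?:in (enforce|complain) mode"
                     r"|(unconfined) but have a profile defined)\s*[:.]?$")
ENTRY = re.compile(r"^(/\S+)(?: \((\d+)\))?$")

def parse_aa_status(text):
    """Map (kind, state) -> list of (path, pid or None)."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header, entry = SECTION.match(line), ENTRY.match(line)
        if header:
            current = (header.group(1), header.group(2) or header.group(3))
            sections[current] = []
        elif entry and current:
            pid = int(entry.group(2)) if entry.group(2) else None
            sections[current].append((entry.group(1), pid))
        else:
            current = None  # summary line such as "5 profiles are loaded."
    return sections

def unconfined_with_profile(text):
    """List (path, pid, profile_mode) for processes running without their loaded profile."""
    s = parse_aa_status(text)
    # Assumption: profile name equals the binary path, as in the listings above.
    mode = {path: state for (kind, state), rows in s.items()
            if kind == "profiles" for path, _ in rows}
    return [(path, pid, mode.get(path, "not loaded"))
            for path, pid in s.get(("processes", "unconfined"), [])]

if __name__ == "__main__":
    for path, pid, profile_mode in unconfined_with_profile(SAMPLE):
        print(f"{path} (pid {pid}): unconfined, profile loaded in {profile_mode} mode")
```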