tags 679597 + patch
thanks

Hi,

John Johansen wrote (30 Jun 2012 07:30:20 GMT) :
> Fix the parser so it checks for the presence of the network feature in the
> compatibility interface. Previously it was assuming that if the compatibility
> interface was present that network rules were also present; this is not
> necessarily true and causes apparmor to break when only the compatibility
> patch is applied.

Thanks for this patch.

It works fine for me with the current sid kernel
(linux-image-3.2.0-3-amd64 3.2.21-3).

However, on a kernel that has both the compat + network patches applied
(that is, not the current sid kernel), installing the apparmor
userspace tools with this patch applied results in reloading all
profiles (I guess this is normal postinst operation), which triggers
tons of error messages such as:

  Warning from /etc/apparmor.d/usr.bin.evince
  (/etc/apparmor.d/usr.bin.evince line 148): profile sanitized_helper
  network rules not enforced

And then, it seems like the applications covered by these profiles are
denied access to the network entirely:

  type=1400 audit(1341176452.889:291): apparmor="DENIED"
  operation="create" parent=1 profile="/usr/sbin/ntpd" pid=6748
  comm="ntpd" family="inet" sock_type="dgram" protocol=0

(I've not tried rebooting to see what happens, though.)

So I'm not too sure the network feature detection was fixed entirely.

But well, in any case, the patch fixes the actual, current bug,
which is great!
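The two symptoms reported above, the "network rules not enforced" warning at load time and the later "DENIED" socket operations, can be correlated from the audit log. The following is an added example written for this thread, not code from the bug report or from the AppArmor project: it parses AppArmor type=1400 audit records into their key="value" fields and lists the profiles that were denied network access, which is the set to compare against the profiles the parser warned about. The sample lines are constructed (the first is the ntpd record quoted in the report, rejoined onto one line; the second is a made-up file-access denial that the filter should ignore).

```python
import re
from typing import Dict, List

# Constructed sample input. Line 1 is the DENIED record quoted in the bug
# report, joined onto a single line as it appears in a real audit log.
# Line 2 is a constructed file-open denial with no address family, included
# to show that only socket-mediation records are selected.
SAMPLE_AUDIT_LINES = [
    'type=1400 audit(1341176452.889:291): apparmor="DENIED" operation="create" '
    'parent=1 profile="/usr/sbin/ntpd" pid=6748 comm="ntpd" family="inet" '
    'sock_type="dgram" protocol=0',
    'type=1400 audit(1341176460.000:292): apparmor="DENIED" operation="open" '
    'parent=1 profile="/usr/bin/evince" name="/etc/shadow" pid=7001 comm="evince"',
]

# Matches key=value where value is either "quoted" or a bare token.
_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor_audit(line: str) -> Dict[str, str]:
    """Turn one AppArmor audit record into a dict of its key/value fields."""
    fields: Dict[str, str] = {}
    for m in _FIELD_RE.finditer(line):
        key = m.group(1)
        # group 3 is the unquoted content of a quoted value; group 4 a bare token
        value = m.group(3) if m.group(3) is not None else m.group(4)
        fields[key] = value
    return fields


def is_network_denial(fields: Dict[str, str]) -> bool:
    """True for a socket operation AppArmor denied: the record is DENIED and
    carries an address family, which only network-mediation records do."""
    return fields.get("apparmor") == "DENIED" and "family" in fields


def network_denials(lines: List[str]) -> List[Dict[str, str]]:
    """Parsed records for every network denial among the given log lines."""
    return [f for f in map(parse_apparmor_audit, lines) if is_network_denial(f)]


def profiles_with_network_denials(lines: List[str]) -> List[str]:
    """Distinct profile names denied network access, sorted, so they can be
    checked against the 'network rules not enforced' warnings from the parser."""
    return sorted({f["profile"] for f in network_denials(lines)})


if __name__ == "__main__":
    for rec in network_denials(SAMPLE_AUDIT_LINES):
        print(f'{rec["profile"]}: {rec["operation"]} family={rec["family"]} '
              f'sock_type={rec.get("sock_type")} protocol={rec.get("protocol")}')
    print("profiles denied network access:",
          profiles_with_network_denials(SAMPLE_AUDIT_LINES))
```

Fed the lines of a real `/var/log/audit/audit.log` (or the kernel log on a system without auditd), the script prints one line per network denial and the distinct profile list; a profile that appears both there and in the load-time warnings is one whose network rules were dropped rather than enforced, which is exactly the situation described in the report.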


