Bug#893005: bind9: incorrect apparmor profile name in d/rules

Thu, 15 Mar 2018 06:39:56 -0700 

Package: bind9
Version: 9.11.2.P1-1
Severity: normal

Dear Maintainer,

bind9 specifies an apparmor profile like this in d/rules:

    dh_apparmor -pbind9 --profile-name=usr.bin.named


But the profile itself is usr.sbin.named:

    debian/extras/apparmor.d/usr.sbin.named

This generates an incorrect postinst snippet and the local/ include bit is
not generated:

(...)
if [ "$1" = "configure" ]; then
    APP_PROFILE="/etc/apparmor.d/usr.bin.named"
    if [ -f "$APP_PROFILE" ]; then
        # Add the local/ include
        LOCAL_APP_PROFILE="/etc/apparmor.d/local/usr.bin.named"

        test -e "$LOCAL_APP_PROFILE" || {
            mkdir -p `dirname "$LOCAL_APP_PROFILE"`
            install --mode 644 /dev/null "$LOCAL_APP_PROFILE"
        }
(...)

APP_PROFILE with the name usr.bin.named does not exist, and the rest of the
code isn't run.

Apparmor fails to reload because of the missing local/ file:

# systemctl status apparmor.service
● apparmor.service - AppArmor initialization
   Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor
preset: enabled)
   Active: failed (Result: exit-code) since Thu 2018-03-15 13:22:40 UTC; 4s
ago
     Docs: man:apparmor(7)
           http://wiki.apparmor.net/
  Process: 1250 ExecStart=/etc/init.d/apparmor start (code=exited,
status=123)
 Main PID: 1250 (code=exited, status=123)

Mar 15 13:22:40 touching-fish systemd[1]: Starting AppArmor
initialization...
Mar 15 13:22:40 touching-fish apparmor[1250]: Starting AppArmor
profiles:AppArmor parser error for /etc/apparmor.d/usr.sbin.named in
/etc/apparmor.d/usr.sbin.named at line 69: Could not open 'local/
usr.sbin.name
d'
Mar 15 13:22:40 touching-fish apparmor[1250]: AppArmor parser error for
/etc/apparmor.d/usr.sbin.named in /etc/apparmor.d/usr.sbin.named at line
69: Could not open 'local/usr.sbin.named'
Mar 15 13:22:40 touching-fish apparmor[1250]:  failed!
Mar 15 13:22:40 touching-fish systemd[1]: apparmor.service: Main process
exited, code=exited, status=123/n/a
Mar 15 13:22:40 touching-fish systemd[1]: apparmor.service: Failed with
result 'exit-code'.
Mar 15 13:22:40 touching-fish systemd[1]: Failed to start AppArmor
initialization.

Reply via email to