Hi Kurt,

On Sun, Aug 05, 2018 at 11:58:38AM +0200, Kurt Roeckx wrote:
> Package: chrony
> Version: 3.3-2
>
> Hi,
>
> Why is the AppArmor profile put into complain mode?

To avoid breaking chrony installations due to our (at the time) immature AppArmor profile for users upgrading to chrony 3.2-2. For new installs the profile is placed into “enforce” mode though.

> The preinst has this:
>
>     case "$1" in
>         upgrade)
>             APP_PROFILE="usr.sbin.chronyd"
>             APP_CONFFILE="/etc/apparmor.d/$APP_PROFILE"
>             APP_COMPLAIN="/etc/apparmor.d/force-complain/$APP_PROFILE"
>
>             # force-complain on upgrade from pre-shipped profile
>             if dpkg --compare-versions "$2" lt "3.2-2" ; then
>                 mkdir -p `dirname "$APP_COMPLAIN"` 2>/dev/null || true
>                 ln -sf "$APP_CONFFILE" "$APP_COMPLAIN"
>             fi
>             ;;
>
> What pre-shipped profiles is this about?

Pre-shipped profile corresponds to any chrony version lacking an AppArmor profile (i.e. chrony versions < 3.2-2).

> It seems to trigger for every upgrade, and I don't understand why.

Hope the above makes things clearer‽

> Kurt

Warmly,
Vincent
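
The force-complain mechanism discussed in this thread, as an added example that is not part of the original mail or of the chrony package: a small audit that reports whether a profile is pinned to complain mode by a link under `force-complain`. The config-root argument and the `usr.sbin.example` profile are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the chrony package): audit AppArmor force-complain pins.
# The directory layout follows the preinst quoted in the mail; the config-root
# argument is a hypothetical parameter so the check can run on a test tree.

# Print the pin state of one profile: force-complain | not-pinned | no-profile
profile_pin_state() {
    profile="$1"
    root="${2:-/etc/apparmor.d}"
    pin="$root/force-complain/$profile"
    # -L also catches a dangling link: the preinst runs before the profile is unpacked
    if [ -L "$pin" ] || [ -e "$pin" ]; then
        echo "force-complain"
    elif [ -e "$root/$profile" ]; then
        echo "not-pinned"
    else
        echo "no-profile"
    fi
}

# List every pinned profile under the config root, one name per line.
list_pinned_profiles() {
    root="${1:-/etc/apparmor.d}"
    [ -d "$root/force-complain" ] || return 0
    for pin in "$root/force-complain"/*; do
        # An unmatched glob stays literal; skip anything that is not a real entry
        [ -L "$pin" ] || [ -e "$pin" ] || continue
        basename "$pin"
    done
}

# Constructed demo tree mirroring what the upgrade branch leaves behind.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/force-complain"
    : > "$tmp/usr.sbin.chronyd"
    : > "$tmp/usr.sbin.example"   # constructed second profile, not pinned
    ln -sf "$tmp/usr.sbin.chronyd" "$tmp/force-complain/usr.sbin.chronyd"
    echo "chronyd: $(profile_pin_state usr.sbin.chronyd "$tmp")"
    echo "example: $(profile_pin_state usr.sbin.example "$tmp")"
    rm -rf "$tmp"
}

demo
```

On a real system, `aa-enforce` from apparmor-utils is the usual way to put a pinned profile back into enforce mode.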