[pkg-apparmor] Bug#822349: does not enable policy if it's the system's first

Peter Palfrader weasel at debian.org
Sat Apr 23 17:57:37 UTC 2016


Package: dh-apparmor
Version: 2.10-4
Severity: important

If a package ships an apparmor policy, and it's the first policy on the
system, then it's not getting enabled during postinst configure, causing
the service to fail to start:

} root@sid:~# aa-status
} apparmor module is loaded.
} 0 profiles are loaded.
} 0 profiles are in enforce mode.
} 0 profiles are in complain mode.
} 0 processes have profiles defined.
} 0 processes are in enforce mode.
} 0 processes are in complain mode.
} 0 processes are unconfined but have a profile defined.
} root@sid:~# apt-get install tor
} Reading package lists... Done
} Building dependency tree       
} Reading state information... Done
} The following additional packages will be installed:
}   tor-geoipdb
} Suggested packages:
}   mixmaster torbrowser-launcher socat tor-arm obfsproxy obfs4proxy
} The following NEW packages will be installed:
}   tor tor-geoipdb
} 0 upgraded, 2 newly installed, 0 to remove and 46 not upgraded.
} Need to get 0 B/2311 kB of archives.
} After this operation, 8707 kB of additional disk space will be used.
} Do you want to continue? [Y/n] 
} Selecting previously unselected package tor.
} (Reading database ... 26574 files and directories currently installed.)
} Preparing to unpack .../tor_0.2.8.2-alpha-1_amd64.deb ...
} Unpacking tor (0.2.8.2-alpha-1) ...
} Selecting previously unselected package tor-geoipdb.
} Preparing to unpack .../tor-geoipdb_0.2.8.2-alpha-1_all.deb ...
} Unpacking tor-geoipdb (0.2.8.2-alpha-1) ...
} Processing triggers for man-db (2.7.5-1) ...
} Processing triggers for systemd (229-4) ...
} Setting up tor (0.2.8.2-alpha-1) ...
} Something or somebody made /var/lib/tor disappear.
} Creating one for you again.
} Something or somebody made /var/log/tor disappear.
} Creating one for you again.
} Setting up tor-geoipdb (0.2.8.2-alpha-1) ...
} Processing triggers for systemd (229-4) ...
} root@sid:~# aa-status
} apparmor module is loaded.
} 0 profiles are loaded.
} 0 profiles are in enforce mode.
} 0 profiles are in complain mode.
} 0 processes have profiles defined.
} 0 processes are in enforce mode.
} 0 processes are in complain mode.
} 0 processes are unconfined but have a profile defined.


the journal has this to say:
| Apr 23 19:53:20 sid systemd[1091]: tor@default.service: Failed at step APPARMOR spawning /usr/bin/tor: No such file or directory
| Apr 23 19:53:20 sid systemd[1]: tor@default.service: Main process exited, code=exited, status=231/APPARMOR

Starting works after a reboot or after 'service apparmor restart'.

I think the problem is that, without any policies loaded, aa-status
enabled exits with exit code 2, and thus the postinst doesn't enable the
service:

From the postinst:

|       if aa-status --enabled 2>/dev/null; then
|           apparmor_parser -r -T -W "$APP_PROFILE" || true
|       fi


This made it work:

--- /var/lib/dpkg/info/tor.postinst     2016-04-23 14:01:01.000000000 +0200
+++ ./tor.postinst      2016-04-23 19:50:17.560787075 +0200
@@ -165,7 +165,9 @@
         }
 
         # Reload the profile, including any abstraction updates
-        if aa-status --enabled 2>/dev/null; then
+        rc=0
+        aa-status --enabled 2>/dev/null || rc=$?
+        if [ "$rc" = 0 ] || [ "$rc" = 2 ]; then
             apparmor_parser -r -T -W "$APP_PROFILE" || true
         fi
     fi
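Review bot: the condition `if [ "$rc" = 0 ] || [ "$rc" = 2 ]; then` on the third added line silently encodes that exit code 2 from `aa-status --enabled` means "AppArmor enabled, but no profiles loaded yet" (the situation described at the top of this report); put that in a comment next to the test, e.g. `# rc 2: apparmor enabled but no policy loaded yet (first profile on the system)`, so a later maintainer does not narrow it back to `rc = 0` and reintroduce the failure. Also note that `apparmor_parser -r -T -W "$APP_PROFILE" || true` still swallows a parse or load error, and the journal lines above show the unit then fails hard at step APPARMOR (status=231/APPARMOR); printing a warning on that branch would make the next occurrence of this bug visible during `apt-get install` instead of only at service start.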


Please consider this change.

Cheers,
weasel
