[pkg-apparmor] Bug#879590: apparmor breaks all kinds of stuff

Christoph Anton Mitterer calestyo at scientia.net
Thu Nov 2 16:04:53 UTC 2017


On Wed, 2017-11-01 at 07:40 +0100, intrigeri wrote:
> Indeed, it would have been nice. Can you please report a bug against
> src:linux about it?

I already had:
#880441



> Ouch! Sorry about that. May you please report dedicated bugs about
> these, attaching the AppArmor log denials?

I saw these:
Nov  1 00:30:23 heisenberg systemd[18635]: tor@default.service: Failed to prepare AppArmor profile change to system_tor: No such file or directory
Nov  1 00:30:23 heisenberg systemd[18635]: tor@default.service: Failed at step APPARMOR spawning /usr/bin/tor: No such file or directory
Nov  1 00:30:23 heisenberg kernel: [ 6315.674076] audit: type=1400 audit(1509492623.442:7): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="system_tor" pid=18635 comm="(tor)"
Nov  1 00:30:23 heisenberg systemd[1]: tor@default.service: Main process exited, code=exited, status=231/APPARMOR
Nov  1 00:30:23 heisenberg systemd[1]: tor@default.service: Failed with result 'exit-code'.
Nov  1 00:30:23 heisenberg systemd[1]: Failed to start Anonymizing overlay network for TCP.


> See https://wiki.debian.org/AppArmor/Reportbug
> 
> > Please undo (or at least tell users what happens and what they can
> > do about it), until these issues are resolved.
> 
> Well, there's some kind of catch-22 here: apparently enabling
> AppArmor by default gives it enough exposure so we can actually
> learn about these issues in the first place.

I'm just surprised that it denies anything at all, without having the
policy packages installed (or vice versa, that it allows most things
when enabled in the kernel).

Apart from that:
Was there already a broad discussion in Debian about which LSM to go
for?
I personally always had the impression SELinux would be more
powerful... and I'm rather sceptical about things supported/pushed by
Canonical because building on these always means trouble (Mir,
Upstart, Unity,...).
If something like AppArmor, SELinux, Smack, RSBAC, etc. is made default
in Debian, then it should be the right decision for the best one, as
changing away from it would probably be painful.


Cheers,
Chris.
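The failure in the log above is not a policy denial in the usual sense: the kernel reports `operation="change_onexec"` with `info="label not found"`, i.e. systemd asked to switch the Tor process into the `system_tor` profile and no such profile was loaded, so the unit died with `status=231/APPARMOR`. Telling that case apart from an ordinary denial by a loaded profile is what a defender triaging AppArmor logs needs first. The script below is an added example, not code from this thread or from the Debian AppArmor team. It parses the `type=1400` audit lines and the systemd exit line into fields and tags each as "profile-not-loaded", "policy-denial" or "exec-failed-apparmor". The sample input is constructed: it repeats lines from the report and adds one invented `open` denial by a loaded `system_tor` profile for contrast (the path and pid in that line are made up).

```python
import re

# Constructed sample log: the report's systemd/kernel lines plus one
# invented ordinary denial (a loaded system_tor profile refusing a read)
# so both failure classes appear in the input.
SAMPLE_LOG = """\
Nov  1 00:30:23 heisenberg systemd[18635]: tor@default.service: Failed to prepare AppArmor profile change to system_tor: No such file or directory
Nov  1 00:30:23 heisenberg kernel: [ 6315.674076] audit: type=1400 audit(1509492623.442:7): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="system_tor" pid=18635 comm="(tor)"
Nov  1 00:30:23 heisenberg systemd[1]: tor@default.service: Main process exited, code=exited, status=231/APPARMOR
Nov  1 00:30:24 heisenberg kernel: [ 6316.000000] audit: type=1400 audit(1509492624.000:8): apparmor="DENIED" operation="open" profile="system_tor" name="/etc/tor/torrc" pid=18700 comm="tor" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bareword, as printed by the AppArmor audit backend
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# systemd's "Failed at step APPARMOR" exit code surfaces as status=NNN/APPARMOR
SYSTEMD_RE = re.compile(r'(\S+\.service): .*status=(\d+)/APPARMOR')


def parse_audit_line(line):
    """Return the key=value fields of an AppArmor audit line, or None if the
    line is not one (the apparmor= field is what identifies it)."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        # group 3 is the quoted form, group 4 the bare form
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def classify(fields):
    """Distinguish a missing profile from a real policy decision."""
    if fields.get("apparmor") != "DENIED":
        return "other"
    if (fields.get("operation") == "change_onexec"
            and fields.get("info") == "label not found"):
        # The requested profile is not loaded in the kernel: a packaging or
        # policy-loading problem, not a rule in the profile rejecting access.
        return "profile-not-loaded"
    return "policy-denial"


def triage(log_text):
    """Walk the log and emit one finding per AppArmor-related line."""
    findings = []
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if fields:
            findings.append({
                "kind": classify(fields),
                "profile": fields.get("profile"),
                "operation": fields.get("operation"),
                "name": fields.get("name"),      # target profile or path
                "pid": fields.get("pid"),
            })
            continue
        m = SYSTEMD_RE.search(line)
        if m:
            findings.append({
                "kind": "exec-failed-apparmor",
                "unit": m.group(1),
                "status": int(m.group(2)),
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

Run against the constructed sample, the first kernel line is tagged "profile-not-loaded" with `name` set to the missing profile (`system_tor`), the systemd line is tied to it through `unit` and `status=231`, and the invented `open` line is tagged "policy-denial" with the denying profile and path, which is the class that `aa-logprof`-style policy tuning is meant for. A "profile-not-loaded" finding instead points at checking whether the policy package is installed and the profile actually loaded (for example with `aa-status`), which is the situation this report describes.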