[pkg-apparmor] Bug#879590: apparmor breaks all kinds of stuff
intrigeri
intrigeri at debian.org
Sun Nov 5 11:02:43 UTC 2017
Hi,
Meta: this bug report is about deciding how we enable AppArmor by
default; if you want to follow up on unrelated discussions or start
new ones, please do so in better suited places :)
Christoph Anton Mitterer:
> On Wed, 2017-11-01 at 07:40 +0100, intrigeri wrote:
>> Indeed, it would have been nice. Can you please report a bug against
>> src:linux about it?
> I already had:
> #880441
Thanks, I'll follow up there then (we don't need to have the same
discussion in two different places).
> Nov 1 00:30:23 heisenberg systemd[18635]: tor@default.service: Failed at step APPARMOR spawning /usr/bin/tor: No such file or directory
> Nov 1 00:30:23 heisenberg kernel: [ 6315.674076] audit: type=1400
> audit(1509492623.442:7): apparmor="DENIED" operation="change_onexec" info="label not
> found" error=-2 profile="unconfined" name="system_tor" pid=18635 comm="(tor)"
That's #880490, fixed in sid already.
> I'm just surprised that it denies anything at all, without having the
> policy packages installed (or vice versa, that it allows most things
> when enabled in the kernel).
It does *not* deny anything at all without having the apparmor package
installed: #880490 is not about AppArmor denying something, it's about
systemd trying to switch to an AppArmor profile that's not loaded,
precisely because the apparmor package is not installed.
> Apart from that:
> Was there already a broad discussion in Debian about which LSM to go
> for?
There's been an ongoing discussion on debian-devel@ for ~3 months.
Cheers,
--
intrigeri
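
An added triage example, not part of the original message: it parses AppArmor audit records and separates the case discussed above (a `change_onexec` to a profile that is not loaded, reported as `info="label not found"`) from an ordinary policy denial. The sample lines are constructed, the first one modelled on the record quoted in the thread; the category names and the `classify` helper are hypothetical.

```python
import re

# Constructed sample records. The first mirrors the one quoted in the thread;
# the other two are made up for contrast.
SAMPLE = [
    'audit: type=1400 audit(1509492623.442:7): apparmor="DENIED" '
    'operation="change_onexec" info="label not found" error=-2 '
    'profile="unconfined" name="system_tor" pid=18635 comm="(tor)"',
    'audit: type=1400 audit(1509492700.100:9): apparmor="DENIED" '
    'operation="open" profile="/usr/bin/example" name="/etc/shadow" '
    'pid=4242 comm="example" requested_mask="r" denied_mask="r"',
    'audit: type=1400 audit(1509492701.000:10): apparmor="STATUS" '
    'operation="profile_load" profile="unconfined" name="system_tor" '
    'pid=1 comm="apparmor_parser"',
]

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse(line):
    """Return the key=value fields of one audit record as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def classify(line):
    """Return (category, subject) for one AppArmor audit record.

    missing-profile: a task asked to switch to a profile on exec and the
                     kernel could not find that label (profile not loaded);
                     subject is the profile that needs loading.
    policy-denial:   a loaded profile refused an operation; subject is
                     the profile that denied it.
    """
    f = parse(line)
    if f.get("apparmor") != "DENIED":
        return ("not-a-denial", None)
    if f.get("operation") == "change_onexec" and f.get("info") == "label not found":
        return ("missing-profile", f.get("name"))
    return ("policy-denial", f.get("profile"))


if __name__ == "__main__":
    for record in SAMPLE:
        print(classify(record))
```
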