[pkg-apparmor] Bug#881460: apparmor-profiles: dhclient set to enforce prevents getting an IPv4 with DHCP
Gabriel Filion
gabster at lelutin.ca
Mon Nov 13 01:35:00 UTC 2017
intrigeri:
> Let's sort this out first as there seems to be a misunderstanding.
> IMO this bug is not RC because:
>
> 1. The profile this bug report is about is not enforced by default;
> it's not even shipped in /etc/apparmor.d. It takes 2 manual steps
> to enforce it, so thankfully, we're far from shipping a broken
> default configuration :)
oh! you're totally right! I don't remember enabling the profile but I
was just blindly finding my way around to understand apparmor in the
recent days.
thanks for the super clear explanation for changing the status :)
> If you came across instructions that told you to enforce such profiles
> and that did not point you to the aforementioned warning, then I'm
> very sorry! I'll treat this as a RC bug. Please point me to that doc
> and I'll fix it ASAP. Thanks in advance!
fwiw I was following mainly the debian wiki pages about apparmor. I
remember reading the advisory, but for some reason I didn't keep the
information that "the profiles might not work with default
configurations" when reading. probably some level of confusion on my part.
>> and when I rebooted to activate the kernel part, I didn't notice the
>> issue below.. but a couple reboots afterwards I couldn't obtain
>> a DHCP address anymore for wired and wifi interfaces.
>
> Thanks for reporting this. I'm sorry this profile broke an essential
> part of your system. I'm not surprised though: to the best of my
> knowledge, nobody is actively using this profile on, and maintaining
> this profile for, Debian. Quite some paths in it don't match where
> things are shipped in Debian. This is why we don't enable this profile
> by default.
well I guess that my report confirms that the current profile in
apparmor-profiles-extra is somewhat broken. (it's still intriguing why
it was working for some time and then stopped working.. but I'd have to
repeat in order to figure out why. my time is probably better spent on
testing this other profile you mentioned)
> The good news is that there is a dhclient profile available elsewhere,
> that works way better on Debian: see #795467.
ok I can see that it looks like the proposed profile for isc-dhcp-client
is the one from ubuntu. still no reply from debian packagers about this
though, two years later.
what approach should we take here in order to get things going? do you
think that having more feedback from ppl who use the profile
successfully would help to get that merged in, or do you suspect it
might just be lack of available time or interest from package maintainers?
also, maybe if we can get more ppl to test ubuntu's profile in debian,
then they'd be willing to upstream it in apparmor?
Cheers
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-apparmor-team/attachments/20171113/b71ecb56/attachment.sig>
More information about the pkg-apparmor-team
mailing list