[pkg-apparmor] Bug#904040: openntpd: Apparmor denies logging

intrigeri intrigeri at debian.org
Sun Jul 22 13:43:02 BST 2018


Hi Dererk,

I'm fully quoting below Seth Arnold's reply (that was sent to
pkg-apparmor-team@ only) and will reply below.

Seth Arnold:
> On Wed, Jul 18, 2018 at 08:05:29PM -0300, Dererk wrote:
>> I was told about a bug in the way an apparmor profile behaves.
>> It appears to me that this issue might be tightly related to the way
>> apparmor is compiled on Ubuntu, since all my attempts to find similar
>> reports get isolated to Ubuntu's reports and bug fixes.
>> 
>> Would you be so kind as to advise on how to proceed with this? Is it possible
>> to hit this on Debian installations? If it's not, is it safe to apply it on
>> Debian without it backfiring?

> Hello Dererk,

> This is not unique to systemd, nor Ubuntu; it can happen any time a process
> may use a file descriptor that refers to a file that does not exist in the
> process's mount namespace, whether via explicit namespace use, or chroot, or
> being passed descriptors across an exec or Unix domain socket.

> Systemd just makes these cases really easy to recreate.

> The flags=(attach_disconnected) fix is safe to apply; we don't use it
> as a default setting because we'd really like to have a better solution
> in the long run. But if you're currently not logging due to this issue, or
> the program fails to run at all because it cannot log, then waiting for a
> better solution is far from ideal.

Fully agreed: at least for now, if flags=(attach_disconnected) fixes
user-visible issues, it'll be good enough ⇒ feel free to add it :)

Cheers,
-- 
intrigeri
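
Added example for this thread (not code from openntpd, its Debian profile, or anyone quoted above). The shell below does the two things a maintainer would want at this point: it picks the "disconnected path" denials that Seth describes out of audit/journal output, and it puts flags=(attach_disconnected) on the profile header, which is the only place profile flags are accepted (the local/ include sits inside the braces and can only add rules). The audit lines and the profile are constructed samples; the profile path /usr/sbin/ntpd, the profile name, PIDs and timestamps are assumptions.

```shell
#!/bin/sh
# Added example for this thread, not code from openntpd or its Debian profile.
# 1) disconnected_denials: pull the profiles hit by "disconnected path" denials
#    out of audit/journal output (the failure Seth describes: an fd whose file
#    is not reachable from the confined process's mount namespace).
# 2) add_attach_disconnected: put flags=(attach_disconnected) on the profile
#    header, which is the only place profile flags are accepted.

# Read audit lines on stdin; print each DENIED profile whose name lookup
# failed with "disconnected path", de-duplicated.
disconnected_denials() {
    grep 'apparmor="DENIED"' \
    | grep 'info="Failed name lookup - disconnected path"' \
    | sed -n 's/.*profile="\([^"]*\)".*/\1/p' \
    | sort -u
}

# Rewrite the header line of the profile file $1 in place.
# Handles the three states a real profile can be in:
#   "... {"                  -> "... flags=(attach_disconnected) {"
#   "... flags=(complain) {" -> "... flags=(attach_disconnected,complain) {"
#   already has the flag     -> unchanged (safe to re-run)
add_attach_disconnected() {
    _f=$1
    awk '
      # the header is the first non-comment line ending in "{"
      !done && /^[^#]*[{][ \t]*$/ {
          done = 1
          if ($0 !~ /attach_disconnected/) {
              if ($0 ~ /flags=[(]/) {
                  sub(/flags=[(]/, "flags=(attach_disconnected,")
              } else {
                  sub(/[ \t]*[{][ \t]*$/, " flags=(attach_disconnected) {")
              }
          }
      }
      { print }
    ' "$_f" > "$_f.tmp" && mv "$_f.tmp" "$_f"
}

# --- demonstration on constructed data ---------------------------------------
# Constructed audit lines in AppArmor's format; PIDs, timestamps and the
# profile path (assumed /usr/sbin/ntpd for openntpd) are made up.
SAMPLE_LOG='audit: type=1400 audit(1532265782.123:45): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="" pid=1234 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1532265782.124:46): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="" pid=1234 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1532265782.900:47): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=999 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

echo "profiles with disconnected-path denials:"
printf '%s\n' "$SAMPLE_LOG" | disconnected_denials

# Constructed stand-in for the package's profile under /etc/apparmor.d/
PROFILE=$(mktemp)
cat > "$PROFILE" <<'EOF'
#include <tunables/global>

profile openntpd /usr/sbin/ntpd flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  /var/log/** w,
  #include <local/usr.sbin.ntpd>
}
EOF
add_attach_disconnected "$PROFILE"
echo "patched header:"
sed -n 3p "$PROFILE"
rm -f "$PROFILE"
```

After editing the shipped profile, reload it with `apparmor_parser -r /etc/apparmor.d/<profile file>` (or restart apparmor.service) before retesting logging. With attach_disconnected set, a path that is not reachable from the process's mount namespace is treated as if it were attached at the root of the namespace, so the profile's ordinary file and socket rules apply to it instead of the lookup failing outright; that is why it fixes the logging denial without opening anything the rules do not already allow.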
