http://bugzilla.opensuse.org/show_bug.cgi?id=1205659

Bug ID: 1205659
Summary: Precompiled profile cache causes hard to debug problems on Tumbleweed
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
Assignee: suse-beta@cboltz.de
Reporter: suse-beta@cboltz.de
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

The AppArmor profile cache is generated and validated (check if it needs to be updated) purely based on the file timestamps on the involved files. If the cache file is newer than all involved files in /etc/apparmor.d, the cache file will be used (and not updated).

This causes problems in Tumbleweed if

- the user has modified an included file (for example local/*) long ago so that it's older than the precompiled cache in apparmor-profiles
- a new kernel with a new cache hash gets released (so the probably valid /var/cache/apparmor/$oldhash/$cachefile will no longer be used)

In these cases, the precompiled cache will be loaded, and the modified local/* file gets ignored. Obviously this also means that the additional permissions granted in the local/* file will _not_ be allowed.

See the discussion around https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/message/... for the long version.

The long-term solution is to include a checksum of the text profiles in the cache file, which is on the TODO list upstream.

Until then, I'll stop shipping the precompiled cache in Tumbleweed. This might result in a few seconds additional boot time after updates of the apparmor-profiles package or major kernel updates (with a new AppArmor features hash), but that's better than loading outdated profile caches into the kernel.

The risk for hitting this problem on Leap is much smaller, because Leap updates don't include new major kernel versions.

--
You are receiving this mail because:
You are on the CC list for the bug.
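
The failure mode described in the report, as an added example that is not part of the original bug report and is not AppArmor's own code: a simplified Python model of a timestamp-only cache check next to a content-checksum check. The file names, timestamps and the cache layout (digest on the first line) are constructed assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def mtime_cache_valid(cache, sources):
    """Timestamp rule from the report: use the cache if it is newer than every source."""
    cache_mtime = cache.stat().st_mtime
    return all(src.stat().st_mtime < cache_mtime for src in sources)

def digest(sources):
    """SHA-256 over path, length and content of every text profile file."""
    h = hashlib.sha256()
    for src in sorted(sources):
        data = src.read_bytes()
        h.update(f"{src}\0{len(data)}\0".encode() + data)
    return h.hexdigest()

def checksum_cache_valid(cache, sources):
    """Checksum rule: the digest recorded in the cache must match the current sources."""
    return cache.read_text().splitlines()[0] == digest(sources)

def build_scenario(root):
    """Constructed layout: one profile, its local/ include, one precompiled cache."""
    profile = root / "usr.bin.example"           # hypothetical profile name
    local = root / "local" / "usr.bin.example"
    local.parent.mkdir()
    profile.write_text("profile example { include <local/usr.bin.example> }\n")
    local.write_text("")                         # packaged state: empty include
    sources = [profile, local]
    # Packager compiles the cache from the unmodified sources (assumed format).
    cache = root / "precompiled.cache"
    cache.write_text(digest(sources) + "\n<compiled policy>\n")
    # The admin's local rule exists on the target system with an old timestamp.
    local.write_text("/srv/data/** r,\n")
    os.utime(local, (1_600_000_000, 1_600_000_000))    # edited long ago
    os.utime(profile, (1_650_000_000, 1_650_000_000))
    os.utime(cache, (1_660_000_000, 1_660_000_000))    # shipped later, so newer
    return cache, sources

def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        cache, sources = build_scenario(Path(tmp))
        return mtime_cache_valid(cache, sources), checksum_cache_valid(cache, sources)

if __name__ == "__main__":
    by_mtime, by_checksum = run_demo()
    print(f"timestamp check accepts stale cache: {by_mtime}")
    print(f"checksum check accepts stale cache:  {by_checksum}")
```

The timestamp check accepts the cache even though the local/ file it was compiled from has different content, while the checksum check rejects it and would force a recompile.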