[Bug 1006387] New: monitoring-plugins-zypper %post removes AppArmor protection from running processes
http://bugzilla.novell.com/show_bug.cgi?id=1006387

Bug ID: 1006387
Summary: monitoring-plugins-zypper %post removes AppArmor protection from running processes
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: All
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
Assignee: nix@opensuse.org
Reporter: suse-beta@cboltz.de
QA Contact: qa-bugs@suse.de
CC: security-team@suse.de
Found By: Beta-Customer
Blocker: ---

monitoring-plugins-zypper.spec contains

    %post
    %{_sysconfdir}/init.d/boot.apparmor try-restart || echo ...

try-restart translates to "stop, then start", and this results in temporarily unloading all AppArmor profiles and removing AppArmor confinement from all running processes. They cannot be re-confined when loading the profiles again! Only restarting those processes helps. See bug 853019 for a detailed explanation.

Please replace the try-restart with "reload" (feel free to steal the needed code from apparmor.spec if you want to do a status check first).

We also have a new package apparmor-rpm-macros (since 42.2) to make it easier: just BuildRequire it and use

    %apparmor_reload /etc/apparmor.d/usr.lib.nagios.plugins.check_zypper

This bug exists in Leap and Tumbleweed. I'm reporting it for Leap because I hope you can fix it before the release ;-)

I didn't check the other monitoring-plugins-* packages. If they have a similar %post script, it should also be fixed.

@security team: do you have a way to grep all *.spec files in Leap and Tumbleweed for "apparmor.*restart" and "restart.*apparmor"? If yes, please do that - those packages might share this bug.

-- 
You are receiving this mail because: You are on the CC list for the bug.
participants (1)
- bugzilla_noreply@novell.com