Hello,

On Wednesday, 3 January 2018, 14:30:46 CET, Thorsten Kukuk wrote:
On Wednesday, 3 January 2018, Dominique Leuenberger wrote:
==== apparmor ==== Version update (2.11.1 -> 2.12)
I should probably highlight this change: There are more important changes: errors during loading of profiles are no longer ignored, which makes these bugs now really problematic and AppArmor unusable/non-functional with a read-only root filesystem:
bsc#1074429 - AppArmor cannot be started in Kubic
bsc#1069906 - Race: systemd remounts filesystems while apparmor loads
On Wed, Jan 03, Christian Boltz wrote:
profiles
I just installed the latest Kubic in a VM [1] and can confirm the problem - only the "docker-default" profile gets loaded, but not the other profiles in /etc/apparmor.d/. That leads to the question whether the "docker-default" profile gets loaded or reloaded in a different way - any ideas?

The most surprising thing is that it "errors out more" than in 2.11.x. Most 2.12 changes were in the Python tools. A review of the 2.12 changes together with the upstream developers didn't bring up many changes in apparmor_parser or libapparmor that could cause this change, and the few commits that are somewhat related to this look harmless. I'll probably build 2.11.1 packages tomorrow to cross-check if this was really introduced in 2.12, even if looking at the upstream commits indicates it's unlikely.

For now, I can offer two workarounds:
- rcapparmor reload while /var/lib/apparmor is writable to build or update the cache (which also means no more write attempts on boot until you install a new kernel)
- or -
- disable the "write-cache" option in /etc/apparmor/parser.conf - but let me warn you that this slows down profile loading 5 to 10 times, so this is nothing I want to do for the "normal" distribution. (If there is a build condition to match only Kubic, I'm willing to accept that in the AppArmor package as a hotfix. Technically we just have to disable a patch ;-)

The long-term fix is to make cache write failures a warning instead of an error, but to make things more interesting, there are also situations where this needs to be an error. This is solvable by adding a new config option (think of -Werror), but it needs a bit more work.

Another option might be to pre-compile the profiles during installation. I know this is possible (AFAIK it was done for Ubuntu Phone), but I'll have to check the details with upstream.
One funny detail is that we hit this issue too early ;-) - there are plans to support multiple caches for different kernel versions, but unfortunately, well, _plans_ ;-)

Regards,

Christian Boltz

[1] my infrastructure test VMs don't feel alone anymore now ;-)

--
Code like this is the reason for alcoholism running rampant with Java developers
[Kristian Köhntopp on https://plus.google.com/+KristianKöhntopp/posts/K5DDeDMYr1e ]
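Both workarounds in the message above come down to one question: can apparmor_parser write its cache at the moment the profiles are loaded? The script below is an added example, not code from this thread or from the AppArmor project. It probes the cache directory for writability before loading and passes --skip-cache when the probe fails, so a read-only /var/lib/apparmor leads to the slower uncached load instead of the failed load described above. The cache path /var/lib/apparmor/cache, the profile directory and the helper names are assumptions for the example; --write-cache, --skip-cache, --cache-loc and --replace are documented apparmor_parser options.

```shell
#!/bin/sh
# Added example (not from the thread or the AppArmor package): choose
# apparmor_parser cache flags based on whether the cache dir is writable.

# Return 0 if a regular file can actually be created in the directory.
# A real write probe is used instead of `test -w`, which always succeeds
# for root even on a read-only mount.
cache_dir_writable() {
    dir="$1"
    [ -d "$dir" ] || return 1
    probe="$dir/.write-probe.$$"
    if ( : > "$probe" ) 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    return 1
}

# Print the cache-related flags for apparmor_parser.
# Writable cache dir  -> build/update the cache there (fast on later boots).
# Read-only/missing   -> skip the cache entirely rather than fail the load.
parser_cache_flags() {
    cache="$1"
    if cache_dir_writable "$cache"; then
        echo "--write-cache --cache-loc=$cache"
    else
        echo "--skip-cache"
    fi
}

# Load (replace) every profile file in a directory with the chosen flags.
# Assumed defaults: /etc/apparmor.d for profiles, /var/lib/apparmor/cache
# for the cache (the thread names /var/lib/apparmor; the subdirectory is an
# assumption). Failures are reported per profile instead of aborting.
load_profiles() {
    profile_dir="${1:-/etc/apparmor.d}"
    cache_dir="${2:-/var/lib/apparmor/cache}"
    flags=$(parser_cache_flags "$cache_dir")
    status=0
    for p in "$profile_dir"/*; do
        [ -f "$p" ] || continue           # skip abstractions/, tunables/ etc.
        # $flags is intentionally unquoted so it splits into separate options.
        if ! apparmor_parser --replace $flags "$p"; then
            echo "failed to load $p" >&2
            status=1
        fi
    done
    return $status
}

# Usage (as root, on a system with apparmor_parser installed):
#   . ./this-script.sh; load_profiles /etc/apparmor.d /var/lib/apparmor/cache
```

On a read-only root the script still loads every profile, only without the cache, which is exactly the 5 to 10 times slower path mentioned above; once /var/lib/apparmor is writable again the same call regenerates the cache.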