Hello,

On Sunday, 29 April 2018, 19:36:08 CEST, Frank Krüger wrote:
> Given Tumbleweed 20180424 with apparmor 2.13 the command "aa-logprof" (as root) hangs, with the error messages
>
>   File "/usr/sbin/aa-logprof", line 54, in <module>
>     apparmor.loadincludes()
>   File "/usr/lib/python3.6/site-packages/apparmor/aa.py", line 3569, in loadincludes
>     load_include(fi)
>   File "/usr/lib/python3.6/site-packages/apparmor/aa.py", line 3532, in load_include
>     incdata = parse_profile_data(data, incfile, True)
>   File "/usr/lib/python3.6/site-packages/apparmor/aa.py", line 2509, in parse_profile_data
>     elif not RE_RULE_HAS_COMMA.search(line):
>
> Is this a known issue?
No, that sounds new to me. (Also, aa-logprof shouldn't run for several minutes, maybe except if you have a really big logfile > 100 MB, and for sure it shouldn't spend minutes in load_include.)

That said - I was able to reproduce the problem, and wonder why it didn't hit me before.

The biggest change in 2.13 [1] is support for shipping precompiled cache and having multiple cache directories. This also comes with a new cache directory layout, including a new symlink /etc/apparmor.d/cache.d pointing to the real cache directory.

Exactly that symlink causes the problem you see, because aa-logprof tries to parse all (binary) files in /etc/apparmor.d/cache.d/ :-(

@Patrick: If you are unable to reproduce this bug, your profiles probably match exactly the upstream profiles, so /etc/apparmor.d/cache.d/ (symlink to /var/cache/apparmor/) is empty and only the precompiled cache in /usr/share/apparmor/cache/ gets used. An additional condition is that you don't have profiles installed by other packages (which don't include precompiled cache yet).

That said - I can offer a selection of hotfixes. Pick one ;-)

a) apply the following patch to /usr/lib/python3.6/site-packages/apparmor/aa.py

--- /usr/lib/python3.6/site-packages/apparmor/aa.py_ORIG +++ /usr/lib/python3.6/site-packages/apparmor/aa.py 
@@ -2048,7 +2048,7 @@ def is_skippable_file(path): return False def is_skippable_dir(path): - if re.search('^(.*/)?(disable|cache|force-complain|lxc|\.git)/?$', path): + if re.search('^(.*/)?(disable|cache|cache\.d|force-complain|lxc|\.git)/?$', path): return True return False

to exclude the "cache.d" symlink/directory from parsing.

- or -

b) grab the latest python3-apparmor package from security:apparmor (building right now) which includes the patch from a)

- or -

c) wait until SR 602408 (with the packages from b) reaches Tumbleweed ;-)

Regards,

Christian Boltz

[1] looks like naming it 2.13 did what that number promised...
-- 
[20:01] * mrdocs grabs a snack first
[20:01] <suseROCKs> hmm last time mrdocs said he was going to grab a snack, we didn't see him again for a week
[from #opensuse-project]
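
Review bot: on the added line in is_skippable_dir the pattern is still a plain (non-raw) string literal, so the new "cache\.d" alternative, like the existing "\.git", depends on "\." being an invalid string escape that Python passes through unchanged, and Python 3.6 already reports that with a DeprecationWarning; prefixing the literal with r avoids it. The two cache names could also be folded into one alternative, "cache(\.d)?", and a short comment that cache.d is the symlink to the binary cache directory would record why the entry is in the list.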
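
The effect of the cache.d symlink described in the mail, as an added example (not code from the mail or from AppArmor). The two patterns are copied from the patch; the function names, the sample tree and the symlink-following walk are assumptions made for illustration, and the real aa.py directory walk may differ.

```python
import os
import re
import tempfile

# Skip patterns copied from the patch in the mail (before / after),
# written here as raw strings.
SKIP_BEFORE = re.compile(r'^(.*/)?(disable|cache|force-complain|lxc|\.git)/?$')
SKIP_AFTER = re.compile(r'^(.*/)?(disable|cache|cache\.d|force-complain|lxc|\.git)/?$')


def files_to_parse(profile_dir, skip_re):
    """Return the files a walk of profile_dir would hand to a profile parser.

    Assumption: symlinked directories are followed, which is what makes the
    cache.d symlink reachable. Directories matching skip_re are pruned.
    """
    found = []
    for root, dirs, files in os.walk(profile_dir, followlinks=True):
        dirs[:] = [d for d in dirs if not skip_re.search(os.path.join(root, d))]
        for name in files:
            found.append(os.path.relpath(os.path.join(root, name), profile_dir))
    return sorted(found)


def build_sample_tree(base):
    """Constructed layout: a profile directory whose cache.d symlink points
    at a cache directory holding one binary (non-profile) file."""
    profiles = os.path.join(base, "etc", "apparmor.d")
    cache = os.path.join(base, "var", "cache", "apparmor")
    os.makedirs(os.path.join(profiles, "abstractions"))
    os.makedirs(cache)
    with open(os.path.join(profiles, "abstractions", "base"), "w") as fh:
        fh.write("/etc/ld.so.cache r,\n")      # constructed text rule
    with open(os.path.join(cache, "usr.bin.example"), "wb") as fh:
        fh.write(bytes(range(256)))            # constructed binary blob
    os.symlink(cache, os.path.join(profiles, "cache.d"))
    return profiles


def demo():
    """Walk the sample tree with the old and the patched skip pattern."""
    with tempfile.TemporaryDirectory() as base:
        profiles = build_sample_tree(base)
        return (files_to_parse(profiles, SKIP_BEFORE),
                files_to_parse(profiles, SKIP_AFTER))


if __name__ == "__main__":
    before, after = demo()
    print("before patch:", before)
    print("after patch: ", after)
```

With an empty cache directory both walks return the same list, which matches the mail's explanation of why the hang does not reproduce on every system.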