Hello,

On Tuesday, 9 June 2020, 15:17:00 CEST, Carlos E. R. wrote:
On 09/06/2020 14.44, Christian Boltz wrote:
On Tuesday, 9 June 2020, 14:27:19 CEST, Carlos E. R. wrote:
Question on apparmor:
/etc/apparmor.d/usr.sbin.dnsmasq:
#include <local/usr.sbin.dnsmasq> }
Should I remove the '#' before the include?
"#include" and "include" have the same meaning in AppArmor profiles, they both include another file.
The only difference is that "#include" might be mis-interpreted as comment in case of syntax errors (instead of causing an error), but the line you quoted looks correct, and matches the upstream dnsmasq profile.
I'll try anyway... BINGO! It was AA. I removed the comment symbol, and now I have connectivity.
That's more than strange, and I'm sure that the # is/was not the cause (please re-add it and try again ;-)

Wild guess: Maybe the real change was the timestamp of the profile - now it's newer than your previous cache file, and therefore the cache got rebuilt. (If you have a backup of the "broken" /etc/apparmor.d/ and /var/cache/apparmor/ with original timestamps, I'd be happy to debug this - but better off-list, it would be OT here.)

As a somewhat unrelated sidenote: future AppArmor versions will default to "include" (without the "#") - but that's just a cosmetic change, there are no known bugs around the "#include" variant. Oh, and the local/* files will be included as "include if exists".
It occurs to me whether I might have forgotten to restart aa, but the log says I did.
Before: <3.6> 2020-06-09T14:13:36.362507+02:00 Telcontar apparmor.systemd 23247 - - Restarting AppArmor
and now, after the edit: <3.6> 2020-06-09T15:06:24.508661+02:00 Telcontar apparmor.systemd 26101 - - Restarting AppArmor
If you want to further debug this, ping me off-list or (maybe better) on IRC. The audit.log entries about reloading the profiles might be helpful.
Ok. Time to have lunch. Later I will update the wiki :-)
Unless you can reproduce the permission problem after re-adding the "#", please remove that note from the wiki again. I would be *very* surprised if that really caused your problem.

Regards,

Christian Boltz
--
There are a lot of times, however, where we do things that feel like fitting square pegs into round autotools holes [Steve Beattie in apparmor]
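The cache-timestamp guess in the message above can be checked before anything is reloaded. The following is an added example, not part of the original thread and not AppArmor's own code: it lists profiles whose cache entry is missing or older than the profile or its local/ include. The function name and the flat cache layout (one cache file per profile name directly under the cache directory) are assumptions, and only the profile and its local/ file are compared, not every included file.

```shell
#!/bin/sh
# Added example (not from the thread): report profiles whose compiled cache
# entry is missing or older than the profile source or its local/ include.
# Assumption: the cache directory holds one file per profile, named like
# the profile. Pass the directory that matches your AppArmor version.

stale_profiles() {
    profile_dir=$1
    cache_dir=$2
    for profile in "$profile_dir"/*; do
        # Skip subdirectories such as local/ and abstractions/.
        [ -f "$profile" ] || continue
        name=${profile##*/}
        cache=$cache_dir/$name
        local_inc=$profile_dir/local/$name
        if [ ! -f "$cache" ]; then
            echo "$name: no cache entry"
        elif [ "$profile" -nt "$cache" ]; then
            # Editing the profile (even a cosmetic change) lands here.
            echo "$name: profile newer than cache"
        elif [ -f "$local_inc" ] && [ "$local_inc" -nt "$cache" ]; then
            echo "$name: local include newer than cache"
        fi
    done
}

# Stand-alone use: sh stale_profiles.sh /etc/apparmor.d /var/cache/apparmor
if [ "$#" -eq 2 ]; then
    stale_profiles "$1" "$2"
fi
```

A profile reported here will be recompiled on the next reload, so a behaviour change after an edit may come from the rebuild rather than from the edited line itself.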