[Apparmor-dev] apparmor broken on 2.6.24-rc8

John Johansen jjohansen at suse.de
Wed Jan 23 13:14:10 MST 2008


On Wed, Jan 23, 2008 at 01:28:16PM -0200, Luiz Fernando N. Capitulino wrote:
> 
>  Hi there,
> 
>  I'm one of the Mandriva kernel developers and we're having some issues
> with apparmor for 2.6.24-rc8 (kernel 2.6.24 will be used in our next
> main release).
> 
Out of curiosity, what is the time frame for this release?  AppArmor
is getting a bump to a 2.1.1 release today/tomorrow along with
a new unionfs patch against the newer 2.2 unionfs.  The patch is
done in the fashion of the 1.4 unionfs patch and is simpler and
makes policy for live CDs more feasible, as the subpaths under the
union aren't required when accessed through the union path.

>  The patches we're having problems with were taken from SuSe's factory
> kernel from January, 18.
> 
Ugh sorry those are broken and I haven't checked the fixes in there
yet.

>  The first problem is that apparmor doesn't initialize. You pass the
> 'apparmor=1' command-line but it says in dmesg that apparmor wasn't
> able to initialize. I've backported a fix from the latest patchset
> submitted to Andrew Morton (attached), which seems to work.
> 
>  But then the second problem happens:
> 
> # service apparmor start
> 
> """
> Loading AppArmor profiles /sbin/apparmor_parser: Unable to add "/bin/netstat".  Profile doesn't conform to protocol
>  Profile /etc/apparmor.d/bin.netstat failed to load
> /sbin/apparmor_parser: Unable to add "/bin/ping".  Profile doesn't conform to protocol
>  Profile /etc/apparmor.d/bin.ping failed to load
> /sbin/apparmor_parser: Unable to add "/sbin/klogd".  Profile doesn't conform to protocol
>  Profile /etc/apparmor.d/sbin.klogd failed to load
> /sbin/apparmor_parser: Unable to add "/sbin/syslogd".  Profile doesn't conform to protocol
> [...]
> """
> 
>  I've applied the latest patchset version (apparmor-kernel-patch-2.6.24-rc4-mm.tgz)
> on top of kernel 2.6.24-rc4-mm1 and it just works.
> 
>  Does this mean SuSe's version is broken? What about porting
> that (working) -mm version to 2.6.24 vanilla?
> 
Sorry, yep they are broken.  The AppArmor 2.1.1 release (today or tomorrow)
will have the patches for 2.6.24.

Alternately, an AppArmor 2.3 release is approaching in mid-Feb.

regards
john