[Apparmor-dev] apparmor broken on 2.6.24-rc8

Luiz Fernando N. Capitulino lcapitulino at mandriva.com.br
Thu Jan 24 06:06:20 MST 2008 

Em Wed, 23 Jan 2008 12:14:10 -0800
John Johansen <jjohansen at suse.de> escreveu:

| On Wed, Jan 23, 2008 at 01:28:16PM -0200, Luiz Fernando N. Capitulino wrote:
| > 
| >  Hi there,
| > 
| >  I'm one of the Mandriva kernel developers and we're having some issues
| > with apparmor for 2.6.24-rc8 (kernel 2.6.24 will be used in our next
| > main release).
| > 
| Out of curiosity what is the time frame for this release.

 Early April.

| AppArmor
| is getting a bump to a 2.1.1 release today/tomorrow along with
| a new unionfs patch against the newer 2.2 unionfs.  The patch is
| done in the fashion the 1.4 unionfs patch and is simplier and
| makes policy for live cd's more feasible as the subpath under the
| union aren't required when accessed through the union path.

 Good news.

| >  The patches we're having problems were taken from SuSe's factory
| > kernel from January, 18.
| > 
| Ugh sorry those are broken and I haven't checked the fixes in there
| yet.

 Oh, I see.

| >  The first problem is that apparmor doesn't initialize. You pass the
| > 'apparmor=1' command-line but it says in dmesg that apparmor wasn't
| > able to initialize. I've backported a fix from the latest patchset
| > submitted to Andrew Morton (attached), which seems to work.
| > 
| >  But then the second problem happens:
| > 
| > # service apparmor start
| > 
| > """
| > Loading AppArmor profiles /sbin/apparmor_parser: Unable to add "/bin/netstat".  Profile doesn't conform to protocol
| >  Profile /etc/apparmor.d/bin.netstat failed to load
| > /sbin/apparmor_parser: Unable to add "/bin/ping".  Profile doesn't conform to protocol
| >  Profile /etc/apparmor.d/bin.ping failed to load
| > /sbin/apparmor_parser: Unable to add "/sbin/klogd".  Profile doesn't conform to protocol
| >  Profile /etc/apparmor.d/sbin.klogd failed to load
| > /sbin/apparmor_parser: Unable to add "/sbin/syslogd".  Profile doesn't conform to protocol
| > [...]
| > """
| > 
| >  I've applied the latest patchset version (apparmor-kernel-patch-2.6.24-rc4-mm.tgz)
| > on top of kernel 2.6.24-rc4-mm1 and it just works.
| > 
| >  Does this mean SuSe's version is broken? What about porting
| > that (working) -mm version to 2.6.24 vanilla?
| > 
| Sorry, yep they are broken.  The AppArmor 2.1.1 release (today or tomorrow)
| will have the patches for 2.6.24.
| 
| And alternately an AppArmor 2.3 release is approaching in mid feb

 Nice, thanks a lot.

-- 
Luiz Fernando N. Capitulino

More information about the Apparmor-dev mailing list