Bugzilla – Bug 668311
AppArmor profile generation can't handle *x (execute permissions) - please release a patch
Last modified: 2011-05-25 16:14:15 UTC
AppArmor logprof and genprof on openSUSE 11.3 (and IIRC on 11.2 also) can't handle *x (execute) permissions because of a changed audit.log format. Instead, they create a totally useless profile with ^null_xy hats. See bug 546618 for all the technical details, especially comment #2 there. The AppArmor utils in AppArmor 2.5.1 (now in Factory) fix this. I recommend to release a patch that updates AppArmor to 2.5.1 on openSUSE 11.3. I tested the 2.5.1 utils on 11.3 (see bug 546618#c12) and it looks like they are fully backward-compatible to AppArmor 2.3.
Even though I expect 2.5.1 to be compatible, we can't just update the version mid-release. I've backported the patch that handles this and it's fixed properly now. SR 66428 for 11.3 SR 66453 for 11.2 NEEDINFO maintenance@opensuse.org
for what it is worth, opensuse is not that strict with version updates anymore. everything should just continue to work after the update. ,) ok for update +1
+1 okay
The SWAMPID for this issue is 40061. This issue was rated as low. Please submit fixed packages until 2011-05-06. Also create a patchinfo file using this link: https://swamp.suse.de/webswamp/wf/40061
Updates have been checked in for both 11.2 and 11.3. Closing as FIXED. Thanks for prodding on this one.
This is an autogenerated message for OBS integration: This bug (668311) was mentioned in https://build.opensuse.org/request/show/66428 https://build.opensuse.org/request/show/66453
On qa maintenace testing of apparmor could not see fix and bug number not mentioned mentioned in changelog. rpm -q apparmor-parser apparmor-profiles apparmor-utils libapparmor-devel libapparmor1 libapparmor1-32bit libapparmor1-x86 perl-libapparmor -l --changelog | head -n 17 * Mon Jan 10 2011 jeffm@suse.de - Fix two x transition conflict bugs (bnc#662928). * Fri Apr 30 2010 jeffm@suse.de - Newer kernels don't require separate removal of hats (bnc#588248) - Fixed compilation of debug mode * Thu Mar 25 2010 jeffm@suse.de - Update to final translation files * Mon Mar 15 2010 jeffm@suse.de - Fix handling of removing profiles with whitespace (bnc#510740) - Provide meaningful line numbers in error reports (bnc#520013) - Support dry-run mode - Fix recognition of non-inet net domains (bnc#588185) * Wed Mar 04 2009 jeffm@suse.de after update to testing package: rpm -q apparmor-parser apparmor-profiles apparmor-utils libapparmor-devel libapparmor1 libapparmor1-32bit libapparmor1-x86 perl-libapparmor apparmor-parser-2.3.1-8.18.1 apparmor-profiles-2.3-48.5.1 apparmor-utils-2.3.1-9.8.2 libapparmor-devel-2.3-51.16.1 libapparmor1-2.3-51.16.1 package libapparmor1-32bit is not installed package libapparmor1-x86 is not installed perl-libapparmor-2.3-51.16.1 Is this ok?
Testing SLE-11-SP1 maintenace update
Update released for: apparmor-utils Products: openSUSE 11.2 (i586)
That fix was delayed waiting on a fix for a misapplied patch in bnc#691398. I've just submitted that fix and there should now be nothing holding up the apparmor update.
i resubmitted the patchinfo. ;)
Update released for: apparmor-utils Products: openSUSE 11.3 (i586)
released
Update released for: apparmor-parser, apparmor-parser-debuginfo, apparmor-parser-debugsource, apparmor-profiles, apparmor-utils, libapparmor-devel, libapparmor1, libapparmor1-32bit, libapparmor1-debuginfo, libapparmor1-debuginfo-32bit, libapparmor1-debuginfo-x86, libapparmor1-debugsource, libapparmor1-x86, perl-libapparmor Products: SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP1 (i386, x86_64) SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP1 (i386, x86_64)