apparmor capabilities not working properly

Bug #408773 reported by Jamie Strandboge
This bug affects 21 people
Affects: apparmor (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Unassigned

Bug Description

Binary package hint: apparmor

Though I have the following in a profile:
  capability net_admin,
  capability sys_ptrace,

I am getting denials:
type=APPARMOR_DENIED msg=audit(1249377320.882:46): operation="capable" pid=6334 parent=1 profile="/usr/sbin/libvirtd" name="sys_ptrace"
type=APPARMOR_DENIED msg=audit(1249377321.526:47): operation="capable" pid=6334 parent=1 profile="/usr/sbin/libvirtd" name="sys_admin"

This worked at one point in Karmic, but I'm not sure what change caused the regression.

ProblemType: Bug
ApparmorStatusOutput:
 Error: command /usr/sbin/apparmor_status failed with exit code 4: You do not have enough privilege to read the profile set.
 apparmor module is loaded.
Architecture: i386
Date: Tue Aug 4 10:45:49 2009
DistroRelease: Ubuntu 9.10
NonfreeKernelModules: wl
Package: apparmor 2.3.1+1403-0ubuntu8
ProcEnviron:
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-5.24-generic
SourcePackage: apparmor
Uname: Linux 2.6.31-5-generic i686
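
A triage check for the symptom described above, added here as an example (it is not part of the bug report or of AppArmor's own tooling): it compares operation="capable" denials, in the record format quoted in the report, against the capability rules in the profile text, and separates denials that contradict an existing rule from capabilities the profile never granted. The function names and the embedded sample, built from the lines quoted above, are assumptions for illustration; only plain "capability <name>," allow rules are parsed.

```python
import re

# Constructed sample: the capability rules and audit records quoted in the
# bug description, wrapped in a profile block for context.
PROFILE_TEXT = """
/usr/sbin/libvirtd {
  capability net_admin,
  capability sys_ptrace,
}
"""
AUDIT_LINES = [
    'type=APPARMOR_DENIED msg=audit(1249377320.882:46): operation="capable" '
    'pid=6334 parent=1 profile="/usr/sbin/libvirtd" name="sys_ptrace"',
    'type=APPARMOR_DENIED msg=audit(1249377321.526:47): operation="capable" '
    'pid=6334 parent=1 profile="/usr/sbin/libvirtd" name="sys_admin"',
]

# Plain allow rules only: "capability a b," (deny/audit prefixes and the
# bare "capability," rule are deliberately not treated as grants here).
CAP_RULE = re.compile(r'^\s*capability\s+([a-z_ ]+?)\s*,\s*(?:#.*)?$')
KEY_VALUE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def profile_capabilities(profile_text):
    """Return the set of capability names granted by the profile text."""
    caps = set()
    for line in profile_text.splitlines():
        match = CAP_RULE.match(line)
        if match:
            caps.update(match.group(1).split())
    return caps


def classify_denials(lines, profile_name, granted):
    """Sort 'capable' denials for one profile by whether a rule allows them."""
    result = {"granted_but_denied": [], "not_in_profile": []}
    for line in lines:
        fields = {k: quoted or bare for k, quoted, bare in KEY_VALUE.findall(line)}
        if (fields.get("type"), fields.get("operation")) != ("APPARMOR_DENIED", "capable"):
            continue
        if fields.get("profile") != profile_name or "name" not in fields:
            continue
        bucket = "granted_but_denied" if fields["name"] in granted else "not_in_profile"
        result[bucket].append(fields["name"])
    return result


if __name__ == "__main__":
    granted = profile_capabilities(PROFILE_TEXT)
    print(classify_denials(AUDIT_LINES, "/usr/sbin/libvirtd", granted))
```

An entry under granted_but_denied means enforcement disagrees with the profile text, which points away from the profile's rules: for example a stale loaded policy or, as in this report, a regression in AppArmor itself.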

Jamie Strandboge (jdstrand) wrote :
Changed in apparmor (Ubuntu):
assignee: nobody → John Johansen (jjohansen)
importance: Undecided → High
status: New → Confirmed
assignee: John Johansen (jjohansen) → nobody
tags: added: regression-potential
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.3.1+1403-0ubuntu9

---------------
apparmor (2.3.1+1403-0ubuntu9) karmic; urgency=low

  * Revert 64-bit capabilities (LP: #408773).

 -- Kees Cook <email address hidden> Tue, 04 Aug 2009 11:51:27 +0100

Changed in apparmor (Ubuntu):
status: Confirmed → Fix Released
Kees Cook (kees) wrote :

To work-around this issue, temporarily disable apparmor with:

  sudo /etc/init.d/apparmor stop

After this, network-manager and dhclient will be able to control the network again. After installing apparmor version 2.3.1+1403-0ubuntu9 the apparmor profiles will operate correctly again.

John Vivirito (gnomefreak) wrote :

Kees,
If this fix fixes the networking why the work around by stopping the process?

Jithin Emmanuel (jithin1987) wrote : Re: [Bug 408773] Re: apparmor capabilities not working properly

I assume that workaround was for use until the package is available.

On Wed, Aug 5, 2009 at 4:17 PM, John Vivirito <email address hidden> wrote:

> Kees,
> If this fix fixes the networking why the work around by stopping the
> process?

--
Thanks
Jithin Emmanuel

Mike Ditka <http://www.brainyquote.com/quotes/authors/m/mike_ditka.html> -
"If God had wanted man to play soccer, he wouldn't have given us arms."

Steve Beattie (sbeattie) wrote :

On Wed, Aug 05, 2009 at 10:47:21AM -0000, John Vivirito wrote:
> If this fix fixes the networking why the work around by stopping the process?

The current version prevents networking from working (in common
setups). If you need networking to work in order to get the fixed package,
then you'll need to use the workaround.

--
Steve Beattie
<email address hidden>
http://NxNW.org/~steve/

John Vivirito (gnomefreak) wrote :

On 08/05/2009 08:03 AM, Steve Beattie wrote:
> On Wed, Aug 05, 2009 at 10:47:21AM -0000, John Vivirito wrote:
>> If this fix fixes the networking why the work around by stopping the process?
>
> The current version prevents networking from working (in common
> setups). If you need networking to work in order to get the fixed package,
> then you'll need to use the workaround.
>
nope after update+restart it works here, thanks

--
Sincerely Yours,
    John Vivirito

https://launchpad.net/~gnomefreak
https://wiki.ubuntu.com/JohnVivirito
Linux User# 414246

"How can i get lost, if i have no where to go"
    -- Metallica from Unforgiven III

fimbulvetr (fimbulvetr) wrote :

I can confirm that after the update everything is working well again.

Carey Underwood (cwillu) wrote :

Still broken for virtual machine devices (or any dhcp server running on the host?): qemu guest can't obtain ip address on the bridge device until I disable apparmor.

Jamie Strandboge (jdstrand) wrote :

Carey, can you file a new bug by using 'ubuntu-bug apparmor' and give instructions on how to reproduce the issue? Thanks!

Carey Underwood (cwillu) wrote :

https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/410547

On Fri, Aug 7, 2009 at 2:56 PM, Jamie Strandboge<email address hidden> wrote:
> Carey, can you file a new bug by using 'ubuntu-bug apparmor' and give
> instructions on how to reproduce the issue? Thanks!
