AppArmor two-stage policy load is undocumented

Applies to Ubuntu 12.04 with apparmor 2.7.102-0ubuntu2

Status changed to 'Confirmed' because the bug affects multiple users.

Currently AppArmor's profile load is not done via upstart for various reasons see https://lists.ubuntu.com/archives/upstart-devel/2011-December/001771.html for some details.

Instead if the daemon has been switched to upstart profile load can be made dependent there as is done with /etc/init/avahi-daemon.conf

Instead of forcing all profiles to be loaded early which could affect boot speed, Ubuntu has opted to provide a split profile load (which does not seem to be documented atm) that will load some profiles early and the full profile set later in the boot sequence. To force a profile to be loaded early a symlink is dropped in
  /etc/apparmor/init/

see
  /etc/apparmor/init/network-interface-security/sbin.dhclient

as an example. As long as the profile cache is built adding all profiles should not significantly impact boot performance

Ok. I understand that. But I think this needs to be documented prominently either in the wiki or the apparmor package. Without any documentation the admin generating his own profiles does not know how to handle the situation.

Agreed, documentation is being written. Both a patch for the apparmor (7) man page and for the wiki

Attached is a patch to adjust the apparmor(5) man page to (finally) document this.

This has been committed to ~ubuntu-core-dev/apparmor/master/

Opps, of course I meant apaprmor(7), not apparmor(5).

This bug was fixed in the package apparmor - 2.7.102-0ubuntu3

---------------
apparmor (2.7.102-0ubuntu3) precise; urgency=low

  [ Jamie Strandboge ]
  * debian/patches/0007-ubuntu-manpage-updates.patch: update apparmor(5)
    to describe Ubuntu's two-stage policy load and how to add utilize it
    when developing policy (LP: #974089)

  [ Serge Hallyn ]
  * debian/apparmor.init: do nothing in a container. This can be
    removed once stacked profiles are supported and used by lxc.
    (LP: #978297)

  [ Steve Beattie ]
  * debian/patches/0008-apparmor-lp963756.patch: Fix permission mapping
    for change_profile onexec (LP: #963756)
  * debian/patches/0009-apparmor-lp959560-part1.patch,
    debian/patches/0010-apparmor-lp959560-part2.patch: Update the parser
    to support the 'in' keyword for value lists, and make mount
    operations aware of 'in' keyword so they can affect the flags build
    list (LP: #959560)
  * debian/patches/0011-apparmor-lp872446.patch: fix logprof missing
    exec events in complain mode (LP: #872446)
  * debian/patches/0012-apparmor-lp978584.patch: allow inet6 access in
    dovecot imap-login profile (LP: #978584)
  * debian/patches/0013-apparmor-lp800826.patch: fix libapparmor
    log parsing library from dropping apparmor network events that
    contain ip addresses or ports in them (LP: #800826)
  * debian/patches/0014-apparmor-lp979095.patch: document new mount rule
    syntax and usage in apparmor.d(5) manpage (LP: #979095)
  * debian/patches/0015-apparmor-lp963756.patch: Fix change_onexec
    for profiles without attachment specification (LP: #963756,
    LP: #978038)
  * debian/patches/0016-apparmor-lp968956.patch: Fix protocol error when
    loading policy to kernels without compat patches (LP: #968956)
  * debian/patches/0017-apparmor-lp979135.patch: Fix change_profile to
    grant access to /proc/attr api (LP: #979135)
 -- Steve Beattie <email address hidden> Thu, 12 Apr 2012 06:17:42 -0500