Overview
Request 452189 accepted
[New attempt with /var/lib/apparmor/cache as cache location, as discussed
with DimStar on IRC. No other differences compared to SR 449669.]
- change /etc/apparmor.d/cache symlink to /var/lib/apparmor/cache/.
  This is part of the root partition (at least with default partitioning)
  and should be available earlier than /var/cache/apparmor/
  (boo#1015249, boo#980081, bsc#1016259)
- add dependency on var-lib.mount to apparmor.service as safety net
- update to AppArmor 2.10.2 maintenance release
  - lots of bugfixes and profile updates (including boo#1000201,
    boo#1009964, boo#1014463)
  - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_10_2 for details
- add aa-unconfined-fix-netstat-call-2.10r3380.diff to fix a regression
  in aa-unconfined
- drop upstream(ed) patches:
  - changes-since-2.10.1--r3326..3346.diff
  - changes-since-2.10.1--r3347..3353.diff
  - libapparmor-fix-import-path.diff (upstream fix is slightly different)
  - nscd-var-lib.diff
- refresh apparmor-abstractions-no-multiline.diff
Static libraries should always land in /usr/lib, not /lib.
This request includes a maintenance release. Also, I plan to submit the 2.10.2 package to Leap 42.1 and 42.2. Moving files around in a maintenance update wouldn't be the best idea IMHO, and changing only the Tumbleweed package would mean I have to maintain two "branches" of the package.
I know that static libraries should be in /usr, and I'll fix this when updating to AppArmor 2.11 (which I'll submit as soon as this SR is accepted). 2.11 will bring quite some packaging changes, so I first want to have 2.10.2 in to reduce the amount of changes.
TL;DR: Please ignore the location of the static libraries a last time ;-)
+- delete /etc/apparmor.d/cache symlink. apparmor_parser will re-create + it as real directory. This is needed to avoid problems on boot if + /var/ is mounted too late ([boo#1015249](https://bugzilla.opensuse.org/show_bug.cgi?id=1015249), [boo#980081](https://bugzilla.opensuse.org/show_bug.cgi?id=980081), [bsc#1016259](https://bugzilla.opensuse.org/show_bug.cgi?id=1016259))
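Review bot: The first added line removes the /etc/apparmor.d/cache symlink and relies on apparmor_parser re-creating it as a real directory, so generated cache files end up under /etc, yet the entry does not say what happens to the cache already sitting at the old symlink target. Suggest stating in the entry whether that old directory is cleaned up or left behind, and naming the new on-disk location explicitly so the behaviour change is visible to anyone reading the changelog.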
??? What? apparmor_parser WRITES to /etc ? That's a terribly bad idea
I can understand why you hate this. I also don't really like it, but it's still better than not having the cache available at boot (which means longer boot times etc.).
Actually the reason why I introduced the symlink some years ago was exactly to avoid writing to /etc, but I didn't think about /var mount races back then.
I had a long discussion about this with the upstream developers a while ago, and the summary is that writing to /etc is not the best idea, but other solutions (like the symlink to var) cause even more trouble. BTW: In Ubuntu, apparmor_parser also writes its cache to /etc.
@kukuk I recall CaaSP does some magic with read-only file systems. I wonder if this will impact you in any way.
Writing cache files in /etc is the worst thing to do. It does not impact CaaSP directly (except that on CaaSP, /var is available before /etc is writeable, so this change would have the opposite effect), but would be a nightmare for snapshots and rollback.
Between: if /var is mounted too late, something with the dependencies is wrong and the root cause should be fixed. On SLE12 the reason is simple: apparmor is still using a LSB init script. If it were a systemd unit, you could tell systemd to mount /var first. Or do that already in the initrd.
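The two points debated above (where /etc/apparmor.d/cache points, and whether apparmor.service waits for var-lib.mount) can be checked on an installed system with a short script. This is an added example, not part of the request or the apparmor package; the unit file path /usr/lib/systemd/system/apparmor.service and the function names are assumptions.

```shell
#!/bin/sh
# Added example: report where the AppArmor cache lives under a given root
# and whether apparmor.service depends on var-lib.mount.

# Print "symlink:<target>", "directory" or "missing" for the cache path.
cache_kind() {
    path="${1:-}/etc/apparmor.d/cache"
    if [ -L "$path" ]; then
        printf 'symlink:%s\n' "$(readlink "$path")"
    elif [ -d "$path" ]; then
        printf 'directory\n'
    else
        printf 'missing\n'
    fi
}

# Succeed if the unit file lists var-lib.mount in an ordering or
# requirement directive.
unit_depends_on_var_lib() {
    [ -f "$1" ] &&
        grep -Eq '^(After|Requires|Wants|BindsTo)=(.* )?var-lib\.mount( |$)' "$1"
}

# One-line verdict for the tree rooted at $1 (empty means the live system).
audit_cache() {
    root=${1:-}
    unit="$root/usr/lib/systemd/system/apparmor.service"  # assumed path
    kind=$(cache_kind "$root")
    case $kind in
        symlink:/var/lib/*)
            if unit_depends_on_var_lib "$unit"; then
                echo "ok: cache under /var/lib, unit depends on var-lib.mount"
            else
                echo "warn: cache under /var/lib, no var-lib.mount dependency"
            fi ;;
        symlink:*)
            echo "warn: cache symlink points to ${kind#symlink:}" ;;
        directory)
            echo "note: cache is a real directory, parser writes to /etc" ;;
        *)
            echo "info: no cache path present" ;;
    esac
}

audit_cache "${1:-}"
```

Pass an alternate root (for example a mounted snapshot) as the first argument to audit that tree instead of the running system.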
Request History
cboltz created request
factory-auto added opensuse-review-team as a reviewer
Please review sources
factory-auto added factory-repo-checker as a reviewer
Please review build success
factory-auto accepted review
Check script succeeded
licensedigger accepted review
factory-repo-checker accepted review
Builds for repo security:apparmor/openSUSE_Factory
mrdocs accepted review
ok
dimstar_suse added openSUSE:Factory:Staging:D as a reviewer
Being evaluated by staging project "openSUSE:Factory:Staging:D"
dimstar_suse accepted review
Picked openSUSE:Factory:Staging:D
dimstar_suse accepted review
ready to accept
dimstar_suse approved review
ready to accept
dimstar_suse accepted request
Accept to openSUSE:Factory