touch-packages team mailing list archive

[Bug 1495170] [NEW] man apparmor still assumes upstart as init

 

Public bug reported:

To reproduce, run man apparmor in a terminal or shell. The section
"Ubuntu policy load" assumes upstart, as in 14.10 and earlier.

To copy the section from the man page it is

UBUNTU POLICY LOAD
       Ubuntu systems use upstart(8) instead of a traditional SysV init system.  Because upstart is an event-driven init system and understanding that policy must be loaded before execution, Ubuntu loads
       policy in two ways:

        1. via upstart jobs for services started during the boot process
        2. via the AppArmor upstart job for any remaining policy

       The AppArmor upstart job is configured to make sure all policy is loaded before any user sessions start. When developing policy it is important to know how your application is started and if policy
       load should be handled specially.

       The upstart job may be call with or without arguments, like so:

               $ sudo start apparmor
               $ sudo start apparmor ACTION=clear         # clear policy cache
               $ sudo start apparmor ACTION=teardown      # unload all policy
               $ sudo start apparmor ACTION=reload        # reload policy
               $ sudo start apparmor ACTION=force-reload  # same as 'reload'

       Because the job is an upstart(8) task, use 'start apparmor
ACTION=teardown' to unload all policy.

       In general, nothing extra has to be done for applications not
started during boot or those that start after AppArmor's upstart job.

       If the confined application has an Upstart job, adjust the job to
call /lib/init/apparmor-profile-load with the filename of the policy
file (relative to /etc/apparmor.d/). For example:

               pre-start script
                       /lib/init/apparmor-profile-load usr.bin.foo
               end script

       If the confined application does not have an Upstart job but it starts before AppArmor's second stage initscript, then add a symlink from the policy file in /etc/apparmor.d to
       /etc/apparmor/init/network-interface-security/. For example:

               $ cd /etc/apparmor/init/network-interface-security/
               $ sudo ln -s /etc/apparmor.d/usr.bin.foo .

       The network-interface-security Upstart job will load all the symlinked policy files in /etc/apparmor/init/network-interface-security/ before any network interfaces come up. Because network interfaces
       come up very early in the boot process, this will help ensure that AppArmor policy is loaded before the confined application starts.

       In addition, AppArmor on Ubuntu stores policy in two places:

        1. /etc/apparmor.d for system policy
        2. /var/lib/apparmor/profiles for click policy

       See apparmor_parser(8) and aa-clickhook(1) for details.
Suggests: apparmor-profiles, apparmor-profiles-extra, apparmor-docs, apparmor-utils



apparmor:
  Installed: 2.10-0ubuntu6
  Candidate: 2.10-0ubuntu6
  Version table:
 *** 2.10-0ubuntu6 0
        500 http://us.archive.ubuntu.com/ubuntu/ wily/main amd64 Packages
        100 /var/lib/dpkg/status
Description:	Ubuntu Wily Werewolf (development branch)
Release:	15.10

I expected to read how ubuntu policy load works and not how it worked in
an old version. Instead I got how it works in 14.10 and earlier and
could not read how apparmor policy is loaded. I think this should be
updated.

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: apparmor 2.10-0ubuntu6
ProcVersionSignature: Ubuntu 4.2.0-7.7-generic 4.2.0
Uname: Linux 4.2.0-7-generic x86_64
ApportVersion: 2.18.1-0ubuntu1
Architecture: amd64
CurrentDesktop: LXDE
Date: Sat Sep 12 20:44:10 2015
InstallationDate: Installed on 2014-09-30 (347 days ago)
InstallationMedia: Lubuntu 14.10 "Utopic Unicorn" - Alpha amd64 (20140930)
JournalErrors:
 No journal files were found.
 -- No entries --
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-4.2.0-7-generic root=/dev/sdb1 ro quiet splash nomdmonddf nomdmonisw nomdmonddf nomdmonisw nomdmonddf nomdmonisw nomdmonddf nomdmonisw nomdmonddf nomdmonisw nomdmonddf nomdmonisw nomdmonddf nomdmonisw nomdmonddf nomdmonisw
SourcePackage: apparmor
UpgradeStatus: Upgraded to wily on 2015-08-07 (36 days ago)

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug wily

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1495170

Title:
  man apparmor still assumes upstart as init

Status in apparmor package in Ubuntu:
  New

