[pkg-ntp-maintainers] Bug#824767: The new apparmor profile includes a non-existing file, causes apparmor not to start

Marga Manterola marga at google.com
Thu May 19 14:17:02 UTC 2016


Package: ntp
Version: 1:4.2.8p7+dfsg-3
Severity: important

Hi!

ntp now ships an apparmor profile, which is nice.  However, for users that
actually have apparmor enabled, this new package is causing apparmor to
fail to start:

● apparmor.service - LSB: AppArmor initialization
   Loaded: loaded (/etc/init.d/apparmor; bad; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2016-05-19 16:02:53 CEST; 1min 31s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 54241 ExecStop=/etc/init.d/apparmor stop (code=exited, status=0/SUCCESS)
  Process: 54256 ExecStart=/etc/init.d/apparmor start (code=exited, status=123)

... systemd[1]: Starting LSB: AppArmor initialization...
...  apparmor[54256]: Starting AppArmor profiles:AppArmor parser error for /etc/apparmor.d/usr.sbin.ntpd in /etc/apparmor.d/usr.sbin.ntpd at line 81: Could not open 'local/usr.sbin.ntpd'
...  apparmor[54256]: AppArmor parser error for /etc/apparmor.d/usr.sbin.ntpd in /etc/apparmor.d/usr.sbin.ntpd at line 81: Could not open 'local/usr.sbin.ntpd'
...  apparmor[54256]:  failed!
...  systemd[1]: apparmor.service: Control process exited, code=exited status=123
...  systemd[1]: Failed to start LSB: AppArmor initialization.
...  systemd[1]: apparmor.service: Unit entered failed state.
...  systemd[1]: apparmor.service: Failed with result 'exit-code'.

This is due to the fact that /etc/apparmor.d/usr.sbin.ntpd includes
local/usr.sbin.ntpd which doesn't exist.  Other packages that ship files in
/etc/apparmor.d which include files in local, also ship the files in local:

marga:/etc/apparmor.d$ cat local/usr.bin.evince
# Site-specific additions and overrides for usr.bin.evince.
# For more details, please see /etc/apparmor.d/local/READM

marga:/etc/apparmor.d$ cat local/usr.sbin.cups-browsed
# Site-specific additions and overrides for usr.sbin.cups-browsed.
# For more details, please see /etc/apparmor.d/local/README.

This should be fixed by adding a call to dh_apparmor (see for example:
https://sources.debian.net/src/evince/3.20.0-3/debian/rules/), I think this
should do the trick:

dh_apparmor --profile-name=usr.sbin.ntpd -pntp

While this is easy to work around by just touching the file, I don't think
it's acceptable for ntp to break my already working apparmor installation,
so this could arguably be severity critical with justification: makes
unrelated software on the system break.

Please fix ASAP.

Thanks.
-- 
Cheers,
Marga
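
An added example, not part of the original message and not code from the ntp or apparmor packages: a shell check for the failure reported above, a profile that unconditionally includes a local/ file which does not exist. The function names and the sample tree are constructed for illustration, and the `#include <local/...>` line syntax is an assumption, since the message quotes only the parser error.

```shell
#!/bin/sh
# Added example (not from the ntp or apparmor packages).
# Print "profile:line:path" for every unconditional local/ include whose
# target is missing under DIR; return 1 if any were found, else 0.
missing_local_includes() {
    dir=${1:-/etc/apparmor.d}
    found=0
    for profile in "$dir"/*; do
        [ -f "$profile" ] || continue
        # Matches '#include <local/x>' and 'include <local/x>'. The
        # 'include if exists <local/x>' form tolerates a missing file and
        # is deliberately not matched.
        hits=$(grep -nE '^[[:space:]]*#?include[[:space:]]+<local/[^>]+>' \
            "$profile") || continue
        while IFS= read -r hit; do
            lineno=${hit%%:*}
            path=${hit#*<}
            path=${path%%>*}
            [ -e "$dir/$path" ] && continue
            printf '%s:%s:%s\n' "${profile##*/}" "$lineno" "$path"
            found=1
        done <<EOF
$hits
EOF
    done
    return "$found"
}

# Constructed sample tree (not real profiles) so the check runs offline.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/local"
    printf '/usr/sbin/ntpd {\n  #include <local/usr.sbin.ntpd>\n}\n' \
        > "$t/usr.sbin.ntpd"                 # include target absent
    printf '/usr/bin/evince {\n  #include <local/usr.bin.evince>\n}\n' \
        > "$t/usr.bin.evince"
    : > "$t/local/usr.bin.evince"            # include target present
    printf '/usr/bin/demo {\n  include if exists <local/usr.bin.demo>\n}\n' \
        > "$t/usr.bin.demo"                  # optional include, absent
    printf '%s\n' "$t"
}

sample=$(make_sample_tree)
missing_local_includes "$sample" || echo "missing local includes found" >&2
rm -rf "$sample"
```

Run against a package's staged /etc/apparmor.d tree before upload, a non-zero exit flags a profile that would stop the whole AppArmor init script on systems where it is enabled.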