[pkg-apparmor] Bug#768415: Bug#769146: openntpd: fails to upgrade from 'sid' - trying to overwrite /etc/apparmor.d/usr.sbin.ntpd

intrigeri intrigeri at debian.org
Fri Jan 1 13:43:49 UTC 2016


Hi,

thanks for following up on this!

Dererk wrote (31 Dec 2015 14:54:08 GMT) :
> Some time and ideas have been shared around this issue. It seems to me
> that the smartest option right now is to split usr.sbin.ntpd apparmor
> profile from apparmor-profile-extras and get it back into the ntp
> package, as it originally was, AFAICS on #769146.

I don't think the ntp package in Debian ever shipped anything
AppArmor-related, so I'm not sure what "as it originally was" refers
to. Perhaps to Ubuntu's ntp package?

Anyway, yes, in the short term moving the two affected conffiles
(usr.sbin.ntpd and tunables/ntpd) to the ntp package is the best we
can do. I'm not sure what the best thing to do is in the long term,
and we _might_ have to move these files somewhere else again in the
future, if there's interest in working on
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768415#10 (which
I personally doubt, so better not block on that).

> Kurt/intrigeri,
> As for what we discussed at the latest DebConf and as for #769146, it seems
> that the three of us agree on it. If that is still the case, I would be
> extremely thankful if we could coordinate this as soon as possible.
> What do you think the most appropriate procedure might be? Would you say
> removing usr.sbin.ntpd profile from apparmor-profile-extras first and
> then get it back in ntp as soon as it reaches testing is fine?
> Ideas?

Yes, we can trivially upload a new apparmor-profile-extras that does
not ship the ntpd profile anymore. I can handle it if required, but
I'd rather see people who have a stronger interest in confining ntpd
(Felix, maybe?) take care of what needs to be done on the
AppArmor side.

On the src:ntp side of things, the easy part of the work that needs to
be done is basically importing the relevant parts of the Ubuntu diff,
since they have been shipping the AppArmor bits for years there.

The harder part, I believe, is handling the "moving conffiles between
packages" problem, which is not trivial to handle nicely in case there
are local changes IIRC. For usr.sbin.ntpd we can perhaps ignore this
problem, as we provide a facility to extend it
(/etc/apparmor.d/local/usr.sbin.ntpd). For tunables/ntpd, I'm less
sure we can ignore the problem, since it's a _tunable_ whose content
is meant to be modified by the local admin. Felix, do you want to take
care of it?

Cheers,
-- 
intrigeri
