[Pkg-dns-devel] Bug#893005: bind9: incorrect apparmor profile name in d/rules

Thu Mar 15 13:35:37 UTC 2018

Package: bind9
Version: 9.11.2.P1-1
Severity: normal

Dear Maintainer,

bind9 specifies an apparmor profile like this in d/rules:

    dh_apparmor -pbind9 --profile-name=usr.bin.named

But the profile itself is usr.sbin.named:

    debian/extras/apparmor.d/usr.sbin.named

This generates an incorrect postinst snippet and the local/ include bit is
not generated:

(...)
if [ "$1" = "configure" ]; then
    APP_PROFILE="/etc/apparmor.d/usr.bin.named"
    if [ -f "$APP_PROFILE" ]; then
        # Add the local/ include
        LOCAL_APP_PROFILE="/etc/apparmor.d/local/usr.bin.named"

        test -e "$LOCAL_APP_PROFILE" || {
            mkdir -p `dirname "$LOCAL_APP_PROFILE"`
            install --mode 644 /dev/null "$LOCAL_APP_PROFILE"
        }
(...)

APP_PROFILE with the name usr.bin.named does not exist, and the rest of the
code isn't run.

Apparmor fails to reload because of the missing local/ file:

# systemctl status apparmor.service
● apparmor.service - AppArmor initialization
   Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor
preset: enabled)
   Active: failed (Result: exit-code) since Thu 2018-03-15 13:22:40 UTC; 4s
ago
     Docs: man:apparmor(7)
           http://wiki.apparmor.net/
  Process: 1250 ExecStart=/etc/init.d/apparmor start (code=exited,
status=123)
 Main PID: 1250 (code=exited, status=123)

Mar 15 13:22:40 touching-fish systemd[1]: Starting AppArmor
initialization...
Mar 15 13:22:40 touching-fish apparmor[1250]: Starting AppArmor
profiles:AppArmor parser error for /etc/apparmor.d/usr.sbin.named in
/etc/apparmor.d/usr.sbin.named at line 69: Could not open 'local/
usr.sbin.name
d'
Mar 15 13:22:40 touching-fish apparmor[1250]: AppArmor parser error for
/etc/apparmor.d/usr.sbin.named in /etc/apparmor.d/usr.sbin.named at line
69: Could not open 'local/usr.sbin.named'
Mar 15 13:22:40 touching-fish apparmor[1250]:  failed!
Mar 15 13:22:40 touching-fish systemd[1]: apparmor.service: Main process
exited, code=exited, status=123/n/a
Mar 15 13:22:40 touching-fish systemd[1]: apparmor.service: Failed with
result 'exit-code'.
Mar 15 13:22:40 touching-fish systemd[1]: Failed to start AppArmor
initialization.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pkg-dns-devel/attachments/20180315/59ee87cd/attachment.html>