[pkg-ntp-maintainers] Bug#769146: openntpd: fails to upgrade from 'sid' - trying to overwrite /etc/apparmor.d/usr.sbin.ntpd

Dererk dererk at debian.org
Sat May 23 12:45:16 UTC 2015


On 23/05/15 04:17, intrigeri wrote:
> Hi,
>
> Andreas Beckmann wrote (11 Nov 2014 19:20:37 GMT) :
>>   Selecting previously unselected package openntpd.
>>   Preparing to unpack .../openntpd_20080406p-11_amd64.deb ...
>>   Unpacking openntpd (20080406p-11) ...
>>   dpkg: error processing archive /var/cache/apt/archives/openntpd_20080406p-11_amd64.deb (--unpack):
>>    trying to overwrite '/etc/apparmor.d/usr.sbin.ntpd', which is also in package apparmor-profiles-extra 1.4
>>   Errors were encountered while processing:
>>    /var/cache/apt/archives/openntpd_20080406p-11_amd64.deb
> The ntp and openntpd packages both ship /usr/sbin/ntpd, and rightfully
> conflict with each other. Since we have a 1-to-1 mapping between
> absolute binary names and AppArmor profile (unless we bother confining
> stuff via the initscript or systemd unit file, the latter not being
> supported in sid yet), I think the conflict must be reflected in the
> packages that ship the AppArmor profiles. So I see a few solutions:
>
> 1. Have openntpd conflict with apparmor-profiles-extra. This would be
>    sad, since it prevents openntpd users from benefiting from other,
>    unrelated profiles shipped in apparmor-profiles-extra. OTOH this is
>    very easy and can be temporary, until we can e.g. rename the
>    profile shipped by openntpd to e.g. system_openntpd, and apply it
>    with AppArmorProfile= (see systemd.exec(5)), that should be possible
>    soon after Jessie 8.1 is out.
>
> 2. Remove usr.sbin.ntpd from apparmor-profiles-extra or from openntpd.
>    Same as above, this can be temporary, until systemd v210+ reaches
>    sid and we have nicer solutions.
>
> 3. Move the usr.sbin.ntpd profile from apparmor-profiles-extra to ntp.
>    This seems to be the obvious best long-term solution, I think.
>
> Thoughts, opinions, volunteers?
>
> Dererk: I have added the 'help-needed' usertag for
> user=pkg-apparmor-team at lists.alioth.debian.org, so that this bug is on
> the AppArmor team's radar.
Thanks intrigeri!

I'm up for whichever option you apparmor jedis consider appropriate. I
don't mind any of the scenarios described, but I would prefer to allow
users to make the most out of the apparmor-profiles-extra collection as
well, which seems to conflict with option 1 (at least in the short term).

I'm 100% in agreement with you, and that the more appropriate, long-term
alternative of all three scenarios would be to convince the ntp guys to
import the ntp apparmor profile from apparmor-profiles-extra into ntp
itself, which I honestly think makes sense (and that is what openntpd
does today too).

NTP Team, Hi!
What would you say about importing ntp's apparmor hardening profile into
the ntp package?
This carries a little bit of work, trivial in my opinion, that is,
installing the ntp profile, build-depending on dh-apparmor and Suggesting
apparmor for activation at runtime.
I wouldn't think the changes are more than 4 or 5 lines of diff.

What do you think?


Cheers,

Dererk

-- 
BOFH excuse #306:
CPU-angle has to be adjusted because of vibrations coming from the nearby road
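
Added example, not part of the original message or of any Debian package: a small checker for the situation discussed in this thread, a profile file shipped by two packages that do not declare Conflicts against each other, and the effect of option 3. The manifests are constructed for illustration, the usr.bin.example profile is hypothetical, and only Conflicts is modelled (not Replaces or diversions).

```python
import copy
from itertools import combinations

# Constructed manifests modelled on the bug report (not real package contents).
PACKAGES = {
    "openntpd": {"files": ["/usr/sbin/ntpd", "/etc/apparmor.d/usr.sbin.ntpd"],
                 "conflicts": {"ntp"}},
    "ntp": {"files": ["/usr/sbin/ntpd"], "conflicts": {"openntpd"}},
    "apparmor-profiles-extra": {
        "files": ["/etc/apparmor.d/usr.sbin.ntpd",
                  "/etc/apparmor.d/usr.bin.example"],  # hypothetical second profile
        "conflicts": set()},
}

def profile_to_binary(path):
    """usr.sbin.ntpd -> /usr/sbin/ntpd, per the profile naming convention."""
    return "/" + path.rsplit("/", 1)[-1].replace(".", "/")

def find_overwrites(pkgs):
    """Return (path, pkg_a, pkg_b) for files two co-installable packages ship."""
    owners = {}
    for name, meta in pkgs.items():
        for path in meta["files"]:
            owners.setdefault(path, []).append(name)
    hits = []
    for path, names in sorted(owners.items()):
        for a, b in combinations(sorted(names), 2):
            # Simplification: only Conflicts is modelled, not Replaces/diversions.
            if b not in pkgs[a]["conflicts"] and a not in pkgs[b]["conflicts"]:
                hits.append((path, a, b))
    return hits

def move_file(pkgs, path, src, dst):
    """Return a copy of the manifests with `path` moved from src to dst."""
    out = copy.deepcopy(pkgs)
    out[src]["files"].remove(path)
    out[dst]["files"].append(path)
    return out

if __name__ == "__main__":
    for path, a, b in find_overwrites(PACKAGES):
        print(f"{path} (confines {profile_to_binary(path)}): {a} vs {b}")
    # Option 3 from the thread: the ntp package ships the profile itself.
    fixed = move_file(PACKAGES, "/etc/apparmor.d/usr.sbin.ntpd",
                      "apparmor-profiles-extra", "ntp")
    print("after option 3:", find_overwrites(fixed))
```

With the profile moved into ntp, the only two packages shipping it are ones that already conflict, so the checker reports nothing.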

