Control: severity -1 minor
Control: tag -1 + upstream

Dear Gabriel,

Gabriel Filion:
> Severity: critical
> Justification: breaks unrelated software

Let's sort this out first as there seems to be a misunderstanding.

IMO this bug is not RC because:

 1. The profile this bug report is about is not enforced by default;
    it's not even shipped in /etc/apparmor.d. It takes 2 manual steps
    to enforce it, so thankfully, we're far from shipping a broken
    default configuration :)

 2. This profile is shipped in a directory whose README says:

      The profiles in this directory are not turned on by default
      because they are not as mature as the profiles in
      /etc/apparmor.d/. In some cases, it is because the profile
      hasn't been updated to work with newer code; in other cases, it
      because any benefit provided by the profile is much less than
      the potential for causing problems.

      In short, feel free to try these profiles if you wish, but be
      aware that they may not work on default configurations, let
      alone your specific configuration.

If you came across instructions that told you to enforce such profiles
and that did not point you to the aforementioned warning, then I'm
very sorry! I'll treat this as a RC bug. Please point me to that doc
and I'll fix it ASAP. Thanks in advance!

> I've started using apparmor very recently,

Cool, thanks a lot :)

> and when I rebooted to activate the kernel part, I didn't notice the
> issue below.. but a couple reboots afterwards I couldn't obtain
> a DHCP address anymore for wired and wifi interfaces.

Thanks for reporting this. I'm sorry this profile broke an essential
part of your system.

I'm not surprised though: to the best of my knowledge, nobody is
actively using this profile on, and maintaining this profile for,
Debian. Quite some paths in it don't match where things are shipped in
Debian. This is why we don't enable this profile by default.

The good news is that there is a dhclient profile available elsewhere,
that works way better on Debian: see #795467.

The bad news is that the current situation is very confusing.
One might expect that Ubuntu, as the main contributor to AppArmor
upstream, would keep the upstream profile in sync' with what they are
shipping in their distro, but it's not the case currently; there are
probably historical reasons for it and I understand it may not be high
on the priority list at the moment since they have something that
works fine for them.

Ideally, someone would upstream the (upstream - Ubuntu profile) delta.
And then we can decide whether we ship it via isc-dhcp-client
(synchronizing it regularly from src:apparmor) or in the
apparmor-profiles package.

Cheers,
--
intrigeri