[Bug 203898] [NEW] slapcat broken when default apparmor profile is enabled

Jamie Strandboge jamie at ubuntu.com
Wed Mar 19 13:07:55 GMT 2008

Public bug reported:

A simple 'sudo slapcat -l ./foo.ldif' results in this apparmor entry:

Mar 19 12:30:07 hardy-amd64-sec kernel: [    0.000000]
audit(1205929807.141:3): operation="inode_create" request_mask="w::"
denied_mask="w::" name="/home/jamie/foo.ldif" pid=4384
profile="/usr/sbin/slapd" namespace="default"

The reason why is because slapcat is a symlink to slapd, and apparmor
evaluates symlinks to the name of the file they point to.  One solution
might be to use hard links instead of symlinks.

As slapacl, slapadd, slapauth, slapdn, slapindex, slappasswd and
slaptest are also symlinks, these are all likely broken as well.

** Affects: openldap2.3 (Ubuntu)
     Importance: Undecided
     Assignee: Jamie Strandboge (jamie-strandboge)
         Status: Confirmed

** Changed in: openldap2.3 (Ubuntu)
     Assignee: (unassigned) => Jamie Strandboge (jamie-strandboge)
       Status: New => Confirmed
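
The check below lists the command names that end up under another binary's profile for the reason given in the report. It is an added example, not part of the original bug report or of the openldap packaging. The function names and the temporary fixture directory are assumptions for illustration; on a real system the directory would be /usr/sbin and the binary /usr/sbin/slapd.

```shell
#!/bin/sh
# Added example: find command names that are symlinks to a profiled binary.
# Per the report, AppArmor evaluates a symlink to the file it points to, so
# every name printed by symlinks_to runs under the target's profile.

# Print the profile="..." value from an AppArmor audit line read on stdin.
denial_profile() {
    sed -n 's/.*profile="\([^"]*\)".*/\1/p'
}

# symlinks_to DIR BINARY: names in DIR that are symlinks resolving to BINARY.
symlinks_to() {
    target=$(readlink -f "$2") || return 1
    for f in "$1"/*; do
        [ -L "$f" ] || continue
        if [ "$(readlink -f "$f")" = "$target" ]; then
            basename "$f"
        fi
    done | sort
}

# Constructed fixture (hypothetical layout): a stand-in sbin directory with a
# fake slapd, two symlinks to it, one hard link and one unrelated file.
make_fixture() {
    d=$(mktemp -d) || return 1
    : > "$d/slapd"
    ln -s slapd "$d/slapcat"          # relative symlink
    ln -s "$d/slapd" "$d/slapadd"     # absolute symlink
    ln "$d/slapd" "$d/slapindex"      # hard link, the alternative the report suggests
    : > "$d/other"
    printf '%s\n' "$d"
}

# The denial from the report, unwrapped onto one line.
LOG='audit(1205929807.141:3): operation="inode_create" request_mask="w::" denied_mask="w::" name="/home/jamie/foo.ldif" pid=4384 profile="/usr/sbin/slapd" namespace="default"'

demo() {
    fix=$(make_fixture) || return 1
    prof=$(printf '%s\n' "$LOG" | denial_profile)
    echo "denial attributed to profile: $prof"
    echo "symlinked names sharing it: $(symlinks_to "$fix" "$fix/slapd" | tr '\n' ' ')"
    rm -rf "$fix"
}
demo
```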
