[Bug 466315] Re: bind9 jaunty to karmic upgrade causes initial apparmor audit with openssl.cnf, seems fixed by installing apparmor-profiles but not really

Jamie Strandboge jamie at ubuntu.com
Tue Nov 10 21:13:28 GMT 2009


Ok, I now know the problem. What is happening is that the AppArmor profile for 9.10 added this line to the profile:
  /etc/ssl/openssl.cnf r,

On upgrade, the package reloads the profile with (see debian/bind9.postinst):
  apparmor_parser -r "$APP_PROFILE" || true

This was fine up until apparmor in 9.10 added cache files (which was
after this change was made). When you install apparmor-profiles, it
restarts apparmor via the initscript, which regenerates all the cache
files. So apparmor-profiles has nothing to do with it -- it just happened
to trigger regenerating the cache files.

I believe the fix to be to change the postinst script to have:
  apparmor_parser -T -W -r "$APP_PROFILE" || true

This will force writing of the cache and should fix this. LaMont, can
you handle this in your next upload for Lucid?


** Changed in: bind9 (Ubuntu)
       Status: Confirmed => Triaged

** Changed in: bind9 (Ubuntu)
   Importance: Undecided => Medium

** Changed in: bind9 (Ubuntu)
     Assignee: Jamie Strandboge (jdstrand) => LaMont Jones (lamont)

** Summary changed:

- bind9 jaunty to karmic upgrade causes initial apparmor audit with openssl.cnf, seems fixed by installing apparmor-profiles but not really
+ bind9 apparmor cache files not regenerated on upgrade

-- 
bind9 apparmor cache files not regenerated on upgrade
https://bugs.launchpad.net/bugs/466315
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to bind9 in ubuntu.


