The current init script has this function called get_active_profiles(). The problem with that is that, for example, during restart or stopping of the service (remove_profiles() invokes it), it tries to remove the active profiles one by one; however, there are profiles which have subprofiles, see the example below.

gaia3 balage # cat /sys/kernel/security/apparmor/profiles
/usr/sbin/ntpd (enforce)
/usr/sbin/syslog-ng (enforce)
/usr/sbin/sshd (enforce)
/usr/sbin/sshd//PRIVSEP_MONITOR (enforce)
/usr/sbin/sshd//PRIVSEP (enforce)
/usr/sbin/sshd//EXEC (enforce)
/usr/sbin/sshd//AUTHENTICATED (enforce)
/usr/sbin/dnsmasq (enforce)

Now, as you see, the profile "/usr/sbin/sshd" will be removed first; however, it will automatically remove the subprofiles too, so when the init script tries to remove the subprofiles, they have already been removed and printf will throw an error.

I don't know what solution would be elegant here, but this small patch fixed it for me.

--- apparmor-init 2013-05-27 10:09:34.342964855 +0200
+++ /etc/init.d/apparmor 2013-06-03 16:06:27.152291221 +0200
@@ -103,7 +103,7 @@
 }
 get_active_profiles() {
-    PROFILES=`sed -e "s/ (\(enforce\|complain\))//" "${SECURITYFS}/profiles"`
+    PROFILES=`sed -e "s/ (\(enforce\|complain\))//" "${SECURITYFS}/profiles" | grep -v \/\/`
     echo $PROFILES
 }

Reproducible: Always
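Review bot: the added `grep -v \/\/` in the get_active_profiles() hunk works but deserves a one-line comment saying why child profiles are dropped (removing "/usr/sbin/sshd" also removes "/usr/sbin/sshd//PRIVSEP" and the other "//" entries, so listing them for removal makes a later remove fail); a reader of the init script alone cannot tell the filter is intentional. The backslashes are also unnecessary, since "/" is not a regex metacharacter: `grep -Fv '//'` states the intent (fixed-string, inverted match) more plainly. While touching the line, the unquoted `echo $PROFILES` word-splits the sed output into one space-separated list, which is what the callers rely on, so that should stay as is; if it is ever changed to a quoted form the callers' loop would break.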
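The following is an added example, not the Gentoo init script or any code from the report above: it takes a listing in the /sys/kernel/security/apparmor/profiles format, strips the trailing mode, and keeps only top-level profile names so that "parent//child" subprofiles, which are unloaded together with their parent, are never handed to the removal loop. The sample listing is constructed from the output shown in the report, and the mode pattern is generalized to any "(mode)" string rather than just enforce/complain; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not the Gentoo apparmor init script): compute the set of
# top-level AppArmor profiles to remove, dropping "parent//child" entries.

# Write a constructed sample listing (the profiles from the bug report) to $1.
make_sample_listing() {
    cat > "$1" <<'EOF'
/usr/sbin/ntpd (enforce)
/usr/sbin/syslog-ng (enforce)
/usr/sbin/sshd (enforce)
/usr/sbin/sshd//PRIVSEP_MONITOR (enforce)
/usr/sbin/sshd//PRIVSEP (enforce)
/usr/sbin/sshd//EXEC (enforce)
/usr/sbin/sshd//AUTHENTICATED (enforce)
/usr/sbin/dnsmasq (enforce)
EOF
}

# Print one top-level profile name per line from listing file $1.
# The trailing " (mode)" is stripped with "([^)]*)" so it covers any mode
# string (assumption: this generalizes the enforce/complain pattern in the
# report), and names containing the "//" subprofile separator are dropped
# because unloading the parent already unloads them.
top_level_profiles() {
    sed -e 's/ ([^)]*)$//' "$1" | grep -Fv '//'
}

# Return 0 if profile name $1 is a subprofile (contains "//"), 1 otherwise.
is_subprofile() {
    case "$1" in
        *//*) return 0 ;;
        *) return 1 ;;
    esac
}

# Count the top-level profiles in listing file $1.
count_top_level() {
    top_level_profiles "$1" | wc -l | tr -d ' '
}

# Stand-alone demo: run with --demo to print what would be removed.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_listing "$tmp"
    echo "Profiles to remove (top-level only):"
    top_level_profiles "$tmp"
    rm -f "$tmp"
fi
```

For the sample listing this yields four names (ntpd, syslog-ng, sshd, dnsmasq); the four sshd subprofiles are filtered out, so a removal loop over this list never writes a name that the kernel has already dropped.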
Thanks for the report. I have rewritten the init script to act as a wrapper around upstream's RC functions. This will improve consistency with other distros and will solve a couple of bugs like this one. http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=670625009874671eb04622eca3b1fe3a3ccf274c