Summary: | sys-apps/apparmor not working with sys-kernel/vanilla-sources | |
---|---|---|---
Product: | Gentoo Linux | Reporter: | Oleg Gawriloff <barzog>
Component: | Hardened | Assignee: | Michael Palimaka (kensington) <kensington>
Status: | RESOLVED WONTFIX | |
Severity: | normal | CC: | hardened
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Package list: | | Runtime testing required: | ---
Description
Oleg Gawriloff
2015-03-16 12:05:18 UTC
(In reply to Oleg Gawriloff from comment #0)

> When using sys-apps/apparmor-2.8.4 and sys-kernel/vanilla-sources-3.4.106 (or 3.10.71) we have the following error during startup of apparmor init.d:
> AppArmor parser error for /etc/apparmor.d/usr.sbin.nscd in /etc/apparmor.d/usr.sbin.nscd at line 19: ???????????? ??????????? block_suspend.

I'm assuming the error message there is 'Invalid capability', which is expected since BLOCK_SUSPEND exists only in >=3.5 (it was called EPOLLWAKEUP before that).

---

Yes, I figured it out, and commented it out in the nscd file (I assume there should also be a check for kernel versions that don't support it, or at least it should not be bundled to load at startup if there can be a kernel version dependency).

PS: After applying the patches from kernel-patches/3.4 to vanilla-sources, everything works as intended.

---

There's no version check because there isn't any reliable information about what the minimum should be. It's not possible to have AppArmor patch the kernel automatically because a package cannot interfere with the install files of another package.

---

Then at least the docs at http://wiki.gentoo.org/wiki/AppArmor should be changed to mention that patching of vanilla-sources is needed.

I moved to hardened-sources-3.14 (expecting that apparmor would be usable there without any patches) and found another 'missing patch problem' that is described here: https://forums.gentoo.org/viewtopic-p-7694104.html

It seems that it requires at least apparmor 2.9.4, which is not in portage now, and again applying patches from the apparmor sources to the kernel sources. So, it turns out that apparmor support in Gentoo is somewhat broken, and keeping in mind https://bugs.gentoo.org/show_bug.cgi?id=496040, which says exactly: "AppArmor support in Gentoo is pretty much limited to what upstream provides due to manpower/interest. The hardened team isn't able to take care of yet another MAC and although I'm the primary AppArmor maintainer, my interest is more academic so I can't vouch for and maintain a patch set for hardened-sources." There is something that should be pointed out in the documentation at http://wiki.gentoo.org/wiki/AppArmor. And if _that_ MAC is not supported, the question is _which_ MAC is supported?

---

It is a wiki after all, so feel free to update it with any new information. Otherwise, unfortunately the situation hasn't changed so support is still limited to vanilla upstream.

---

Yes. But as I see it, Gentoo is a little bit inconvenient for any apparmor use, because in the current state the 'gentoo way' is to make a separate vanilla/hardened overlay with the appropriate apparmor patches. Are there any problems with adding those 4 patches from apparmor to hardened-sources?

---

Previously they were declined from hardened-sources since nobody was working to test them and keep them up to date. Unfortunately it seems unlikely that anyone is going to pick up maintaining the custom patchset.
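The thread above boils down to a kernel/profile mismatch: the parser rejects a `capability block_suspend,` rule on a kernel that predates that capability, and the reporter's workaround was to comment the rule out by hand. The following POSIX shell check is an added example written for this page; it is not code from the bug report, from AppArmor, or from Gentoo. It assumes the thread's figure that `block_suspend` needs Linux >= 3.5 (it does not consult the parser's own capability tables), and the sample profile it writes is constructed for the test rather than copied from the real `usr.sbin.nscd` file. It lets an administrator predict, before `rc-service apparmor start` fails, which profiles will trip the "Invalid capability" error on the running kernel.

```shell
#!/bin/sh
# Added example, not code from the bug report or from AppArmor/Gentoo.
# Predicts the "Invalid capability" parser error from the thread: a profile
# that requests the block_suspend capability cannot be loaded on a kernel
# older than 3.5 (the minimum given in the thread; assumed here, not checked
# against the parser's own capability tables).

BLOCK_SUSPEND_MIN_MAJOR=3
BLOCK_SUSPEND_MIN_MINOR=5

# kernel_has_block_suspend VERSION
# Return 0 if VERSION (e.g. 3.4.106, 3.10.71, 4.4.0-gentoo) is >= 3.5.
kernel_has_block_suspend() {
    ver=$1
    major=${ver%%.*}
    major=${major%%[!0-9]*}
    if [ "$ver" = "$major" ]; then
        minor=0                        # bare "3": treat as 3.0
    else
        rest=${ver#*.}
        minor=${rest%%.*}
        minor=${minor%%[!0-9]*}        # drop suffixes such as "-hardened"
    fi
    : "${major:=0}" "${minor:=0}"      # guard against empty fields
    if [ "$major" -gt "$BLOCK_SUSPEND_MIN_MAJOR" ]; then
        return 0
    fi
    if [ "$major" -eq "$BLOCK_SUSPEND_MIN_MAJOR" ] && \
       [ "$minor" -ge "$BLOCK_SUSPEND_MIN_MINOR" ]; then
        return 0
    fi
    return 1
}

# block_suspend_lines PROFILE
# Print "LINENO:text" for every uncommented capability rule in PROFILE that
# names block_suspend; return 0 if at least one was found, 1 otherwise.
# Lines that start with '#' (the reporter's workaround) are skipped.
block_suspend_lines() {
    grep -n -E '^[[:space:]]*capability[[:space:]][^#]*block_suspend[[:space:],]' "$1"
}

# check_profile PROFILE KERNEL_VERSION
# Return 0 if PROFILE should parse on KERNEL_VERSION, 1 if it will hit the
# invalid-capability error; the offending lines are printed to stderr.
check_profile() {
    profile=$1
    kver=$2
    if kernel_has_block_suspend "$kver"; then
        return 0
    fi
    if hits=$(block_suspend_lines "$profile"); then
        printf '%s: block_suspend needs Linux >= %s.%s, running %s\n' \
            "$profile" "$BLOCK_SUSPEND_MIN_MAJOR" "$BLOCK_SUSPEND_MIN_MINOR" "$kver" >&2
        printf '%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# make_sample_profile
# Write a constructed profile (loosely modelled on usr.sbin.nscd, not the
# real file) to a temp file and print its path.
make_sample_profile() {
    f=${TMPDIR:-/tmp}/apparmor_sample_$$.profile
    cat > "$f" <<'EOF'
#include <tunables/global>
/usr/sbin/nscd {
  #include <abstractions/base>
  capability net_bind_service,
  # capability block_suspend,    (commented out: must not be reported)
  capability block_suspend,
  /var/run/nscd/** rw,
}
EOF
    printf '%s\n' "$f"
}

# Usage on a live system (not run here):
#   for p in /etc/apparmor.d/*; do check_profile "$p" "$(uname -r)"; done
```

The kernel version is passed in rather than read with `uname -r` inside the functions so the check can also be run against a kernel you are about to boot into. Note that this only covers the one capability named in the thread; a profile can fail for other reasons on an unpatched vanilla kernel, which is the broader point the maintainer makes about the missing kernel patches.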