From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: John Johansen <john.johansen@canonical.com>,
	Seth Arnold <seth.arnold@canonical.com>
Cc: linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: regression in 4.14-rc2 caused by apparmor: add base infastructure for socket mediation
Date: Mon, 02 Oct 2017 22:15:07 -0700
Message-ID: <1507007707.3082.16.camel@HansenPartnership.com>
In-Reply-To: <e6c9af5c-ca42-ee35-5cc0-1a3ba80144b9@canonical.com>

On Mon, 2017-10-02 at 21:11 -0700, John Johansen wrote:
> On 10/02/2017 09:02 PM, James Bottomley wrote:
> > 
> > The specific problem is that dnsmasq refuses to start on openSUSE
> > Leap 42.2.  The specific cause is that an attempt to open a
> > PF_LOCAL socket gets EACCES.  This means that networking doesn't
> > function on a system with a 4.14-rc2 system.
> > 
> > Reverting commit 651e28c5537abb39076d3949fb7618536f1d242e
> > (apparmor: add base infastructure for socket mediation) causes the
> > system to function again.
> > 
> 
> This is not a kernel regression,

Regression means something that worked in a previous version of the
kernel which is broken now. This problem falls within that definition.

> it is because opensuse dnsmasq is starting with policy that
> doesn't allow access to PF_LOCAL socket

Because there was no co-ordination between their version of the patch
and yours.  If you're sending in patches that you know might break
systems because they need a co-ordinated rollout of something in
userspace then it would be nice if you could co-ordinate it ...

Doing it in the merge window and not in -rc2 would also be helpful
because I have more expectation of a userspace mismatch from stuff in
the merge window.

> Christian Boltz the opensuse apparmor maintainer has been working
> on a policy update for opensuse see bug
> 
> https://bugzilla.opensuse.org/show_bug.cgi?id=1061195

Well, that looks really encouraging: The line about "To give you an
impression what "lots of" means - I had to adjust 40 profiles on my
laptop".  The upshot being apart from a bandaid, openSUSE still has no
co-ordinated fix for this.

James
