Package Details: apparmor 2.10.1-1

Git Clone URL: https://aur.archlinux.org/apparmor.git (read-only)
Package Base: apparmor
Description: Linux application security framework - mandatory access control for programs (metapackage)
Upstream URL: http://wiki.apparmor.net/index.php/Main_Page
Licenses: GPL
Submitter: Harvie
Maintainer: MarcinWieczorek
Last Packager: MarcinWieczorek
Votes: 80
Popularity: 2.930990
First Submitted: 2010-10-28 14:55
Last Updated: 2016-06-21 14:33

Latest Comments

peetaur commented on 2016-06-25 07:16

Either this:
sudo ln -s LibAppArmor/_LibAppArmor.cpython-35m-x86_64-linux-gnu.so /lib/python3.5/site-packages

or this:
sudo mv /lib/python3.5/site-packages/LibAppArmor/_LibAppArmor.cpython-35m-x86_64-linux-gnu.so /lib/python3.5/site-packages

seems to fix the error
ImportError: No module named '_LibAppArmor'


@MarcinWieczorek shouldn't this so file be in site-packages then, not site-packages/LibAppArmor?

kyleh commented on 2016-06-23 20:04

After the last update I can't run several scripts (like aa-genprof, aa-complain, aa-enforce) unless I manually set the PYTHON and PYTHONPATH variables to python3.5 paths. Otherwise I get an ImportError:
http://pastebin.com/HDLzcR3H

adventurer commented on 2016-04-13 17:13

@teekay: Thanks! I just disowned it.

teekay commented on 2016-04-13 16:45

@adventurer: I'm innocent. No idea how that happened. Just hit the disown button.

adventurer commented on 2016-04-13 15:52

What? I asked to be removed as co-maintainer as I don't use Arch any more - but now I'm registered as the maintainer of this package! What's all this good for?

teekay commented on 2016-04-12 16:38

Please someone take over that package. I'm not running an Arch server with need for AppArmor anymore, so can't really test.

Version 2.11 will be out soon.

adventurer commented on 2015-10-07 16:06

@teekay: Please remove me as co-maintainer. I'm sorry but I moved to another distro. "The times they are a-changin'" (Bob Dylan)

ddreamer commented on 2015-08-20 16:31

Finally, I have worked it out, though a bug with rEFInd kept me in trouble for days.

adventurer commented on 2015-08-12 18:06

@ddreamer: You compiled your own AppArmor-enabled kernel with those options mentioned in the wiki, didn't you? If not, installing apparmor is useless.

ddreamer commented on 2015-08-12 15:42

Hi,

I just installed the latest apparmor from this AUR and activated the kernel module by "apparmor=1 security=apparmor" (as instructed in https://wiki.archlinux.org/index.php/AppArmor).

However, it failed.

<<My 5 tests>>
1. cat /sys/module/apparmor/parameters/enabled
File not found

2. systemctl status apparmor.service
apparmor.service - AppArmor profiles
Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since 三 2015-08-12 23:01:42 CST; 16min ago
Process: 1900 ExecStart=/usr/bin/apparmor_load.sh (code=exited, status=1/FAILURE)
Main PID: 1900 (code=exited, status=1/FAILURE)
8月 12 23:01:41 ddreamer.X555LD systemd[1]: Starting AppArmor profiles...
8月 12 23:01:42 ddreamer.X555LD systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
8月 12 23:01:42 ddreamer.X555LD systemd[1]: Failed to start AppArmor profiles.
8月 12 23:01:42 ddreamer.X555LD systemd[1]: apparmor.service: Unit entered failed state.
8月 12 23:01:42 ddreamer.X555LD systemd[1]: apparmor.service: Failed with result 'exit-code'.

3. dmesg
[ 5.627096] systemd[1]: apparmor.service: Unit entered failed state.
[ 5.640443] systemd[1]: apparmor.service: Failed with result 'exit-code'.

4. sudo aa-status
apparmor module is not loaded.

5. sudo /usr/bin/apparmor_parser -r $(find /etc/apparmor.d/ -maxdepth 1 -type f)
Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
???/proc/mounts ??????? fs,??????
??? --subdomainfs ???

================
Can somebody help me?

ddreamer commented on 2015-08-12 15:27

Hi,

I just installed the latest apparmor from this AUR and activated the kernel module by "apparmor=1 security=apparmor" (as instructed in https://wiki.archlinux.org/index.php/AppArmor).

However, it failed.

<<My 4 tests>>
1. cat /sys/module/apparmor/parameters/enabled
File not found

2. systemctl status apparmor.service
apparmor.service - AppArmor profiles
Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since 三 2015-08-12 23:01:42 CST; 16min ago
Process: 1900 ExecStart=/usr/bin/apparmor_load.sh (code=exited, status=1/FAILURE)
Main PID: 1900 (code=exited, status=1/FAILURE)
8月 12 23:01:41 ddreamer.X555LD systemd[1]: Starting AppArmor profiles...
8月 12 23:01:42 ddreamer.X555LD systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
8月 12 23:01:42 ddreamer.X555LD systemd[1]: Failed to start AppArmor profiles.
8月 12 23:01:42 ddreamer.X555LD systemd[1]: apparmor.service: Unit entered failed state.
8月 12 23:01:42 ddreamer.X555LD systemd[1]: apparmor.service: Failed with result 'exit-code'.

3. dmesg
[ 5.627096] systemd[1]: apparmor.service: Unit entered failed state.
[ 5.640443] systemd[1]: apparmor.service: Failed with result 'exit-code'.

4. #aa-status
apparmor module is not loaded.

================
Can somebody help me?

teekay commented on 2015-08-11 16:35

@ygyfygy: please try a possible fix (no pkgrel bump, just download it again)

Also make sure you do have podchecker in /usr/bin/core_perl/

ygyfygy commented on 2015-08-09 13:39

Doesn't build:

-> Building: apparmor-libapparmor
Running aclocal
Running autoconf
Running libtoolize
Running automake
Unescaped left brace in regex is deprecated, passed through in regex; marked by <-- HERE in m/\${ <-- HERE ([^ \t=:+{}]+)}/ at /usr/bin/automake line 3936.
configure.ac:8: warning: AM_INIT_AUTOMAKE: two- and three-arguments forms are deprecated. For more info, see:
configure.ac:8: http://www.gnu.org/software/automake/manual/automake.html#Modernize-AM_005fINIT_005fAUTOMAKE-invocation
doc/Makefile.am:10: warning: subst .2,.pod,$(man_MANS: non-POSIX variable name
doc/Makefile.am:10: (probably a GNU make extension)
doc/Makefile.am:10: warning: subst .3,.pod,$(man_MANS: non-POSIX variable name
doc/Makefile.am:10: (probably a GNU make extension)
doc/Makefile.am:17: warning: '%'-style pattern rules are a GNU make extension
doc/Makefile.am:26: warning: '%'-style pattern rules are a GNU make extension
src/Makefile.am:60: warning: '%'-style pattern rules are a GNU make extension
src/Makefile.am:1: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
testsuite/Makefile.am:5: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for style of include used by make... GNU
checking for gcc... /usr/bin/gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether /usr/bin/gcc accepts -g... yes
checking for /usr/bin/gcc option to accept ISO C89... none needed
checking whether /usr/bin/gcc understands -c and -o together... yes
checking dependency style of /usr/bin/gcc... gcc3
checking for flex... flex
checking lex output file root... lex.yy
checking lex library... -lfl
checking whether yytext is a pointer... yes
checking for bison... bison -y
checking for a sed that does not truncate output... /usr/bin/sed
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for swig... /usr/bin/swig
checking whether the libapparmor debug output should be enabled... no
checking whether the libapparmor man pages should be generated... yes
checking for podchecker... no
configure: error:
The podchecker program was not found in the default path. podchecker is part of
Perl, which can be retrieved from:

https://www.perl.org


:(. I recompiled my kernel to use AppArmor.

teekay commented on 2015-07-31 04:21

md5sum was wrong, indeed - no idea how that happened. I did build and was using that package. Anyways, switched to sha256sums.

Thanks, mattoufoutu.

mattoufoutu commented on 2015-07-30 20:25

Checksum for apparmor archive (apparmor-2.10.tar.gz) seems to be wrong, it should be 9fd9b6b3525882fdb9441d0f0a8f9162.
Also, as MD5 is now considered obsolete and shouldn't be trusted anymore, it would be nice to add SHA256 sums to the PKGBUILD.

teekay commented on 2015-07-30 18:36

@adventurer: added. Take care! :-)

adventurer commented on 2015-07-30 17:53

@teekay: In principle I would be willing to co-maintain. Unfortunately, I've never done it before, so I have to make myself familiar with the whole process of creating and uploading packages etc. We'll see ...

teekay commented on 2015-07-30 17:09

Updated.

Any volunteers for the co-maintainers?

adventurer commented on 2015-07-19 11:07

Newest stable version 2.10 published on 2015-07-14: https://launchpad.net/apparmor

Release notes: http://wiki.apparmor.net/index.php/ReleaseNotes_2_10

teekay commented on 2015-05-03 04:59

@tequa: bison is part of base-devel group. After=local-fs.target makes sense, added. Thanks!

@ievans3024: fixed.

ievans3024 commented on 2015-05-01 18:42

Please fix the PKGBUILD so that arch= are consistently labeled for every subpackage. apparmor fails to install because apparmor-profiles, apparmor-utils and apparmor-vim are labeled arch=('any') while the base package arch is set to ('i686' 'x86_64')

This causes pacman/pacaur to look for apparmor-profiles-2.9.1-1-x86_64.pkg.tar.xz, even though the file created by makepkg is apparmor-profiles-2.9.1-1-any.pkg.tar.xz, for example.

adventurer commented on 2015-04-27 09:42

AppArmor 2.9.2 released:
https://launchpad.net/apparmor/+announcement/13418

tequa commented on 2015-03-08 19:43

2 feature requests:
- It seems that 'bison' is another build dependency needed for this package.
- for my installation the apparmor.service needs an additional line "After=local-fs.target" to be able to access /var/log/apparmor.init.log on boot.

Harvie commented on 2014-11-18 02:00

Well... it's really important to make sure that apparmor profiles are loaded as soon as possible (= once filesystems with apparmor and profiles are mounted) and before starting any services.

I am not sure which target is best for this... Probably i should read something about systemd's targets to make this clear.

teekay commented on 2014-10-25 08:11

@falconindy: thanks. I committed it, but I don't think it makes sense. The basic.target sounds like the right place to be for apparmor. It would be interesting to know which services caused problems for that user.

falconindy commented on 2014-10-24 19:22

Your service doesn't do what you actually want it to -- start before basic.target is activated. As a result, profiles are loaded in parallel with services and may not be applied properly. I'd suggest the following unit instead:

https://paste.xinu.at/C1z/

(I'm not an apparmor user, but someone in #systemd on freenode used this unit and pointed out the ordering problem).

seletskiy commented on 2014-03-29 13:08

@Lekensteyn: No, there is no problem with modules, everything works just fine. Also, there is weak (or none at all) mount restriction in the stock kernel, which was critical for me, so I've decided to rebuild the kernel with the corresponding patch.

Lekensteyn commented on 2014-03-29 13:04

I see, you just take the stock arch kernel config, in addition enable apparmor and make bzImage. Won't all modules get marked with an OOT taint then? Personally I just use a stripped config, throw the PKGBUILD and related files on a fast build machine and fetch it a few minutes later.

For me it doesn't really matter that the profile list is invisible, as long as the rules can be loaded.

seletskiy commented on 2014-03-29 12:54

@Lekensteyn: By the way, apparmor in stock kernel is pretty useless (e.g., you can not see profiles list). However, it is possible to recompile kernel without modules, it will be much faster to do; in that case apparmor kernel will use native kernel modules. I use this kind of kernel on production servers (https://github.com/seletskiy/arch-apparmor)

Lekensteyn commented on 2014-03-29 11:27

Just to let you know, there is a discussion[1] on arch-general to drop apparmor support from the stock kernel. This will require you to build your own kernel to have apparmor support.

[1]: https://mailman.archlinux.org/pipermail/arch-general/2014-March/035638.html

AnAkkk commented on 2014-03-26 10:32

There's a profile for skype here as well:
https://wiki.archlinux.org/index.php/Skype#AppArmor
Dunno which one is the best.

teekay commented on 2014-03-25 19:32

@Nowaker: :D
I just added a fixed _majorver=2.8 as other hacks are just annoying..

Nowaker commented on 2014-03-25 19:27

@teekay You are right, Chrome aggressive cache just hit me. Without ANY possibility to turn it completely off. Anyway, it looks like AUR doesn't know what ${pkgver%.*} means. I'd prefer to have some manual _pkgver= just below pkgver= so AUR interface renders the link correctly. But it's up to you.

@Lekensteyn, @Iqualfragile, thanks, I will try them.

teekay commented on 2014-03-25 19:17

@Nowaker: not sure what you mean with where to put the fake _bigver. Are you maybe looking at an old version of the PKGBUILD (e.g. from browser cache)? I dropped those two "test $BASH_VERSION test bigver blah" conditionals, because it makes the PKGBUILD look ugly.

Lekensteyn commented on 2014-03-25 18:47

Perhaps you can also get some inspiration from:
https://github.com/Lekensteyn/aur/blob/master/apparmor/usr.bin.skype

Not sure if it still works due to pulseaudio changes.

Iqualfragile commented on 2014-03-25 18:40

I already have a skype profile, which is based on a profile I found online. You could base your work on that
http://bpaste.net/show/LdR726IAWMuK3Lbg4pTd/

Nowaker commented on 2014-03-25 18:33

@teekay, You could add a fake bigver="..." before conditional bigver so sources list in AUR looks good.

In the next day I will write a profile for Skype and let you know how it works for me. Thanks for adopting!

teekay commented on 2014-03-25 17:41

Forgot one of the most important changes:

- fix all sample profiles wrt /usr merge

That one may cause file conflicts.
Again, backup your existing profiles before upgrading!

teekay commented on 2014-03-25 17:31

Okay, adopted. So, here's the update

- use sed -i in a prepare() fashion
- fix build to use make -C ... (fixes common/rules not found warnings)
- added backup() "hack" for profiles
- dropped ruby bindings
- use python3
- fixed vim file generation & installation
- remove the old conflicts/replaces galore

Please test and report any issues.
I advise anyone to do a backup of your generated apparmor.d profiles if you're upgrading - just in case.

teekay commented on 2014-03-25 16:04

@Nowaker & AnAkkk: I'm the maintainer of apparmor-stable-bzr. If you want I can adopt this one, too.

Nowaker commented on 2014-03-24 22:32

@AnAkkk Thanks for letting me know. I offered him to adopt this one and remove the latter.

AnAkkk commented on 2014-03-24 21:51

FYI this package seems to be the same and up to date: https://aur.archlinux.org/packages/apparmor-stable-bzr/
Not sure if the two should be merged, but it might help upgrading it.

Nowaker commented on 2014-03-24 21:49

I asked the maintainer to upgrade or disown. Since he disowned, I adopted it and will fix the package ASAP.

AnAkkk commented on 2014-03-13 13:29

It works fine by just setting pkgver to 2.8.3 (and the matching MD5). It doesn't even need to use an older bison anymore to compile.

AnAkkk commented on 2014-03-07 10:47

Well, I'm not sure how much work it is. Isn't this package just the same but with missing systemd scripts though? https://aur.archlinux.org/packages/apparmor-essentials/

thestinger commented on 2014-03-07 00:52

@AnAkkk: Are you willing to put in the work to update it?

AnAkkk commented on 2014-03-07 00:46

Any chance this can be updated? The latest version is 2.8.3. Some of the profiles of the current one are outdated, for example this causes ntpd to fail reading some stuff it needs to access.

seletskiy commented on 2014-01-29 12:07

For those who have problems with the newest kernel ("Feature buffer full." error), here is a patch to solve this issue:

--- PKGBUILD 2014-01-29 19:02:57.743319904 +0700
+++ PKGBUILD.new 2014-01-29 18:02:12.945156309 +0700
@@ -39,6 +39,7 @@
msg2 "Building: apparmor-parser"
cd "${srcdir}/${pkgbase}-${pkgver}/parser"
msg2 'Patching: apparmor-parser'
+ sed -e 's/FLAGS_STRING_SIZE 1024/FLAGS_STRING_SIZE 8192/' -i "${srcdir}/${pkgbase}-${pkgver}/parser/parser_main.c"
# Patch (maybe we can avoid patching by ./configuring things better)
patch=Makefile; { rm "$patch"
sed -e 's/pdflatex/true/g' > "$patch" # just workaround until we'll get pdflatex package
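
Review bot: the added sed line on parser/parser_main.c exits successfully even when 'FLAGS_STRING_SIZE 1024' is not found, so if that define ever changes in the source the package would build unpatched and the "Feature buffer full." error would come back with no build-time signal. Follow the sed with a check such as grep -q 'FLAGS_STRING_SIZE 8192' on the same file and abort the build when it fails. The edit would also fit better in a prepare() function than between the msg2 'Patching: apparmor-parser' line and the Makefile workaround in the build steps.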

Lekensteyn commented on 2013-12-03 00:15

@soko1, see previous comments, you need an older bison.

soko1 commented on 2013-12-02 23:04

%name-prefix = "regex_"
^^^^^^^^^^^^^^
g++ -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector --param=ssp-buffer-size=4 -Wall -Wsign-compare -Wmissing-field-initializers -Wformat-security -Wunused-parameter -D_GNU_SOURCE -std=c++0x -D_FORTIFY_SOURCE=2 -c -o parse.o parse.cc
parse.cc: In function 'int regex_parse(Node**, const char*)':
parse.cc:1233:30: error: too few arguments to function 'int regex_lex(YYSTYPE*, const char**)'
yychar = yylex (&yylval);
^
parse.y:39:5: note: declared here
int regex_lex(YYSTYPE *, const char **);
^
<builtin>: recipe for target 'parse.o' failed
make[1]: *** [parse.o] Error 1
make[1]: Leaving directory '/tmp/yaourt-tmp-root/aur-apparmor/src/apparmor-2.8.1/parser/libapparmor_re'
Makefile:240: recipe for target 'libapparmor_re/libapparmor_re.a' failed
make: *** [libapparmor_re/libapparmor_re.a] Error 2
==> ERROR: A failure occurred in build().
Aborting...
==> ERROR: Makepkg was unable to build apparmor.
==> Restart building apparmor ? [y/N]
==> --

Spheerys commented on 2013-09-20 12:47

I have an error during compiling :

==> Lancement de check()...
PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
t/00_load.t ..................... ok
t/10_data.t ..................... ok
t/11_base64_fh.t ................ ok
t/12_nil.t ...................... ok
t/13_no_deep_recursion.t ........ ok
t/14_datetime_iso8601.t ......... skipped: DateTime::Format::ISO8601 not available
t/15_serialize.t ................ 1/20
# Failed test 'Fault-response content is correct'
# at t/15_serialize.t line 99.
# got: '<?xml version="1.0" encoding="us-ascii"?><methodResponse><fault><value><struct><member><name>faultCode</name><value><int>1</int></value></member><member><name>faultString</name><value><string>test</string></value></member></struct></value></fault></methodResponse>'
# expected: '<?xml version="1.0" encoding="us-ascii"?><methodResponse><fault><value><struct><member><name>faultString</name><value><string>test</string></value></member><member><name>faultCode</name><value><int>1</int></value></member></struct></value></fault></methodResponse>'
# Looks like you failed 1 test of 20.
t/15_serialize.t ................ Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/20 subtests
t/20_xml_parser.t ............... ok
t/21_xml_libxml.t ............... ok
t/25_parser_negative.t .......... ok
t/29_parserfactory.t ............ ok
t/30_procedure.t ................ ok
t/35_namespaces.t ............... ok
t/40_server.t ................... ok
t/40_server_xmllibxml.t ......... ok
t/41_server_hang.t .............. ok
t/50_client.t ................... ok
t/51_client_with_host_header.t .. ok
t/60_net_server.t ............... skipped: Net::Server not available
t/70_compression_detect.t ....... ok
t/90_rt50013_parser_bugs.t ...... ok
t/90_rt54183_sigpipe.t .......... ok
t/90_rt54494_blessed_refs.t ..... ok
t/90_rt58065_allow_nil.t ........ ok
t/90_rt58323_push_parser.t ...... ok

Test Summary Report
-------------------
t/15_serialize.t (Wstat: 256 Tests: 20 Failed: 1)
Failed test: 8
Non-zero exit status: 1
Files=25, Tests=958, 43 wallclock secs ( 0.16 usr 0.03 sys + 1.91 cusr 0.22 csys = 2.32 CPU)
Result: FAIL
Failed 1/25 test programs. 1/958 subtests failed.
make: *** [test_dynamic] Erreur 255
==> ERREUR : Une erreur s’est produite dans check().
Abandon...


What's going wrong ?

Lekensteyn commented on 2013-09-08 10:25

@afader You can install any version of bison afterwards, it is only needed during the build process. Personally I have put bison in IgnorePkg.

afader commented on 2013-09-08 10:21

Worked for me with bison 2.7. Would it be OK to upgrade bison again after installing?

Lekensteyn commented on 2013-09-05 07:49

crodjer, try removing your src/ directory (starting over the build) when you experience the bison issue.

crodjer commented on 2013-09-05 06:49

The build fails with this error:

cc -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector --param=ssp-buffer-size=4 -Wall -Wsign-compare -Wmissing-field-initializers -Wformat-security -Wunused-parameter -D_GNU_SOURCE -Wstrict-prototypes -Wnested-externs -DPACKAGE=\"apparmor-parser\" -DLOCALEDIR=\"/usr/share/locale\" -DSUBDOMAIN_CONFDIR=\"/etc/apparmor\" -c -o parser_misc.o parser_misc.c
make[1]: Entering directory `/home/rohan/downloads/packages/apparmor/src/apparmor-2.8.1/parser/libapparmor_re'
g++ -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector --param=ssp-buffer-size=4 -Wall -Wsign-compare -Wmissing-field-initializers -Wformat-security -Wunused-parameter -D_GNU_SOURCE -std=c++0x -D_FORTIFY_SOURCE=2 -c -o parse.o parse.cc
parse.cc: In function ‘int regex_parse(Node**, const char*)’:
parse.cc:1214:30: error: too few arguments to function ‘int regex_lex(YYSTYPE*, const char**)’
yychar = yylex (&yylval);
^
parse.y:39:5: note: declared here
int regex_lex(YYSTYPE *, const char **);
^
make[1]: *** [parse.o] Error 1
make[1]: Leaving directory `/home/rohan/downloads/packages/apparmor/src/apparmor-2.8.1/parser/libapparmor_re'
make: *** [libapparmor_re/libapparmor_re.a] Error 2

As per Lekensteyn's suggestion, I tried downgrading bison to 2.7.1-1, but that too results in the same error.

Lekensteyn commented on 2013-08-10 16:41

I had to install bison 2.7.1-1 as the newer 3.0-1 does not build:
parse.cc: In function ‘int regex_parse(Node**, const char*)’:
parse.cc:1214:30: error: too few arguments to function ‘int regex_lex(YYSTYPE*, const char**)’
yychar = yylex (&yylval);
^
parse.y:39:5: note: declared here
int regex_lex(YYSTYPE *, const char **);
^

seletskiy commented on 2013-07-11 10:54

Sorry, I've accidentally hit "Flag out of date" button. Please, unflag it...

teekay commented on 2013-06-04 08:07

The /bin /sbin /usr/sbin move requires changes to install locations, the load/unload scripts and renaming of all profiles.

The rc file isn't required anymore.

Here is an updated tarball with all changes, including the backup stuff from below: https://kuther.net/~tom/apparmor-2.8.1-2.src.tar.gz

teekay commented on 2013-04-02 11:57

Out of interest, I wanted to do the backup() in my local copy of the PKGBUILD. Obviously pacman doesn't support wildcards in the backup() array.

Looking at "man 5 PKGBUILD", package() is run using "bash -e", so I used a BASH built-in to generate the array "dynamically" like this:

package_apparmor-profiles() {
  pkgdesc='AppArmor sample pre-made profiles'
  arch=('any')

  # Build the backup() array from the shipped profiles, because pacman
  # does not expand wildcards in backup()
  cd "${srcdir}/${pkgbase}-${pkgver}/profiles/apparmor.d"
  declare -a _profiles=($(find . -type f | sed 's@^\./@etc/apparmor.d/@'))

  backup=("${_profiles[@]}")

  cd "${srcdir}/${pkgbase}-${pkgver}/profiles"
  make install DESTDIR="${pkgdir}"
}

Really nasty, but works..

teekay commented on 2013-03-29 21:46

--with-ruby is broken here since ruby 2.0.0, too.

Also, please backup=() /etc/apparmor.d/* as aa-logprof can't handle apparmor.d/local/ includes it seems, so in my case an update would overwrite my trained dovecot profiles. SuSE and Ubuntu don't overwrite those either.

Anonymous comment on 2013-03-18 20:33

Can't compile this

...
Making install in ruby
make[2]: Entering directory `/tmp/yaourt-tmp-weltio/aur-apparmor/src/apparmor-2.8.1/libraries/libapparmor/swig/ruby'
make[3]: Entering directory `/tmp/yaourt-tmp-weltio/aur-apparmor/src/apparmor-2.8.1/libraries/libapparmor/swig/ruby'
make -fMakefile.ruby install
make[4]: Entering directory `/tmp/yaourt-tmp-weltio/aur-apparmor/src/apparmor-2.8.1/libraries/libapparmor/swig/ruby'
make[4]: *** No rule to make target `/tmp/yaourt-tmp-weltio/aur-apparmor/pkg/apparmor-libapparmor/usr/include/ruby-2.0.0/ruby.h', needed by `LibAppArmor_wrap.o'. Stop.
make[4]: Leaving directory `/tmp/yaourt-tmp-weltio/aur-apparmor/src/apparmor-2.8.1/libraries/libapparmor/swig/ruby'
make[3]: *** [install-exec-local] Error 2
make[3]: Leaving directory `/tmp/yaourt-tmp-weltio/aur-apparmor/src/apparmor-2.8.1/libraries/libapparmor/swig/ruby'
make[2]: *** [install-am] Error 2
make[2]: Leaving directory `/tmp/yaourt-tmp-weltio/aur-apparmor/src/apparmor-2.8.1/libraries/libapparmor/swig/ruby'
make[1]: *** [install-recursive] Error 1
make[1]: Leaving directory `/tmp/yaourt-tmp-weltio/aur-apparmor/src/apparmor-2.8.1/libraries/libapparmor/swig'
make: *** [install-recursive] Error 1
==> ERROR: A failure occurred in package_apparmor-libapparmor().
Aborting...
==> ERROR: Makepkg was unable to build apparmor.

Does anybody know how to fix?

3ED_0 commented on 2013-02-11 12:05

patch to 2.8.1-1: http://ix.io/4mm

grawity commented on 2013-02-06 15:47

Small comment on the PKGBUILD:

It's entirely pointless to call `test -n "$BASH_VERSION"`, since makepkg always uses bash, and the pkgbuild already uses bash-specific features (arrays) before calling that test.

if [[ $pkgver =~ ^[0-9]*\.([0-9]*) ]]; then
  bigver=${BASH_REMATCH[1]}
fi

Many pkgbuilds use a simpler method:

pkgver=2.8.0
_pkgver=2.8

graysky commented on 2013-02-05 23:46

What's the status of this project under systemd?

3ED_0 commented on 2012-10-30 09:55

"API is going to change in the future"

That is very good information. This code from novell is that ugly that more can not be (like always)..

Lekensteyn commented on 2012-10-28 10:26

@Harvie what do you mean? My modifications to packaging can be found on: https://github.com/Lekensteyn/aur/tree/master/apparmor
NOTE: those startup scripts from apparmor REQUIRE a patched kernel (which I do run). I am told by apparmor developers that the API is going to change in the future which is the reason why the kernel patches are not merged.

Harvie commented on 2012-10-27 22:27

Lekensteyn: 1up!

Lekensteyn commented on 2012-10-03 21:29

Has anyone already created a systemd unit file for this?

silvik commented on 2012-09-02 22:37

Is this still true: http://c0debreak.blogspot.ro/2012/06/enabling-apparmor-in-arch-linux.html? I hope patching the kernel is not needed anymore...
I only want to restrict the web browser, flash and java with RBAC. Can someone give me some ideas where to start, some up to date guides? Is this doable in arch?

Thanks a lot!

Anonymous comment on 2012-07-16 10:03

WARNING: UNINSTALL AND REINSTALL APPARMOR, OR IT WILL FAIL TO UPGRADE.

- moved things in /lib under /usr/lib, as required by the big /lib move.

big_bum commented on 2012-07-14 09:34

@webstrand, @thestinger told me that "base-devel is an implicit dependency for building package"

webstrand commented on 2012-07-13 19:05

I appear to need the packages bison and flex to successfully build.

Anonymous comment on 2012-07-09 05:32

@david.runge Since building the perl-rpc-xml has foiled even the greatest perl wizards, I suggest that we simply extract a Debian binary package (though Perl is interpreted, not sure what there is to compile).

dvzrv commented on 2012-07-07 10:36

Hmm, perl-rpc-xml is orphaned and un-buildable. Does anyone have the power to fix the PKGBUILD? Otherwise no one will be able to install apparmor anyway.

big_bum commented on 2012-06-24 09:47

Done. It built now.
Thank you!

==> Leaving fakeroot environment.
==> Finished making: apparmor 2.8.0-1 (Sun Jun 24 12:47:20 EEST 2012)

==> Continue installing apparmor ? [Y/n]

Anonymous comment on 2012-06-24 09:21

I believe that is the problem, yes. The Makefile of libapparmor use PREFIX=, and that like the error says is not compatible with INSTALL_BASE. That's an upstream problem really, not a problem with the package itself. Anyway, i pushed in a new PKGBUILD that unset $PERL_MM_OPT before compiling libapparmor and that should allow you (and everyone else that has a custom INSTALL_BASE) to compile.
Could you test it?

big_bum commented on 2012-06-23 14:17

echo $PERL_MM_OPT gives me INSTALL_BASE=/home/cristi/perl5

Is this the problem? I don't know anything about perl. Can you tell me where the correct path to INSTALL_BASE is?

Anonymous comment on 2012-06-23 10:03

I've read of similar problems caused by $PERL_MM_OPT set to "INSTALL_BASE=/something/here" to install perl modules locally.
Could you check that?

big_bum commented on 2012-06-23 08:47

It still doesn't build. I have the same error:

Making all in perl
make[2]: Entering directory `/tmp/yaourt-tmp-cristi/aur-apparmor/src/apparmor-2.8.0/libraries/libapparmor/swig/perl'
/usr/bin/swig -perl -I./../../src -module LibAppArmor -o libapparmor_wrap.c ./../SWIG/libapparmor.i
/usr/bin/perl Makefile.PL PREFIX=/usr MAKEFILE=Makefile.perl
Only one of PREFIX or INSTALL_BASE can be given. Not both.
make[2]: *** [Makefile.perl] Error 2

Any ideas?

EDIT:
I've manually made the Makefile.PL file but now it's giving me this error:

install: target ‘/tmp/yaourt-tmp-cristi/aur-apparmor/pkg/apparmor-libapparmor/usr/lib/perl5/vendor_perl/’ is not a directory: No such file or directory
==> ERROR: A failure occurred in package_apparmor-libapparmor().

big_bum commented on 2012-06-23 08:43

It still doesn't build. I have the same error:

Making all in perl
make[2]: Entering directory `/tmp/yaourt-tmp-cristi/aur-apparmor/src/apparmor-2.8.0/libraries/libapparmor/swig/perl'
/usr/bin/swig -perl -I./../../src -module LibAppArmor -o libapparmor_wrap.c ./../SWIG/libapparmor.i
/usr/bin/perl Makefile.PL PREFIX=/usr MAKEFILE=Makefile.perl
Only one of PREFIX or INSTALL_BASE can be given. Not both.
make[2]: *** [Makefile.perl] Error 2

Any ideas?

Anonymous comment on 2012-06-23 08:15

Updated.
- Added some hacks for new python2 based scripts in utils
- Modified logprof.conf to use syslog-ng default log names, instead of link hack.

big_bum commented on 2012-06-15 09:11

@thestinger

Yes indeed. Somehow it wasn't installed on my system.
Sorry.

But still, I am unable to build:

/usr/bin/perl Makefile.PL PREFIX=/usr MAKEFILE=Makefile.perl
Only one of PREFIX or INSTALL_BASE can be given. Not both.
make[2]: *** [Makefile.perl] Error 2
make[2]: Leaving directory `/tmp/yaourt-tmp-cristi/aur-apparmor/src/apparmor-2.7.2/libraries/libapparmor/swig/perl'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/tmp/yaourt-tmp-cristi/aur-apparmor/src/apparmor-2.7.2/libraries/libapparmor/swig'
make: *** [all-recursive] Error 1
==> ERROR: A failure occurred in build().

big_bum commented on 2012-06-15 09:07

@thestinger

Yes indeed. Somehow it wasn't installed on my system.
Sorry.

thestinger commented on 2012-06-14 20:26

@big_bum: base-devel is an implicit dependency for building packages

big_bum commented on 2012-06-14 17:28

Dependencies are broken. It requires

bison and flex

Harvie commented on 2012-06-02 09:51

It would be nice to also have a systemd service ready for this package, as it will replace SysV init in the future of Arch Linux...

sverdj commented on 2012-06-02 03:37

There are tiny kernel patches shipped in the tarball that you probably want to apply if you care about this functionality.

Anonymous comment on 2012-06-01 18:00

Was a solution ever found for the problem f45 reported? I'm having the same problem and getting the same messages on the queries below. Also, I ran cat /sys/module/apparmor/parameters/enabled and received a Y reply.

Anonymous comment on 2012-03-23 03:25

Apparmor support should be built into the latest stock Arch kernels (what I'm using).

[23:21:17 /]# mount -t securityfs securityfs /sys/kernel/security
mount: securityfs already mounted or /sys/kernel/security busy
mount: according to mtab, securityfs is already mounted on /sys/kernel/security
[23:21:19 /]# modprobe apparmor
[23:21:22 /]# aa-genprof

AppArmor does not appear to be started. Please enable AppArmor and try again.

[23:21:25 /]# aa-status
apparmor module is loaded.
You do not have enough privilege to read the profile set.

I've set up apparmor by putting "apparmor=1 security=apparmor" in the kernel boot line and putting apparmor in the daemons array. Profiles themselves work fine. Just when trying to use genprof I get the above error.

m4xm4n commented on 2012-03-21 05:36

@f45: Are you using a kernel with AppArmor enabled? If not, you'll need to compile your own.

If you are, check and make sure you have a filesystem of type securityfs mounted at /sys/kernel/security.

Try the following line:

# mount -t securityfs securityfs /sys/kernel/security

Also make sure the apparmor module is loading. Usually this is done automatically if you've specified AppArmor as the default security module to load when you compiled the kernel, or you specified it in the kernel cmdline boot options.

Otherwise give this a try:

# modprobe apparmor
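The checks listed in this reply, plus the /sys/module/apparmor/parameters/enabled flag mentioned elsewhere in the thread, can be run in one pass. This is an added example, not part of the original comment or of the AppArmor tools; the `root` parameter and the `build_sample_root` helper are assumptions introduced so the check can run against a constructed directory tree instead of a live system.

```python
import os

SECURITYFS = "/sys/kernel/security"


def _read(path):
    """Return (text, None) on success or (None, exception name) on failure."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read(), None
    except OSError as exc:
        return None, type(exc).__name__


def check_apparmor(root="/"):
    """Run every check and return ordered (check, passed, detail) tuples."""
    def at(path):
        return os.path.join(root, path.lstrip("/"))

    results = []

    # 1. Is the module built in / loaded and switched on?
    text, err = _read(at("/sys/module/apparmor/parameters/enabled"))
    results.append(("module enabled", err is None and text.strip() == "Y",
                    err or text.strip()))

    # 2. Is a filesystem of type securityfs mounted at /sys/kernel/security?
    text, err = _read(at("/proc/mounts"))
    rows = [r.split() for r in (text or "").splitlines()]
    mounted = any(len(r) >= 3 and r[1] == SECURITYFS and r[2] == "securityfs"
                  for r in rows)
    results.append(("securityfs mounted", mounted,
                    err or (SECURITYFS if mounted else "no securityfs entry")))

    # 3. Can the loaded profile set be read? Lines look like "/bin/ping (enforce)".
    text, err = _read(at(SECURITYFS + "/apparmor/profiles"))
    if err is None:
        modes = [ln.rsplit(" (", 1)[-1].rstrip(")")
                 for ln in text.splitlines() if ln.strip()]
        detail = "%d profiles, %d enforce" % (len(modes), modes.count("enforce"))
    else:
        detail = err  # FileNotFoundError and PermissionError point at different causes
    results.append(("profile list readable", err is None, detail))
    return results


def build_sample_root(base, mount_securityfs=True):
    """Constructed stand-in for / (sample data, not taken from a real system)."""
    files = {"sys/module/apparmor/parameters/enabled": "Y\n",
             "proc/mounts": "proc /proc proc rw 0 0\n"}
    if mount_securityfs:
        files["proc/mounts"] += "securityfs /sys/kernel/security securityfs rw,relatime 0 0\n"
        files["sys/kernel/security/apparmor/profiles"] = (
            "/bin/ping (enforce)\n/usr/bin/makepkg (complain)\n")
    for rel, content in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return base


if __name__ == "__main__":
    for name, ok, detail in check_apparmor("/"):
        print("%-22s %-4s %s" % (name, "ok" if ok else "FAIL", detail))
```

Run as root on the affected machine; a passing first check with a failing third one narrows the problem to the securityfs interface rather than the module.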

Anonymous comment on 2012-03-14 00:45

Having trouble getting genprof working:

[20:39:30 apparmor.d]$ aa-genprof

AppArmor does not appear to be started. Please enable AppArmor and try again.

[20:39:33 apparmor.d]$ apparmor_status
apparmor module is loaded.
You do not have enough privilege to read the profile set.


Same if run as root or regular user.

m4xm4n commented on 2012-02-17 01:22

I do apologize for the lengthy wait.

I applied most of 3ED_0's changes and updated apparmor to 2.7.2.

m4xm4n commented on 2012-02-10 02:27

I'll update the PKGBUILD tomorrow afternoon/evening. Sit tight.

m4xm4n commented on 2012-01-23 23:02

Thanks, I'll look them over this weekend after finals are over.

3ED_0 commented on 2012-01-23 12:47

I made a few changes:
- Removed packages that are no longer possible to build (no source)
- Added packages eg: apparmor-vim
- Cleaned up PKGBUILD (clearer look and the Archlinux way)
- - eg: build() does the building and package_*() installs the files
- Added info about bootloader kernel line (new apparmor.install)
- New package "apparmor" - is a metapackage for AUR - to simplify checking version or so..


Please consider these changes in a future version..
--------------------------------------------------
PKGBUILD: http://paste.xinu.at/VIp/
apparmor: http://paste.xinu.at/ZsU/
apparmor-utils.install: http://paste.xinu.at/4tE/
apparmor.install: http://paste.xinu.at/CYZ/

kermana commented on 2012-01-19 19:19

Harvie thanks for the tip, worked like a charm. I'm way too lazy for selinux and too paranoid for default DAC :) Apparmor gives the perfect balance. That being said, I am on a fresh install and when I tried aa-status it gave:

bash: /usr/sbin/aa-status: /usr/bin/python: bad interpreter: No such file or directory

I explicitly installed python and it seems to work ok so python package might be needed as a dependency.

Harvie commented on 2012-01-19 18:37

kermana: yeah... it's just trying to build something that is no longer in tarball. problem is that it's trying it only when you have libapparmor already installed, which is why m4xm4n didn't find the bug :-)

you can comment out these lines to make it work:

pacman -Qi apparmor-libapparmor &>/dev/null &&
true && pkgname=(${pkgname[*]} apparmor-profile-editor apparmor-dbus) &&
depends=(${depends[*]} apparmor-libapparmor) &&
msg "Building with libapparmor dependent packages..."

kermana commented on 2012-01-19 15:18

Thnx for the hard work you guys have been putting into this.

Does anyone else have this problem while installing? (on i686)

==> Starting package_apparmor-profile-editor()...
/tmp/yaourt-tmp-kermana/aur-apparmor/./PKGBUILD: line 103: cd: /tmp/yaourt-tmp-kermana/aur-apparmor/src/apparmor-2.7.0/deprecated/management/profile-editor: No such file or directory
==> ERROR: A failure occurred in package_apparmor-profile-editor().
Aborting...
==> ERROR: Makepkg was unable to build apparmor.

m4xm4n commented on 2012-01-19 00:52

Package updated with the new rc.d script by Harvie.

Harvie commented on 2012-01-18 13:07

I've just made a profile for makepkg that will protect you if you are building lots of untrusted packages from AUR without reading the PKGBUILD carefully:
https://github.com/Harvie/AppArmor-Profiles/blob/master/usr.bin.makepkg

Harvie commented on 2012-01-18 12:06

https://github.com/Harvie/AppArmor-Profiles

Harvie commented on 2012-01-18 11:51

I have tuned a few profiles (pidgin, firefox, epiphany, opera, chromium, netsurf and more...), so i will share them later in git repository on github...

Harvie commented on 2012-01-18 06:25

m4xm4n: i've made the rc.d script and it works well! https://raw.github.com/Harvie/ArchLinux-Packages/master/apparmor/apparmor.rc
please include it to /etc/rc.d/apparmor

Here is a demo: i've made an apparmor profile for /bin/ping that disables the net_raw capability:


[root@insomnia ~]# ping google.com -c 1
PING google.com (173.194.70.147) 56(84) bytes of data.
64 bytes from fa-in-f147.1e100.net (173.194.70.147): icmp_req=1 ttl=49 time=38.4 ms

--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 38.481/38.481/38.481/0.000 ms

[root@insomnia ~]# rc.d start apparmor
:: Enabling AppArmor profiles [DONE]

[root@insomnia ~]# ping google.com -c 1
ping: icmp open socket: Operation not permitted

[root@insomnia ~]# rc.d stop apparmor
:: Disabling AppArmor profiles [DONE]

[root@insomnia ~]# ping google.com -c 1
PING google.com (173.194.70.104) 56(84) bytes of data.
64 bytes from fa-in-f104.1e100.net (173.194.70.104): icmp_req=1 ttl=49 time=18.8 ms

--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 18.849/18.849/18.849/0.000 ms

m4xm4n commented on 2012-01-18 05:56

I'll look into it in about a week and half when all this finals nonsense is over.

Harvie commented on 2012-01-18 05:29

Oh we just need to add rc.d script...

Harvie commented on 2012-01-18 05:26

Awesome! I've got this working... Now i am going to try to boot in enforced mode :-)

m4xm4n commented on 2012-01-18 03:13

I think I fixed it. It's compiling, packaging, and installing fine using yaourt on x86-64 Arch.

Harvie commented on 2012-01-18 02:41

m4xm4n: Awesome, if i will get AppArmor working, i will surely send you some policies for my favourite packages... Anyway... in the past i had problems with matching userspace utils version to latest archlinux kernel which prevented me from doing so... I hope this will get better as AppArmor API will get more stable.

BTW i can't compile this package (on latest i686 arch). says something about missing file/directory in $srcdir... :-(

m4xm4n commented on 2012-01-17 19:20

Harvie: I plan on adding more rules for AppArmor until I'm satisfied that there are sufficient policies for the average desktop user. AppArmor is an integral part of my project to provide a comprehensive security package for Arch, so I will continue to improve on it until I am satisfied.

Harvie commented on 2012-01-17 08:48

m4xm4n: THX for adopting and updating the package :-) I really wish that there will be lot of people willing to submit apparmor rules for their favourite packages and enough will to get this at least into [community] repo... BTW you can enable notifications, so you will receive comments done to packages you own by email...

m4xm4n commented on 2012-01-17 00:04

AppArmor updated to 2.7.0. Enjoy folks.


If anything is broken, shoot me an email (it's in the PKGBUILD).

Anonymous comment on 2012-01-14 15:53

Impossible to install, it shows error.

The part of error is:

/50_client.t (Wstat: 512 Tests: 0 Failed: 0)
Non-zero exit status: 2
Parse errors: No plan found in TAP output
t/51_client_with_host_header.t (Wstat: 512 Tests: 0 Failed: 0)
Non-zero exit status: 2
Parse errors: No plan found in TAP output
t/70_compression_detect.t (Wstat: 512 Tests: 4 Failed: 2)
Failed tests: 1-2
Non-zero exit status: 2
t/90_rt54183_sigpipe.t (Wstat: 512 Tests: 0 Failed: 0)
Non-zero exit status: 2
Parse errors: No plan found in TAP output
Files=25, Tests=648, 1 wallclock secs ( 0.16 usr 0.03 sys + 1.04 cusr 0.12 csys = 1.35 CPU)
Result: FAIL
Failed 7/25 test programs. 4/648 subtests failed.
make: *** [test_dynamic] Error 255
==> ERROR: Se produjo un error en check().
Cancelando...
==> ERROR: Makepkg was unable to build perl-rpc-xml

sverdj commented on 2011-12-18 01:44

AppArmor 2.7 seems to be available on launchpad. Still working nicely with 3.1.5. The compat kernel patches are included in the tarball if you want/need them.

sverdj commented on 2011-11-17 11:01

oneeyed: Better just get rid of the static linkage, seems pretty stupid.
passing AARE_LDFLAGS="$LDFLAGS -lstdc++" AAREOBJECTS="libapparmor_re/libapparmor_re.a" to make during the parser build ought to fix that.

oneeyed commented on 2011-11-08 08:59

apparmor does not support parallel build: MAKEFLAGS="-j5" fails on my 4 cores machine because ranlib has not been run before the static library is used in link.

Could you please either have it fixed upstream or, if you can't, add "options=(!makeflags)" to the PKGBUILD?

Anonymous comment on 2011-09-16 02:41

waseem: perl-rpc-xml is in the AUR. If you are using makepkg, you should install perl-rpc-xml first.

Anonymous comment on 2011-08-28 14:26

pacman can not resolve perl-rpc-xml. Says target not found.

0xfc commented on 2011-08-17 07:56

Added apparmor-pam and rc.d script (not fully functional; more tests needed).
Adding the securityfs mount to /etc/fstab is no longer needed (it will be mounted when you start the apparmor rc.d script), and an existing mount on /sys/kernel/security will prevent apparmor from starting. Please unmount /sys/kernel/security before executing "/etc/rc.d/apparmor start".

0xfc commented on 2011-08-17 03:24

added missing dependency perl-rpc-xml.

Anonymous comment on 2011-08-17 00:20

Building apparmor-utils fails because the perl-rpc-xml dependency is not detected

0xfc commented on 2011-08-16 13:08

updated version to 2.6.1.

0xfc commented on 2011-08-16 13:05

Harvie commented on 2011-08-13 21:49

Disowned. I hope someone will be able to take care of this and get it to community (along with some tested and debugged presets for popular packages).

sverdj commented on 2011-08-13 15:08

AppArmor works fine here even on kernel 3.0.1, the "old compat patchset" still applies just fine. Make sure you don't install outdated user space though, given that this package is out of date..

Anonymous comment on 2011-07-01 12:32

Was pretty easy to set up, some user space tools are not working properly but the most important indeed do. Applied the compatibility patchset to 2.6.39 from http://www.kernel.org/pub/linux/security/apparmor/AppArmor-2.6/ and bumped the PKGVER to 2.6.1. Successfully using it to confine the browser stack in enforce mode (ff + plugins, dbus, gconf) on a separate user. Set up the profiles by hand using the existing ones as guidance - it's basically just mindless trial and error.

Harvie commented on 2011-05-16 07:32

soo lazy morning ;) any patches? :)

Harvie commented on 2011-03-26 20:59

pejuko: true, that's why it's in depends=() of apparmor-utils...

Anonymous comment on 2011-03-26 11:33

building apparmor-utils (2.6.0) fails without perl-rpc-xml

t-8ch commented on 2011-03-21 10:10

harvie: now it works without rpm, i'm quite sure it got some rpm archive error last time

t-8ch commented on 2011-03-21 09:57

harvie: now it works without rpm, i'm quite sure it got some rpm archive error last time

Harvie commented on 2011-03-20 02:06

t-8ch: i don't have rpm...

t-8ch commented on 2011-03-19 22:32

build fails without rpm

Harvie commented on 2011-03-12 02:47

WOW. I've got this actually working:

I've disabled ping to use raw network access (i've commented few lines in /etc/apparmor.d/bin.ping):
[root@insomnia ~]# apparmor_parser -r /etc/apparmor.d/bin.ping
Cache read/write disabled: /sys/kernel/security/apparmor/features interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning from /etc/apparmor.d/bin.ping (/etc/apparmor.d/bin.ping line 28): profile /bin/ping network rules not enforced
[root@insomnia ~]# ping harvie.cz
ping: icmp open socket: Operation not permitted


messages:
Mar 12 03:41:34 insomnia kernel: type=1400 audit(1299897694.671:11): apparmor="STATUS" operation="profile_replace" name="/bin/ping" pid=17131 comm="apparmor_parser"
Mar 12 03:41:38 insomnia kernel: type=1400 audit(1299897698.841:12): apparmor="DENIED" operation="capable" parent=14726 profile="/bin/ping" pid=17142 comm="ping" capability=13 capname="net_raw"


I will update package as soon as possible
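The kernel audit lines quoted in the comment above can be triaged mechanically. This is an added example, not part of the original comment or of the AppArmor project's code: a Python parser that splits such lines into fields and tallies DENIED events. The first two sample lines are copied from the comment, the other two are constructed, and the example goes beyond the comment by decoding the hex form the audit subsystem uses for unquoted strings such as paths containing spaces.

```python
import re
from collections import Counter

# The two kernel lines quoted in the comment above, copied verbatim.
PAGE_LINES = [
    'Mar 12 03:41:34 insomnia kernel: type=1400 audit(1299897694.671:11): apparmor="STATUS" operation="profile_replace" name="/bin/ping" pid=17131 comm="apparmor_parser"',
    'Mar 12 03:41:38 insomnia kernel: type=1400 audit(1299897698.841:12): apparmor="DENIED" operation="capable" parent=14726 profile="/bin/ping" pid=17142 comm="ping" capability=13 capname="net_raw"',
]
# Constructed lines (not from the page): a denied open of a path containing a
# space, logged unquoted and hex-encoded, and an unrelated kernel message.
CONSTRUCTED_LINES = [
    'Mar 12 03:42:01 insomnia kernel: type=1400 audit(1299897721.102:13): apparmor="DENIED" operation="open" profile="/bin/ping" name=2F746D702F6120622E747874 pid=17150 comm="ping" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'Mar 12 03:42:02 insomnia kernel: usb 1-1: new high-speed USB device number 2',
]

AUDIT_RE = re.compile(
    r'type=(?P<type>\d+) audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')
INT_FIELDS = {"pid", "parent", "capability", "fsuid", "ouid"}
STRING_FIELDS = {"name", "profile", "comm"}  # hex-encoded when logged unquoted


def parse_apparmor_event(line):
    """Return a dict of fields for an AppArmor audit line, or None otherwise."""
    m = AUDIT_RE.search(line)
    if m is None:
        return None
    event = {"type": int(m["type"]), "epoch": float(m["epoch"]),
             "serial": int(m["serial"])}
    for key, quoted, bare in FIELD_RE.findall(m["body"]):
        if key in INT_FIELDS and bare.isdigit():
            event[key] = int(bare)
        elif key in STRING_FIELDS and bare and HEX_RE.fullmatch(bare):
            event[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            event[key] = bare or quoted
    # Other audit records share the same envelope; keep only AppArmor ones.
    return event if "apparmor" in event else None


def summarize_denials(lines):
    """Count DENIED events per (profile, operation, denied capability or path)."""
    counts = Counter()
    for line in lines:
        ev = parse_apparmor_event(line)
        if ev and ev["apparmor"] == "DENIED":
            target = ev.get("capname") or ev.get("name") or "?"
            counts[(ev.get("profile", "?"), ev.get("operation", "?"), target)] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize_denials(PAGE_LINES + CONSTRUCTED_LINES).items():
        print(n, *key)
```

A denial tally like this shows which rule a profile is missing, or confirms that a restriction such as the net_raw one above is being enforced.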

Harvie commented on 2011-02-03 22:27

johnthekipper: plz be so kind and prepend all commands with LANG=C or use export LANG=C before pasting error messages. i can translate it using google translate, but if someone in "worldwide linux community" will have same problem as you he will be probably able to google your post only if it's in english. thx.

But well... build failed for me too... i'll take a look at it...

johnthekipper commented on 2011-02-02 20:13

g++ -O2 -pipe -Wall -Wstrict-prototypes -Wsign-compare -Wmissing-field-initializers -Wnested-externs -Wformat-security -Wunused-parameter -D_GNU_SOURCE -DPACKAGE=\"apparmor-parser\" -DLOCALEDIR=\"/usr/share/locale\" -DSUBDOMAIN_CONFDIR=\"/etc/apparmor\" -o apparmor_parser parser_lex.o parser_yacc.o parser_main.o parser_interface.o parser_include.o parser_merge.o parser_symtab.o parser_misc.o parser_regex.o parser_variable.o parser_policy.o parser_alias.o pcre/pcre.o \
libapparmor_re/libapparmor_re.a -static-libgcc -L.
/usr/lib/perl5/core_perl/pod2man apparmor.d.pod --release=NOVELL/SUSE --center=AppArmor --section=5 > apparmor.d.5
/bin/sh: /usr/lib/perl5/core_perl/pod2man: Datei oder Verzeichnis nicht gefunden
make: *** [apparmor.d.5] Fehler 127

Harvie commented on 2010-11-05 01:48

BTW please add your experiences to http://wiki.archlinux.org/index.php/AppArmor
It's more valuable to have docs in wiki than some discussions in forums... THX

Harvie commented on 2010-11-05 01:48

jelly: well not really. we can start "implementing AppArmor on ArchLinux" :-)

At least we need following things before we can say that we have AppArmor on ArchLinux:
- init (rc.d) scripts! http://aur.pastebin.com/beQ4BjGX
- chase missing dependencies
- make list of files that should go to backup=() arrays in packages...
- changehat modules for PAM(!), Apache and Tomcat (btw those are dependent on libapparmor)
- out-of-box-experience know-how (make some package with profiles for all [core] packages enabled by default without need for any configuration, etc...)
- test everything
And we can also look at
- apparmor gnome applet (can't build, deprecated...)

jelly commented on 2010-11-04 23:46

nice work, now we just need rc.d script and we can use apparmor!

Harvie commented on 2010-11-04 22:34

There was a question about how i have managed to get split-pkg to AUR. Hackity-hack: http://aur.archlinux.org/packages.php?ID=42514 :-)

graysky commented on 2010-11-04 21:07

How did you get the split package to upload to AUR?

Harvie commented on 2010-11-03 18:57

Added first split-package release. There is still BIG mess in dependencies and i don't even know how to solve makedependencies between sub-packages...

Harvie commented on 2010-10-31 15:51

BTW please add your experiences to http://wiki.archlinux.org/index.php/AppArmor
It's more valuable to have docs in wiki than some discussions in forums... THX

Harvie commented on 2010-10-31 15:51

wonder: thx. i didn't know that. i just supposed that everyone who wants to build something already has those tools installed, but we should rather add them to makedepends. but well if it's in the wiki they will be removed in next PKGBUILD release.

wonder commented on 2010-10-31 13:24

@Harvie don't add makedepends just because some users are unable to read a wiki.

gcc, make, bison, flex or whatever are in base-devel and is the first step in the wiki.

Anonymous comment on 2010-10-31 03:07

Please add bison to dependencies.

Harvie commented on 2010-10-30 13:45

BTW please add your experiences to http://wiki.archlinux.org/index.php/AppArmor
It's more valuable to have docs in wiki than some discussions in forums... THX

Harvie commented on 2010-10-30 13:41

jelly: i've fixed it, but following files will be included in package only if you have apparmor already installed: will fix it later...

34a35,37
> pkg/usr/bin
> pkg/usr/bin/apparmor-dbus
> pkg/usr/bin/profileeditor
305a309,311
> pkg/usr/share/doc
> pkg/usr/share/doc/profileeditor
> pkg/usr/share/doc/profileeditor/AppArmorProfileEditor.htb

Harvie commented on 2010-10-30 13:06

jelly: aalogparse/aalogparse.h
seems to me that it's some kind of recursive dependency: you have to install apparmor package to build apparmor package :-)
this happened as i had old build already installed while building the package :-) i hate that because cool way to fix this are split-packages which are not supported by AUR (i can't even upload them)...

I just think that wiki is more valuable for future users than forums. (BTW I've been working until 5am :-)

jelly commented on 2010-10-30 12:45

I can't build the package here.
aadbus.c:14:35: fatal error: aalogparse/aalogparse.h: No such file or directory

jelly commented on 2010-10-30 10:47

Hey Harvie, i wasn't really complaining :P , maybe it was because i was busy getting AppArmor to work until 3 am :)

Great effort so far when i can get it working, i will add docs and look into the rc.d script ;)

Anonymous comment on 2010-10-30 08:16

If gathering minds together on the forum to try and get apparmor to work counts as complaining, then I am truly sorry :)

Thanks for your work on the apparmor package and wiki :)

Harvie commented on 2010-10-30 03:02

BTW please add your experiences to http://wiki.archlinux.org/index.php/AppArmor
Instead of chatting (and complaining) about AppArmor in forums, we need some documentation... THX

Harvie commented on 2010-10-30 03:02

Someone could try to make rc.d script working flawlessly on ArchLinux, here's draft: http://aur.pastebin.com/beQ4BjGX

Harvie commented on 2010-10-30 01:56

BTW please add your experiences to http://wiki.archlinux.org/index.php/AppArmor
Instead of chatting (and complaining) about AppArmor in forums, we need some documentation... THX

Harvie commented on 2010-10-30 01:53

flamelab: it's strange, but try reinstalling ruby on 64b. maybe they forgot to increase package release number.
i wasn't able to build it on x86_64 with ruby until i reinstalled it with
pacman -S ruby
maybe there's some other package providing ruby (but incorrectly)

Harvie commented on 2010-10-30 01:47

flamelab: i'm working on it... in meantime you can try adding swig to makedepends...

Harvie commented on 2010-10-30 01:33

BTW please add your experiences to http://wiki.archlinux.org/index.php/AppArmor
Instead of chatting (and complaining) about AppArmor in forums, we need some documentation... THX

Harvie commented on 2010-10-30 01:33

Added lot of features:
apparmor-parser libapparmor apparmor-utils apparmor-profiles
apparmor-notify apparmor-lib apparmor-perl apparmor-python apparmor-ruby apparmor-dbus apparmor-profile-editor

But we still miss following features:
- init (rc.d) scripts!
- changehat modules for PAM(!), Apache and Tomcat (btw those are dependent on libapparmor)
- out-of-box-experience know-how
- Split-package (AUR does not support this...)
- apparmor gnome applet (can't build, deprecated)


==== When compared to Ubuntu ====

we have almost everything that is in following Ubuntu packages:
apparmor apparmor-profiles apparmor-utils apparmor-notify apparmor-docs
libapparmor1 libapparmor-dev libapparmor-perl

We don't have
- /etc/init.d/apparmor
- packages: libapache2-mod-apparmor libpam-apparmor

Harvie commented on 2010-10-30 01:32

BTW please add your experiences to http://wiki.archlinux.org/index.php/AppArmor
Instead of chatting (and complaining) about AppArmor in forums, we need some documentation... THX

Harvie commented on 2010-10-30 01:28

Aaargh! Can't delete previous comments :-(
BTW see http://wiki.archlinux.org/index.php/AppArmor

Harvie commented on 2010-10-30 01:21

Added lot of features:
apparmor-parser libapparmor apparmor-utils apparmor-profiles
apparmor-notify apparmor-lib apparmor-perl apparmor-python apparmor-ruby apparmor-dbus apparmor-profile-editor

But we still miss following features:
- init (rc.d) scripts!
- changehat modules for PAM(!), Apache and Tomcat (btw those are dependent on libapparmor)
- out-of-box-experience know-how
- apparmor gnome applet (can't build, deprecated)


==== When compared to Ubuntu ====

we have almost everything that is in following Ubuntu packages:
apparmor apparmor-profiles apparmor-utils apparmor-notify apparmor-docs
libapparmor1 libapparmor-dev libapparmor-perl

We don't have
- /etc/init.d/apparmor
- packages: libapache2-mod-apparmor libpam-apparmor

Harvie commented on 2010-10-30 01:19

Added lot of features:
apparmor-parser libapparmor apparmor-utils apparmor-profiles
apparmor-notify apparmor-lib apparmor-perl apparmor-python apparmor-ruby apparmor-dbus apparmor-profile-editor

But we still miss following features:
- init (rc.d) scripts!
- out-of-box-experience know-how
- apparmor gnome applet (can't build, deprecated)


==== When compared to Ubuntu ====

we have almost everything that is in following Ubuntu packages:
apparmor apparmor-profiles apparmor-utils apparmor-notify apparmor-docs
libapparmor1 libapparmor-dev libapparmor-perl

We don't have
- /etc/init.d/apparmor
- packages: libapache2-mod-apparmor libpam-apparmor

flamelab commented on 2010-10-30 00:40

There are a lot of errors during the package building, it searches for rpm (wtf?) and more. Did anybody else have problems building it (x86_64) ?

Harvie commented on 2010-10-30 00:20

jelly: internal dependencies have been fixed... Well we should put this in split-package, but AUR does not support it right now :(
i'll take a look at the external dependencies...

jelly commented on 2010-10-29 22:51

it looks like LibAppArmor.pm is built from this package, so we need to fix something here

jelly commented on 2010-10-29 22:24

this package also needs:
Can't locate LibAppArmor.pm in @INC (@INC contains: /usr/lib/perl5/site_perl /usr/share/perl5/site_perl /usr/lib/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib/perl5/core_perl /usr/share/perl5/core_perl /usr/lib/perl5/site_perl/5.10.1 /usr/share/perl5/site_perl/5.10.1 /usr/lib/perl5/current /usr/lib/perl5/site_perl/current .) at /usr/lib/perl5/vendor_perl/Immunix/SubDomain.pm line 43.

So a package with libapparmor bindings to perl ;)

jelly commented on 2010-10-29 22:19

There are some missing dependencies:

perl-locale-gettext
perl-term-readkey
perl-rpc-xml

jelly commented on 2010-10-29 22:13

https://bbs.archlinux.org/viewtopic.php?pid=846722#p846722

here is a topic about AppArmor ;)

Harvie commented on 2010-10-29 21:13

dyscoria: Patches are welcome. There are sh*tloads of things to do before AppArmor will be ready to deploy on ArchLinux :-)

Anonymous comment on 2010-10-29 21:03

https://bbs.archlinux.org/viewtopic.php?pid=846692#p846692

Harvie commented on 2010-10-28 15:23

Version 2.5.1-1 has been tested to build on x86_64 and on kernel without apparmor module.

Harvie commented on 2010-10-28 14:56

See https://wiki.archlinux.org/index.php/AppArmor for more information