ReleaseNotes 2 10 2

From AppArmor
Jump to: navigation, search

AppArmor 2.10.1 Release Notes

AppArmor 2.10.2 is an incremental bug fix release over AppArmor 2.10.1 that is focused on fixing issues in the userspace code.

This release includes the 2.10 branch changes between r3326 (= 2.10.1) and r3378.


  • accept hostname with dots when parsing syslog lp#1453300
  • force libtoolize to replace existing files
  • python bindings: use to import from (fixes import failure with swig > 3.0.8) boo#987607


  • aa-genprof: ask about profiles in extra dir (again)
  • improve file vs. network event recognition lp#1466812 lp#1509030 lp#1540562 lp#1577051 lp#1582374 lp#1613061
  • load variables in ask_the_questions()
  • honor 'chown' file events in
  • delete_duplicates(): make sure all superfluous rules get deleted
  • fix aa-logprof "add hat" endless looping lp#1538306
  • ignore exec events for non-existing profiles lp#1379874
  • handle ldd $? == 1 in get_reqs() (instead of crashing)
  • aa-unconfined: fix netstat usage to include IPv6



  • add abstractions/wayland and include it in abstractions/gnome deb#827335 lp#1507469
  • update php abstraction for PHP7, and rename it (abstractions/php5 -> abstractions/php, abstractions/php5 still available as compability wrapper)
  • abstractions/base: add
  • abstractions/dbus-session-strict: allow access to the user bus socket
  • abstractions/gnome: add versioned gtk paths References: deb#845005
  • abstractions/nameservice: also support ConnMan-managed resolv.conf
  • abstractions/X: allow reading /tmp/.X11-unix/* lp#1589823
  • abstractions/X: yet another location for Xauthority (/{,var/}run/user/*/X11/Xauthority) deb#845250

Samba profiles:

  • abstractions/samba: Allow /var/cache/samba/lck/*
  • allow mr for /usr/lib*/ldb/*.so in samba abstractions boo#990006
  • winbindd: allow dac_override (needed to delete kerberos ccache files) boo#990006#c5
  • add several /var/cache/samba/ permissions to nmbd profile and abstractions/samba

Dovecot profiles:

  • dovecot: allow capability sys_resource
  • dovecot/auth: allow to read /run/dovecot/stats-user deb#835826
  • dovecot/auth: allow access to /run/dovecot/anvil-auth-penalty and /var/spool/postfix/private/auth lp#1652131
  • dovecot/config: allow to read /usr/share/dovecot/** deb#835826
  • dovecot/imap: allow to ix doveconf, read /etc/dovecot/ and /usr/share/dovecot/** deb#835826
  • dovecot/lmtp: allow reading ~/.dovecot.svbin deb#835826
  • dovecot/log: add attach_disconnected flag lp#1652131

other profile changes:

  • allow inet6 in ping profile boo#980596
  • traceroute: allow both paths (to match the alternation in the profile name)
  • syslog-ng profile: allow writing *.qf files
  • update mlmmj profiles boo#1000201
  • ntpd: allow "network unspec dgram," lp#1546455 boo#1009964
  • nscd profile: allow reading libvirt/dnsmasq/*.status boo#1014463


  • apparmor.d.pod: Document empty quotes ("") as empty value of a variable
  • add a note about still enforcing deny rules to aa-complain manpage deb#826218#37
  • fix 'alias' rule description in apparmor.d manpage