ReleaseNotes 2 9 4

From AppArmor
Jump to: navigation, search

AppArmor 2.9.4 Release Notes

AppArmor 2.9.3 is an incremental bug fix release over AppArmor 2.9.2 that is focused on fixing issues in the userspace code.

It includes the changes in the 2.9 branch between r3005 (AppArmor 2.9.3) and r3043.


  • accept hostname with dots when parsing syslog lp#1453300
  • force libtoolize to replace existing files


  • aa-genprof: ask about profiles in extra dir (again)
  • honor 'chown' file events in
  • fix aa-logprof "add hat" endless looping lp#1538306
  • ignore exec events for non-existing profiles lp#1379874
  • ignore file events with a request mask of 'send' or 'receive' (which are actually network events) lp#1577051 lp#1582374
  • handle ldd $? == 1 in get_reqs() (instead of crashing)
  • aa-unconfined: fix netstat usage to include IPv6



  • update php abstraction for PHP7, and rename it (abstractions/php5 -> abstractions/php, abstractions/php5 still available as compability wrapper)
  • abstractions/dbus-session-strict: allow access to the user bus socket
  • abstractions/gnome: add versioned gtk paths References: deb#845005
  • abstractions/X: allow reading /tmp/.X11-unix/* lp#1589823
  • abstractions/X: yet another location for Xauthority (/{,var/}run/user/*/X11/Xauthority) deb#845250

Samba profiles:

  • abstractions/samba: Allow /var/cache/samba/lck/*
  • allow mr for /usr/lib*/ldb/*.so in samba abstractions boo#990006
  • winbindd: allow dac_override (needed to delete kerberos ccache files) boo#990006#c5
  • add several /var/cache/samba/ permissions to nmbd profile and abstractions/samba

Dovecot profiles:

  • dovecot: allow capability sys_resource
  • dovecot/auth: allow to read /run/dovecot/stats-user deb#835826
  • dovecot/auth: allow access to /run/dovecot/anvil-auth-penalty and /var/spool/postfix/private/auth lp#1652131
  • dovecot/config: allow to read /usr/share/dovecot/** deb#835826
  • dovecot/imap: allow to ix doveconf, read /etc/dovecot/ and /usr/share/dovecot/** deb#835826
  • dovecot/lmtp: allow reading ~/.dovecot.svbin deb#835826
  • dovecot/log: add attach_disconnected flag lp#1652131

other profile changes:

  • allow inet6 in ping profile boo#980596
  • traceroute: allow both paths (to match the alternation in the profile name)
  • syslog-ng profile: allow writing *.qf files
  • update mlmmj profiles boo#1000201
  • ntpd: allow "network unspec dgram," lp#1546455 boo#1009964
  • nscd profile: allow reading libvirt/dnsmasq/*.status boo#1014463


  • apparmor.d.pod: Document empty quotes ("") as empty value of a variable
  • add a note about still enforcing deny rules to aa-complain manpage deb#826218#37