Open panlinux opened 1 month ago
Seeing this in PopOS I think because they changed the source of the symlink:
❯ ll /etc/os-release
lrwxrwxrwx 1 root root 17 Jul 27 2023 /etc/os-release -> pop-os/os-release
@robotparty I'm not sure what's the support status of Pro on PopOS, but I suppose you can work around this issue by creating/editing /etc/apparmor.d/local/ubuntu_pro_esm_cache with:
/etc/pop-os/os-release r,
and then reloading the profile:
sudo apparmor_parser -r -W -T /etc/apparmor.d/ubuntu_pro_esm_cache
In that way, you won't be changing the profile shipped with the package, and won't get dpkg conf prompts when upstream changes it again.
Does that work?
@panlinux adding /etc/pop-os/os-release r, to /etc/apparmor.d/local/ubuntu_pro_esm_cache did work for me on PopOS 22.04. It required a system reboot, but it worked. Thanks!
Hopefully, it resolves @robotparty's issue.
Description of the bug
On systems where /etc/os-release is an actual file instead of a symlink to /usr/lib/os-release, the apparmor profile ubuntu_pro_esm_cache will block access to it. The existing profile only allows access to /usr/lib/os-release (via globbing rules written in other profiles that are being included).
Since the target of the symlink is what matters, if /etc/os-release is a symlink to /usr/lib/os-release (normal/common in ubuntu systems), the existing rules allow that access. But if /etc/os-release is an actual file, there is no rule in ubuntu_pro_esm_cache allowing it to be read, and the esm-cache.service fails to start.
The esm-service.cache status will show this error:
And here is the corresponding apparmor log:
Expected behavior
It's not clear under which circumstances /etc/os-release might be a file instead of a symlink, but nevertheless reading it should be allowed by the apparmor profile.
Current behavior
The esm-cache service fails to read /etc/os-release, and fails to run/start.
To Reproduce
And:
System information:
Additional context
Launchpad bug: https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2065573
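The workaround in the thread follows from the point in the bug description that AppArmor matches the resolved target of /etc/os-release, not the symlink itself. As an added example (not code from this issue or from ubuntu-advantage-tools), the script below resolves that target and adds the matching read rule to a local override file exactly once. The function names and the `ALLOWED_TARGET` variable are hypothetical; the check compares only against /usr/lib/os-release, the path the description says is already allowed, and assumes GNU `readlink -f`.

```shell
#!/bin/sh
# Added example; needed_rule, ensure_rule and ALLOWED_TARGET are hypothetical names.

# Path the bug description says the shipped profile already allows
# (through rules in the profiles it includes).
ALLOWED_TARGET="${ALLOWED_TARGET:-/usr/lib/os-release}"

# Print the AppArmor rule needed to read os-release path $1, or print nothing
# when its resolved target is already allowed. The rule must name the resolved
# path, so symlinks are followed first (GNU coreutils `readlink -f`).
needed_rule() {
    resolved=$(readlink -f -- "$1") || return 1
    [ "$resolved" = "$ALLOWED_TARGET" ] && return 0
    printf '%s r,\n' "$resolved"
}

# Append the rule for os-release path $1 to local override file $2.
# Returns 0 if the file was changed, 1 if no change was needed,
# 2 if the path could not be resolved.
ensure_rule() {
    rule=$(needed_rule "$1") || return 2
    [ -n "$rule" ] || return 1
    # Exact whole-line match keeps repeated runs from duplicating the rule.
    grep -qxF -- "$rule" "$2" 2>/dev/null && return 1
    printf '%s\n' "$rule" >> "$2"
}

# Read-only report for this machine; nothing is written here.
if [ -e /etc/os-release ]; then needed_rule /etc/os-release || true; fi
```

To apply it, run `ensure_rule /etc/os-release /etc/apparmor.d/local/ubuntu_pro_esm_cache` as root and then reload the profile with the `apparmor_parser` command given in the thread.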