[Pkg-kde-extras] Bug#946931: Bug#946931: Bug#946931: quassel-core: apparmor denials

Felix Geyer fgeyer at debian.org
Sat Jan 11 14:59:53 GMT 2020


On 11.01.20 02:58, Scott Kitterman wrote:
> I gave this a try and I still get apparmor denials:
> 
> Jan 10 20:54:13 relay02 kernel: [ 1372.562938] audit: type=1400
> audit(1578707653.245:28): apparmor="DENIED" operation="open" profile="/usr/bin/
> quasselcore" name="/proc/sys/kernel/random/boot_id" pid=1588
> comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=116 ouid=0
> 
> Jan 10 20:54:13 relay02 kernel: [ 1372.562955] audit: type=1400
> audit(1578707653.245:29): apparmor="DENIED" operation="open" profile="/usr/bin/
> quasselcore" name="/var/lib/dbus/machine-id" pid=1588 comm="quasselcore"
> requested_mask="r" denied_mask="r" fsuid=116 ouid=0
> 
> Jan 10 20:54:13 relay02 kernel: [ 1372.576629] audit: type=1400
> audit(1578707653.257:30): apparmor="DENIED" operation="link" profile="/usr/bin/
> quasselcore" name="/var/lib/quassel/quasselcore.conf" pid=1588
> comm="quasselcore" requested_mask="l" denied_mask="l" fsuid=116 ouid=116
> target="/var/lib/quassel/#523668"
> 
> Suggestions?

Are you sure you have reloaded the AppArmor profile (apparmor_parser -r
/etc/apparmor.d/usr.bin.quasselcore)?
Maybe restart quasselcore if that still does not work.

I can't see how these denials can happen with the updated profile.

On 11.01.20 14:49, Thomas Schneider wrote:
 > I agree on the change '/var/lib/quassel/** rwkl' (although AA convention
 > seems to be 'rwkl', but that’s just cosmetic), but I would suggest
 > adding '#include <abstractions/dbus-session-strict>' instead of
 > specifying the IDs manually.

quasselcore doesn't use dbus. Qt just happens to read the dbus machine-id
file. The intent for the dbus-session-strict abstraction is "allow access to
the dbus session bus" so that's not appropriate for quasselcore.

 > Said 'abstractions/dbus-session-strict' does not allow access to
 > '@{PROC}/sys/kernel/random/boot_id', but I didn’t get any audit messages
 > about that after including the abstraction.  I haven’t looked any
 > further into it, but maybe it isn’t needed?

These files are only read when quasselcore updates its config which likely
doesn't happen very often.

Cheers,
Felix
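
One way to check a set of file rules against the denials quoted in this thread, as an added example that is not part of the original message or the Debian package. The log lines are the three from the thread with mail line wraps rejoined and the syslog prefix dropped; the two read rules for the ID files are assumed rule text, and the glob matching is a simplification of AppArmor's.

```python
import re

# The three denials quoted in the thread (wraps rejoined, syslog prefix dropped).
LOG = '''\
audit: type=1400 audit(1578707653.245:28): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/proc/sys/kernel/random/boot_id" pid=1588 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=116 ouid=0
audit: type=1400 audit(1578707653.245:29): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/var/lib/dbus/machine-id" pid=1588 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=116 ouid=0
audit: type=1400 audit(1578707653.257:30): apparmor="DENIED" operation="link" profile="/usr/bin/quasselcore" name="/var/lib/quassel/quasselcore.conf" pid=1588 comm="quasselcore" requested_mask="l" denied_mask="l" fsuid=116 ouid=116 target="/var/lib/quassel/#523668"
'''

# First rule is the one named in the thread; the other two are assumed rule text.
RULES = [
    ("/var/lib/quassel/**", "rwkl"),
    ("/var/lib/dbus/machine-id", "r"),
    ("@{PROC}/sys/kernel/random/boot_id", "r"),
]

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(text):
    """Return the key=value fields of every apparmor="DENIED" line."""
    out = []
    for line in text.splitlines():
        fields = {k: q or u for k, q, u in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED":
            out.append(fields)
    return out

def glob_to_regex(pattern):
    """Simplified AppArmor glob: ** crosses '/', * does not; @{PROC} taken as /proc."""
    parts = re.split(r"(\*\*|\*)", pattern.replace("@{PROC}", "/proc"))
    rx = "".join(".+" if p == "**" else "[^/]*" if p == "*" else re.escape(p) for p in parts)
    return re.compile(rx + r"\Z")

def uncovered(denials, rules):
    """Denials whose denied_mask no single matching rule grants (link target not checked)."""
    missing = []
    for d in denials:
        need = set(d["denied_mask"])
        if not any(glob_to_regex(p).match(d["name"]) and need <= set(m) for p, m in rules):
            missing.append((d["name"], d["denied_mask"]))
    return missing

if __name__ == "__main__":
    denials = parse_denials(LOG)
    print(uncovered(denials, RULES))      # nothing left uncovered
    print(uncovered(denials, RULES[1:]))  # the link denial reappears
```

If the rules cover every logged denial and the denials still appear, the loaded profile is likely stale, which is what reloading with apparmor_parser -r addresses.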