[Pkg-kde-extras] Bug#946931: Bug#946931: Bug#946931: quassel-core: apparmor denials
Scott Kitterman
debian at kitterman.com
Sat Jan 11 19:45:32 GMT 2020
On Saturday, January 11, 2020 9:59:53 AM EST Felix Geyer wrote:
> On 11.01.20 02:58, Scott Kitterman wrote:
> > I gave this a try and I still get apparmor denials:
> >
> > Jan 10 20:54:13 relay02 kernel: [ 1372.562938] audit: type=1400
> > audit(1578707653.245:28): apparmor="DENIED" operation="open"
> > profile="/usr/bin/ quasselcore" name="/proc/sys/kernel/random/boot_id"
> > pid=1588
> > comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=116 ouid=0
> >
> > Jan 10 20:54:13 relay02 kernel: [ 1372.562955] audit: type=1400
> > audit(1578707653.245:29): apparmor="DENIED" operation="open"
> > profile="/usr/bin/ quasselcore" name="/var/lib/dbus/machine-id" pid=1588
> > comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=116 ouid=0
> >
> > Jan 10 20:54:13 relay02 kernel: [ 1372.576629] audit: type=1400
> > audit(1578707653.257:30): apparmor="DENIED" operation="link"
> > profile="/usr/bin/ quasselcore" name="/var/lib/quassel/quasselcore.conf"
> > pid=1588
> > comm="quasselcore" requested_mask="l" denied_mask="l" fsuid=116 ouid=116
> > target="/var/lib/quassel/#523668"
> >
> > Suggestions?
>
> Are you sure you have reloaded the AppArmor profile (apparmor_parser -r
> /etc/apparmor.d/usr.bin.quasselcore)?
> Maybe restart quasselcore if that still does not work.
>
> I can't see how these denials can happen with the updated profile.

That did it. I'd neglected to tell apparmor to load the updated profile.

> On 11.01.20 14:49, Thomas Schneider wrote:
> > I agree on the change '/var/lib/quassel/** rwkl' (although AA convention
> > seems to be 'rwkl', but that’s just cosmetic), but I would suggest
> > adding '#include <abstractions/dbus-session-strict>' instead of
> > specifying the IDs manually.
>
> quasselcore doesn't use dbus. Qt just happens to read the dbus
> machine-id file. The intent for the dbus-session-strict abstraction is
> "allow access to the dbus session bus" so that's not appropriate for
> quasselcore.
>
> > Said 'abstractions/dbus-session-strict' does not allow access to
> > '@{PROC}/sys/kernel/random/boot_id', but I didn’t get any audit messages
> > about that after including the abstraction. I haven’t looked any
> > further into it, but maybe it isn’t needed?
>
> These files are only read when quasselcore updates its config which likely
> doesn't happen very often.
>
> Cheers,
> Felix

Thanks. Now that I've successfully tested it, I'll upload.

Scott K
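
The check discussed in this thread, as an added example that is not part of the original message or the quassel package: it parses AppArmor denial lines and reports which ones a given set of path rules would still leave denied. The sample log is constructed from the three denials quoted above, the rule list is an assumption pieced together from the discussion, and the glob matching is a simplification of AppArmor's. It only evaluates rule text; the kernel enforces whatever profile was last loaded with `apparmor_parser -r`.

```python
import re

# Constructed sample: the three denials quoted in the thread, each joined onto
# one line with the syslog prefix and audit(...) id dropped.
SAMPLE_LOG = """\
type=1400 apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/proc/sys/kernel/random/boot_id" pid=1588 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=116 ouid=0
type=1400 apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/var/lib/dbus/machine-id" pid=1588 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=116 ouid=0
type=1400 apparmor="DENIED" operation="link" profile="/usr/bin/quasselcore" name="/var/lib/quassel/quasselcore.conf" pid=1588 comm="quasselcore" requested_mask="l" denied_mask="l" fsuid=116 ouid=116 target="/var/lib/quassel/#523668"
"""

# Assumed rule set pieced together from the thread, not the packaged profile.
CANDIDATE_RULES = [
    ("/var/lib/quassel/**", "rwkl"),
    ("/var/lib/dbus/machine-id", "r"),
    ("@{PROC}/sys/kernel/random/boot_id", "r"),
]

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
GLOB = {"**": ".*", "*": "[^/]*", "?": "[^/]"}   # simplified AppArmor globbing
AUDIT_TO_RULE = {"c": "w", "d": "w"}             # create/delete need 'w' in a rule

def parse_denials(log):
    """Return the key=value fields of every apparmor="DENIED" line as dicts."""
    events = []
    for line in log.splitlines():
        fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED" and "name" in fields:
            events.append(fields)
    return events

def rule_regex(glob):
    """Compile a path rule to a regex; @{PROC} is expanded to /proc."""
    parts = re.split(r"(\*\*|\*|\?)", glob.replace("@{PROC}", "/proc"))
    return re.compile("".join(GLOB.get(p, re.escape(p)) for p in parts) + r"\Z")

def uncovered(denials, rules):
    """List (path, mask) for denials that no rule in `rules` would allow."""
    compiled = [(rule_regex(g), set(perms)) for g, perms in rules]
    missing = []
    for d in denials:
        need = {AUDIT_TO_RULE.get(c, c) for c in d["denied_mask"]}
        if not any(rx.match(d["name"]) and need <= perms for rx, perms in compiled):
            missing.append((d["name"], d["denied_mask"]))
    return missing

if __name__ == "__main__":
    for path, mask in uncovered(parse_denials(SAMPLE_LOG), CANDIDATE_RULES[:1]):
        print(f"still denied: {path} ({mask})")
```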