[pkg-apparmor] Bug#802791: apparmor-profiles-extra: AppArmor profile prevents pidgin from starting

intrigeri intrigeri at debian.org
Thu Nov 19 10:57:43 UTC 2015


Control: clone -1 -2
Control: retitle -2 AppArmor profile prevents pidgin from starting when using pidgin-sipe
Control: reopen -2
Control: notfixed -2 apparmor-profiles-extra/1.6
Control: notfixed -2 1.6
Control: tag -2 + moreinfo
Control: tag -2 - patch
Control: tag -2 - confirmed

Hi Guido,

Guido Günther wrote (31 Oct 2015 13:59:50 GMT) :
> if using pidgin-sipe the above is not sufficient since we have these
> denials:

I'm sorry we've not replied to this so far. I'm forking the original
bug (that's now been closed) that applied to all Pidgin use cases,
into a new one dedicated to the problem you're experiencing.

>  audit: type=1400 audit(1446299435.901:78): apparmor="DENIED" operation="open"
> profile="/usr/bin/pidgin" name="/dev/tty" pid=5958 comm="pidgin" requested_mask="rw"
> denied_mask="rw" fsuid=1000 ouid=0
>  audit: type=1400 audit(1446299435.901:79): apparmor="DENIED" operation="open"
> profile="/usr/bin/pidgin" name="/dev/pts/3" pid=5958 comm="pidgin"
> requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=1000

These ones are often not blockers, I've seen cases when we can simply
add "deny" rules for them. So let's first:

>  audit: type=1400 audit(1446299435.905:80): apparmor="DENIED" operation="open"
> profile="/usr/bin/pidgin" name="/etc/default/pidgin-sipe" pid=5958 comm="pidgin"
> requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Please try adding this to /etc/apparmor.d/local/usr.bin.pidgin :

  /etc/default/pidgin* r,

and then "sudo apparmor_parser -r /etc/apparmor.d/usr.bin.pidgin"
and retry.

If Pidgin still fails to start, add

  #include <abstractions/consoles>

etc.

>  audit: type=1400 audit(1446299435.905:81): apparmor="DENIED" operation="exec"
> profile="/usr/bin/pidgin" name="/usr/bin/pidgin.orig" pid=5962 comm="pidgin"
> requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
>  audit: type=1400 audit(1446299435.905:82): apparmor="DENIED" operation="open"

This doesn't make much sense to me. If this pidgin.orig is a local
thing, can you reproduce without it?

Cheers,
--
intrigeri
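
The triage described in the message above (console denials that are often harmless, a file read that needs a rule in the local override, an exec denial to investigate), as an added example that is not part of the original e-mail or of the AppArmor project. The function names are hypothetical, the sample log is the quoted denials re-joined onto single lines, and candidate rules are emitted with exact paths, so widening one to a glob such as the one suggested above remains a manual decision.

```python
import re

# Denial records quoted in the message above, re-joined onto single lines.
SAMPLE_LOG = """\
audit: type=1400 audit(1446299435.901:78): apparmor="DENIED" operation="open" profile="/usr/bin/pidgin" name="/dev/tty" pid=5958 comm="pidgin" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
audit: type=1400 audit(1446299435.901:79): apparmor="DENIED" operation="open" profile="/usr/bin/pidgin" name="/dev/pts/3" pid=5958 comm="pidgin" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=1000
audit: type=1400 audit(1446299435.905:80): apparmor="DENIED" operation="open" profile="/usr/bin/pidgin" name="/etc/default/pidgin-sipe" pid=5958 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1446299435.905:81): apparmor="DENIED" operation="exec" profile="/usr/bin/pidgin" name="/usr/bin/pidgin.orig" pid=5962 comm="pidgin" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
audit: type=1400 audit(1446299435.905:82): apparmor="DENIED" operation="open"
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
CONSOLE = re.compile(r"^/dev/(tty|pts/\d+)$")      # terminal devices seen in the log
REQUIRED = ("profile", "name", "denied_mask")

def parse_denials(log):
    """Return one dict per complete AppArmor DENIED record; truncated records are skipped."""
    out = []
    for line in log.splitlines():
        rec = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
        if rec.get("apparmor") == "DENIED" and all(k in rec for k in REQUIRED):
            out.append(rec)
    return out

def local_override_path(profile):
    """Map a path-named profile to its local include, e.g. /usr/bin/pidgin -> local/usr.bin.pidgin."""
    return "/etc/apparmor.d/local/" + profile.strip("/").replace("/", ".")

def triage(log):
    """Sort denials into console noise, candidate file rules, and exec denials for manual review."""
    result = {"console": [], "file_rules": [], "manual_exec": []}
    for rec in parse_denials(log):
        name, mask = rec["name"], rec["denied_mask"]
        if "x" in mask:
            # An exec rule needs a transition mode (ix, Px, ...): a policy decision, not guessed here.
            result["manual_exec"].append(name)
        elif CONSOLE.match(name):
            result["console"].append(name)
        else:
            result["file_rules"].append(f"  {name} {mask},")
    return result

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("# candidates for", local_override_path("/usr/bin/pidgin"))
    print("\n".join(report["file_rules"]))
    print("# console denials (deny rule or abstractions/consoles):", report["console"])
    print("# exec denials to investigate:", report["manual_exec"])
```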


