[pkg-apparmor] Bug#802791: apparmor-profiles-extra: AppArmor profile prevents pidgin from starting

Guido Günther agx at sigxcpu.org
Thu Nov 19 13:29:13 UTC 2015


Hi,
On Thu, Nov 19, 2015 at 11:57:43AM +0100, intrigeri wrote:
> Control: clone -1 -2
> Control: retitle -2 AppArmor profile prevents pidgin from starting when using pidgin-sipe
> Control: reopen -2
> Control: notfixed -2 apparmor-profiles-extra/1.6
> Control: notfixed -2 1.6
> Control: tag -2 + moreinfo
> Control: tag -2 - patch
> Control: tag -2 - confirmed
> 
> Hi Guido,
> 
> Guido Günther wrote (31 Oct 2015 13:59:50 GMT) :
> > if using pidgin-sipe the above is not sufficient since we have these
> > denials:
> 
> I'm sorry we've not replied to this so far. I'm forking the original
> bug (that's now been closed) that applied to all Pidgin use cases,
> into a new one dedicated to the problem you're experiencing.
> 
> >  audit: type=1400 audit(1446299435.901:78): apparmor="DENIED" operation="open"
> > profile="/usr/bin/pidgin" name="/dev/tty" pid=5958 comm="pidgin" requested_mask="rw"
> > denied_mask="rw" fsuid=1000 ouid=0
> >  audit: type=1400 audit(1446299435.901:79): apparmor="DENIED" operation="open"
> > profile="/usr/bin/pidgin" name="/dev/pts/3" pid=5958 comm="pidgin"
> > requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=1000
> 
> These ones are often not blockers, I've seen cases when we can simply
> add "deny" rules for them. So let's first:
> 
> >  audit: type=1400 audit(1446299435.905:80): apparmor="DENIED" operation="open"
> > profile="/usr/bin/pidgin" name="/etc/default/pidgin-sipe" pid=5958 comm="pidgin"
> > requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
> 
> Please try adding this to /etc/apparmor.d/local/usr.bin.pidgin :
> 
>   /etc/default/pidgin* r,
> 
> and then "sudo apparmor_parser -r /etc/apparmor.d/usr.bin.pidgin"
> and retry.
> 
> If Pidgin still fails to start, add
> 
>   #include <abstractions/consoles>
> 
> etc.
> 
> >  audit: type=1400 audit(1446299435.905:81): apparmor="DENIED" operation="exec"
> > profile="/usr/bin/pidgin" name="/usr/bin/pidgin.orig" pid=5962 comm="pidgin"
> > requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> >  audit: type=1400 audit(1446299435.905:82): apparmor="DENIED" operation="open"
> 
> This doesn't make much sense to me. If this pidgin.orig is a local
> thing, can you reproduce without it?

No local things:

$ dpkg -S  /usr/bin/pidgin.orig 
diversion by pidgin-sipe from: /usr/bin/pidgin
diversion by pidgin-sipe to: /usr/bin/pidgin.orig

It's a shell wrapper:

----
#!/bin/bash

CONF=/etc/default/pidgin-sipe

if [[ -r $CONF ]]
then
        . $CONF 
fi

/usr/bin/pidgin.orig $*
----                        

I will check the rest of your suggestions soonish.

Cheers,
 -- Guido
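As an added example (not part of the original message, and not code from the AppArmor or pidgin-sipe packages): a Python script that parses the `apparmor="DENIED"` records quoted above and groups them per path into lines to review before editing /etc/apparmor.d/local/usr.bin.pidgin. The function names and the mapping from log mask letters to rule permissions are choices made for this example.

```python
import re
from collections import defaultdict

# The denial records quoted in the message above, re-joined one per line
# (the last one is cut off in the quote and is kept that way).
SAMPLE = """\
audit: type=1400 audit(1446299435.901:78): apparmor="DENIED" operation="open" profile="/usr/bin/pidgin" name="/dev/tty" pid=5958 comm="pidgin" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
audit: type=1400 audit(1446299435.901:79): apparmor="DENIED" operation="open" profile="/usr/bin/pidgin" name="/dev/pts/3" pid=5958 comm="pidgin" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=1000
audit: type=1400 audit(1446299435.905:80): apparmor="DENIED" operation="open" profile="/usr/bin/pidgin" name="/etc/default/pidgin-sipe" pid=5958 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1446299435.905:81): apparmor="DENIED" operation="exec" profile="/usr/bin/pidgin" name="/usr/bin/pidgin.orig" pid=5962 comm="pidgin" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
audit: type=1400 audit(1446299435.905:82): apparmor="DENIED" operation="open"
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumed mapping for this example: log mask letter -> file rule permission
# (create and delete are covered by "w" in rule syntax).
TO_RULE = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w", "k": "k", "l": "l", "m": "m"}

def parse_denials(text):
    """Return one dict per complete apparmor="DENIED" record; skip the rest."""
    records = []
    for line in text.splitlines():
        rec = {}
        for key, quoted, bare in FIELD.findall(line):
            # audit writes names containing spaces or control characters as bare hex
            if key == "name" and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
                bare = bytes.fromhex(bare).decode("utf-8", "replace")
            rec[key] = quoted or bare
        if rec.get("apparmor") == "DENIED" and {"profile", "name", "denied_mask"} <= rec.keys():
            records.append(rec)
    return records

def candidate_rules(records):
    """Merge denials per (profile, path) and return lines for a human to review."""
    masks = defaultdict(set)
    for rec in records:
        masks[(rec["profile"], rec["name"])].update(rec["denied_mask"])
    lines = []
    for (profile, path), mask in sorted(masks.items()):
        shown = f'"{path}"' if " " in path else path  # rule paths with spaces are quoted
        perms = "".join(sorted({TO_RULE[m] for m in mask if m in TO_RULE}, key="rwaklm".index))
        if perms:
            lines.append(f"{shown} {perms},")
        if "x" in mask:  # exec needs a transition mode (ix, Px, Cx, ...): not guessed here
            lines.append(f"# exec of {shown} denied under {profile}: choose a transition mode")
    return lines

if __name__ == "__main__":
    print("\n".join(candidate_rules(parse_denials(SAMPLE))))
```

Each printed line is a candidate only: whether a path gets an allow rule, a deny rule or an abstraction is the choice discussed in the thread.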


