[pkg-apparmor] Bug#821881: apparmor-profiles: sshd unable to read blacklists from openssh-blacklist* packages
Vincas Dargis
vindrg at gmail.com
Wed Apr 20 07:18:17 UTC 2016
Package: apparmor-profiles
Version: 2.7.103-4
Severity: normal
Tags: upstream
Dear Maintainer,
In Wheezy I've enabled complain mode for usr.sbin.ssh (from apparmor-profiles
extras directory) and noticed these lines:
Apr 20 08:52:43 vdebian2 kernel: [30870.004961] audit: type=1400
audit(1461131563.110:76): apparmor="ALLOWED" operation="open"
profile="/usr/sbin/sshd" name="/usr/share/ssh/blacklist.RSA-2048" pid=27843
comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 20 08:52:43 vdebian2 kernel: [30870.005132] audit: type=1400
audit(1461131563.110:77): apparmor="ALLOWED" operation="open"
profile="/usr/sbin/sshd" name="/usr/share/ssh/blacklist.DSA-1024" pid=27843
comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Looks like it would be usefull to add rule to allow reading
/usr/share/ssh/blacklist* files:
$ apt-file search ssh/blacklist
openssh-blacklist: /usr/share/ssh/blacklist.DSA-1024
openssh-blacklist: /usr/share/ssh/blacklist.RSA-2048
openssh-blacklist-extra: /usr/share/ssh/blacklist.DSA-2048
openssh-blacklist-extra: /usr/share/ssh/blacklist.RSA-1024
openssh-blacklist-extra: /usr/share/ssh/blacklist.RSA-4096
I do not see this rule HEAD: https://alioth.debian.org/scm/loggerhead/collab-
maint/apparmor/view/head:/profiles/apparmor/profiles/extras/usr.sbin.sshd so I
assume it's still relevant for latest releases.
-- System Information:
Debian Release: 7.10
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages apparmor-profiles depends on:
ii apparmor 2.7.103-4
apparmor-profiles recommends no packages.
apparmor-profiles suggests no packages.
-- no debconf information
More information about the pkg-apparmor-team
mailing list