[pkg-apparmor] Bug#821881: apparmor-profiles: sshd unable to read blacklists from openssh-blacklist* packages

Vincas Dargis vindrg at gmail.com
Wed Apr 20 07:18:17 UTC 2016


Package: apparmor-profiles
Version: 2.7.103-4
Severity: normal
Tags: upstream

Dear Maintainer,

In Wheezy I've enabled complain mode for usr.sbin.sshd (from the apparmor-profiles
extras directory) and noticed these lines:

Apr 20 08:52:43 vdebian2 kernel: [30870.004961] audit: type=1400 audit(1461131563.110:76): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sshd" name="/usr/share/ssh/blacklist.RSA-2048" pid=27843 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Apr 20 08:52:43 vdebian2 kernel: [30870.005132] audit: type=1400 audit(1461131563.110:77): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sshd" name="/usr/share/ssh/blacklist.DSA-1024" pid=27843 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Looks like it would be useful to add a rule to allow reading
/usr/share/ssh/blacklist* files:

$ apt-file search ssh/blacklist
openssh-blacklist: /usr/share/ssh/blacklist.DSA-1024
openssh-blacklist: /usr/share/ssh/blacklist.RSA-2048
openssh-blacklist-extra: /usr/share/ssh/blacklist.DSA-2048
openssh-blacklist-extra: /usr/share/ssh/blacklist.RSA-1024
openssh-blacklist-extra: /usr/share/ssh/blacklist.RSA-4096

I do not see this rule in HEAD: https://alioth.debian.org/scm/loggerhead/collab-maint/apparmor/view/head:/profiles/apparmor/profiles/extras/usr.sbin.sshd so I
assume it's still relevant for the latest releases.



-- System Information:
Debian Release: 7.10
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apparmor-profiles depends on:
ii  apparmor  2.7.103-4

apparmor-profiles recommends no packages.

apparmor-profiles suggests no packages.

-- no debconf information
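As an added example (not part of the original report or of the apparmor-profiles package), a small Python script that turns complain-mode audit lines like the ones quoted above into the AppArmor file rules they call for, and checks that an admin-chosen glob such as /usr/share/ssh/blacklist* covers every observed path. The sample log is constructed from the two lines in the report plus one unrelated kernel line to show filtering.

```python
import re
import fnmatch
from collections import defaultdict

# Constructed sample: the two complain-mode ("ALLOWED") audit lines from the
# report, plus one non-AppArmor kernel line that the parser must skip.
SAMPLE_LOG = """\
Apr 20 08:52:43 vdebian2 kernel: [30870.004961] audit: type=1400 audit(1461131563.110:76): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sshd" name="/usr/share/ssh/blacklist.RSA-2048" pid=27843 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 20 08:52:43 vdebian2 kernel: [30870.005132] audit: type=1400 audit(1461131563.110:77): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sshd" name="/usr/share/ssh/blacklist.DSA-1024" pid=27843 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 20 08:52:44 vdebian2 kernel: [30870.100000] usb 1-1: new high-speed USB device (constructed filler line)
"""

# Fields of a type=1400 AppArmor file-access record that matter for a rule.
AUDIT_RE = re.compile(
    r'apparmor="(?P<status>ALLOWED|DENIED)"\s+operation="(?P<op>[^"]+)"\s+'
    r'profile="(?P<profile>[^"]+)"\s+name="(?P<name>[^"]+)".*?'
    r'requested_mask="(?P<mask>[^"]+)"'
)


def parse_audit_lines(text):
    """Return (status, profile, path, requested_mask) for each AppArmor file event.

    In complain mode the kernel logs ALLOWED with denied_mask == requested_mask,
    so requested_mask is the permission the profile is currently missing.
    """
    events = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if m:
            events.append((m["status"], m["profile"], m["name"], m["mask"]))
    return events


def suggest_rules(events, globs=()):
    """Collapse events into one AppArmor file rule per (profile, path-or-glob).

    Paths matched by an admin-supplied glob are reported under that glob with the
    union of their masks, so a single rule like "/usr/share/ssh/blacklist* r,"
    replaces one rule per file. Mask characters are sorted only for determinism.
    """
    masks = defaultdict(set)
    for _status, profile, path, mask in events:
        target = next((g for g in globs if fnmatch.fnmatch(path, g)), path)
        masks[(profile, target)].update(mask)
    rules = defaultdict(list)
    for (profile, target), chars in sorted(masks.items()):
        rules[profile].append(f"{target} {''.join(sorted(chars))},")
    return dict(rules)


if __name__ == "__main__":
    evs = parse_audit_lines(SAMPLE_LOG)
    for profile, lines in suggest_rules(evs, globs=["/usr/share/ssh/blacklist*"]).items():
        print(profile, lines)
```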