[pkg-apparmor] Bug#867692: apparmor-profiles-extra: Totem can't open any video

Elia Argentieri deb at elinvention.ovh
Sat Jul 8 12:29:42 UTC 2017 

Package: apparmor-profiles-extra
Version: 1.12
Severity: important

This is what I get with `sudo tail /var/log/audit/audit.log -f | grep DENIED`
when I open any video:

type=AVC msg=audit(1499516756.417:5744): apparmor="DENIED" operation="open"
profile="/usr/bin/totem" name="/home/elia/.cache/mesa/index" pid=4881
comm="totem" requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000
type=AVC msg=audit(1499516756.529:5745): apparmor="DENIED" operation="open"
profile="/usr/bin/totem"
name="/var/lib/flatpak/exports/share/icons/hicolor/index.theme" pid=4881
comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1499516756.529:5746): apparmor="DENIED" operation="open"
profile="/usr/bin/totem"
name="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" pid=4881
comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1499516756.529:5747): apparmor="DENIED" operation="open"
profile="/usr/bin/totem"
name="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" pid=4881
comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1499516756.533:5748): apparmor="DENIED" operation="open"
profile="/usr/bin/totem"
name="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" pid=4881
comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1499516756.533:5749): apparmor="DENIED" operation="open"
profile="/usr/bin/totem"
name="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" pid=4881
comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1499516756.533:5750): apparmor="DENIED" operation="open"
profile="/usr/bin/totem"
name="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" pid=4881
comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1499516756.533:5751): apparmor="DENIED" operation="open"
profile="/usr/bin/totem"
name="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" pid=4881
comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1499516756.533:5752): apparmor="DENIED" operation="open"
profile="/usr/bin/totem"
name="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" pid=4881
comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1499516756.537:5753): apparmor="DENIED" operation="open"
profile="/usr/bin/totem"
name="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" pid=4881
comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1499516756.537:5754): apparmor="DENIED" operation="open"
profile="/usr/bin/totem"
name="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" pid=4881
comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1499516756.537:5755): apparmor="DENIED" operation="open"
profile="/usr/bin/totem"
name="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache" pid=4881
comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1499516756.677:5756): apparmor="DENIED" operation="open"
profile="/usr/bin/totem"
name=2F646174692F566964656F2F54686520496D69746174696F6E2047616D652E6D6B76
pid=4881 comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1499516756.677:5757): apparmor="DENIED" operation="open"
profile="/usr/bin/totem"
name=2F646174692F566964656F2F54686520496D69746174696F6E2047616D652E6D6B76
pid=4881 comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1499516756.677:5758): apparmor="DENIED" operation="open"
profile="/usr/bin/totem"
name=2F646174692F566964656F2F54686520496D69746174696F6E2047616D652E6D6B76
pid=4881 comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000


It seems to block mesa cache too. Maybe that should be added to an abstraction.



-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (800, 'testing'), (600, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.11.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apparmor-profiles-extra depends on:
ii  apparmor  2.11.0-6

apparmor-profiles-extra recommends no packages.

apparmor-profiles-extra suggests no packages.

-- no debconf information

More information about the pkg-apparmor-team mailing list