[pkg-apparmor] Bug#857732: Bug#857732: apparmor-profiles: symlink to .icedove profile ?
Seth Arnold
seth.arnold at canonical.com
Tue Mar 14 19:13:04 UTC 2017
On Tue, Mar 14, 2017 at 11:33:51PM +1100, Fulano Diego Perez wrote:
> are symlinks a problem ?
> i tried adding /local additions unsuccessfully
>
> lrwxrwxrwx 1 user user 73 Mar 5 14:32 .icedove -> /media/.../icedove
>
> AVC apparmor="DENIED" operation="open" profile="icedove"
> name="/media/user/.../.icedove/profiles.ini" pid=2742 comm="icedove"
> requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

Yes, the kernel resolves symlinks before querying security modules for
permission. There are two potential solutions here:

- Modifying an /etc/apparmor.d/local/ file that is #included in the main
  profile to add the new file paths
- Using /etc/apparmor.d/tunables/alias to create an alias. (This should
  not be undertaken lightly; too-extensive use of alias rules can create
  situations that are difficult to debug. If this is really just for
  icedove's ~/.icedove directory, it's probably fine.)

> AVC apparmor="DENIED" operation="open" profile="icedove"
> name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=2745
> comm="icedove" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>

Interesting; what video card do you have?

Thanks
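
The two options in the reply above, as an added example that is not part of the original message or of AppArmor's own tooling: it parses a denial in the quoted format and renders a candidate rule for the local include file, and renders an alias line from a symlink's resolved target. The function names and the `EXAMPLE` path are assumptions, since the message elides the real path.

```python
import os
import re

# Constructed sample in the format of the denial quoted above; the path is a
# placeholder because the original message elides the real one.
SAMPLE = ('AVC apparmor="DENIED" operation="open" profile="icedove" '
          'name="/media/user/EXAMPLE/.icedove/profiles.ini" pid=2742 '
          'comm="icedove" requested_mask="r" denied_mask="r" '
          'fsuid=1000 ouid=1000')

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key=value fields of one AppArmor denial as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def local_rule(event):
    """Render a file rule for the denied (already resolved) path, for review."""
    if event.get("apparmor") != "DENIED" or not {"name", "denied_mask"} <= set(event):
        raise ValueError("not a file denial")
    # 'owner' limits the rule to files owned by the accessing user (fsuid == ouid).
    owner = "owner " if event.get("fsuid") == event.get("ouid") else ""
    return f'{owner}"{event["name"]}" {event["denied_mask"]},'


def alias_rule(link):
    """Render an alias from a symlink's location to the path it resolves to."""
    # realpath() mirrors the resolution that happens before AppArmor is consulted.
    if not os.path.islink(link):
        raise ValueError(f"{link} is not a symlink")
    return f"alias {link}/ -> {os.path.realpath(link)}/,"


if __name__ == "__main__":
    print(local_rule(parse_denial(SAMPLE)))
```

The rule goes in the local include file and the alias line in /etc/apparmor.d/tunables/alias; either way the profile has to be reloaded before the change takes effect.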