[pkg-apparmor] Bug#882597: libreoffice: Failed to start when apparmor is running because of user rights
intrigeri
intrigeri at debian.org
Tue Nov 28 10:19:05 UTC 2017
Hi,

(context for pkg-apparmor folks: the last upload of libreoffice to
sid disabled the AppArmor profile by default due to #882597)

Rene Engelhard:
> On Fri, Nov 24, 2017 at 02:33:20PM +0100, Michael Ott wrote:
>> start libreoffice with
>> soffice -env:UserInstallation=file:///srv/home/michael/tmp/
>> does not work. Home folder is srv/home/michael
> Sigh. Feared something like this.
> So you try to access stuff outside the LO profile?

My understanding is that Michael tries to access stuff inside his user
LO profile path, *but* that profile is stored in a custom location
which is not supported by the AppArmor profile. When such issues
arise, the general thought process in distros that use AppArmor is:

   Is it common to use such a custom location?

   → In this case, I don't know. I assume Rene will know better :)

   How technical are the users likely to do such customization?

   → It seems to me that such customization requires reading
     the --help output and then typing special commands in a terminal,
     which counts as "rather technical".

   Then, depending on the answer to the two above questions, either
   have the AppArmor policy allow such customization by default (if
   possible while keeping the confinement meaningful), or disable the
   AppArmor profile by default, or keep the AppArmor profile enforced
   by default and assume the people suffering from its limitations will
   be able to work around it (either by disabling the AppArmor profile
   or by adjusting it locally).

   → In this case, I would argue that we're talking about a corner
     case, that only rather advanced users will hit, and I find it sad
     that everyone else can't benefit from AppArmor security benefits
     due to that, so I'm leaning towards:

     1. keep the AppArmor profile enforced by default, so the vast
        majority of users benefit from it;
     2. ensure the AppArmor profile supports customization and
        affected users can learn how to tweak it; in this case,
        I think adding in README.Debian "add your custom
        env:UserInstallation to @{libo_user_dirs}" would be sufficient.

What do you think? If you agree with my reasoning, then I could
provide a patch to implement the proposed change in README.Debian.

>> 3. Switch off apparmor with service apparmor teardown
Michael, you don't have to entirely disable AppArmor on your system :)
You can disable a specific AppArmor profile with the aa-disable command.
> Unfortunately there seems to be no way to install a profile but keep it
> "unconfined", only to just disable it.
Actually there is.
If the AppArmor profile is shipped in the upstream tarball, at package
build time, you can either use aa-complain or manually patch the
profile, for example:

  https://anonscm.debian.org/cgit/collab-maint/apparmor-profiles-extra.git/tree/debian/rules#n20

Otherwise, if the AppArmor profile lives in the debian/ directory,
you can directly edit it so it looks like this:

  /usr/bin/irssi flags=(complain) {

Cheers,
--
intrigeri
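
Added example (not part of the original message, and not code from the LibreOffice profile or the Debian package): a Python check of whether a -env:UserInstallation URI falls under a directory listed in @{libo_user_dirs}, following the README.Debian suggestion discussed above. The profile text is a constructed sample; treating each variable value as a directory whose subtree is allowed is an assumption about how the profile uses the variable, and only the `*` glob is handled.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed sample: these variable values are assumptions for illustration,
# not copied from the shipped LibreOffice profile or Debian's tunables.
SAMPLE_PROFILE = """\
@{HOMEDIRS} = /home/
@{HOME} = @{HOMEDIRS}*/ /root/
@{libo_user_dirs} = @{HOME} /mnt /media
"""

VAR_DEF = re.compile(r"^\s*(@\{\w+\})\s*(\+?=)\s*(.+?)\s*$")
VAR_REF = re.compile(r"@\{\w+\}")

def parse_variables(text):
    """Collect '@{name} = a b' definitions and '@{name} += c' extensions."""
    variables = {}
    for line in text.splitlines():
        m = VAR_DEF.match(line.split("#", 1)[0])  # drop comments
        if m:
            name, op, values = m.groups()
            if op == "=":
                variables[name] = values.split()
            else:
                variables.setdefault(name, []).extend(values.split())
    return variables

def expand(value, variables):
    """Expand nested @{var} references into every concrete alternative."""
    m = VAR_REF.search(value)
    if not m:
        return [value]
    return [alt
            for repl in variables.get(m.group(0), [])
            for alt in expand(value[:m.start()] + repl + value[m.end():], variables)]

def dir_regex(pattern):
    """Match the directory itself or anything below it; '*' never crosses '/'."""
    parts = re.split(r"(\*)", pattern.rstrip("/"))
    body = "".join("[^/]*" if p == "*" else re.escape(p) for p in parts)
    return re.compile(body + r"(/.*)?$")

def is_covered(user_installation, profile_text):
    """True if the file:// URI lies under a directory in @{libo_user_dirs}."""
    path = unquote(urlparse(user_installation).path)
    dirs = expand("@{libo_user_dirs}", parse_variables(profile_text))
    return any(dir_regex(d).match(path) for d in dirs)
```

With the sample profile, file:///srv/home/michael/tmp/ is not covered; appending the line `@{libo_user_dirs} += /srv/home/michael/tmp/` to the profile text makes the same check succeed.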