[pkg-apparmor] Bug#900329: apparmor: denials for apt-cacher-ng
intrigeri
intrigeri at debian.org
Tue May 29 08:26:02 BST 2018
Control: reassign -1 apparmor-profiles-extra
Control: found -1 1.19
Control: tag -1 + moreinfo
Ritesh Raj Sarraf:
> [ 5093.351969] audit: type=1400 audit(1527574882.949:79): apparmor="DENIED"
> operation="open" profile="/usr/sbin/apt-cacher-ng" name="/var/cache/apt/archives/"
> pid=17428 comm="apt-cacher-ng" requested_mask="r" denied_mask="r" fsuid=128 ouid=0
> [ 5207.599652] audit: type=1400 audit(1527574997.198:80): apparmor="DENIED"
> operation="open" profile="/usr/sbin/apt-cacher-ng" name="/var/cache/apt/archives/"
> pid=17428 comm="apt-cacher-ng" requested_mask="r" denied_mask="r" fsuid=128 ouid=0
Thanks for this report!
> I noticed these denial messages in my system logs. The
> apparmor-profiles-extra package includes a profile for `apt-cacher-ng`.
… so reassigning to that package.
> The only additional change I have is about cache imports, which stays
> in "_import", which is again a symlink to the apt cache directory:
I think this local change of yours (to the apt-cacher-ng
configuration) requires a local change to the AppArmor profile:
there's no way the profile can support out-of-the-box all such local
customization while providing meaningful confinement of the service.
So I suggest you add to /etc/apparmor.d/local/usr.sbin.apt-cacher-ng
the following lines:
  /var/cache/apt/archives/ r,
  /var/cache/apt/archives/** r,
… and then reload the profile:
  sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.apt-cacher-ng
Please let us know if that's enough to fix the problem for you.
Cheers,
--
intrigeri
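
The following is an added example, not part of the original message or of any Debian package: it parses kernel AppArmor denial lines such as the two quoted in the report and groups them into candidate rule lines to review before adding them to a profile's local/ include. The function names are hypothetical, and the sample input is the report's two denials joined onto one line each plus one constructed unrelated line.

```python
import re
from collections import Counter

# The two denials quoted in the report, each joined back onto one line,
# plus one constructed non-AppArmor line to show that it is skipped.
SAMPLE_LOG = (
    '[ 5093.351969] audit: type=1400 audit(1527574882.949:79): apparmor="DENIED" '
    'operation="open" profile="/usr/sbin/apt-cacher-ng" name="/var/cache/apt/archives/" '
    'pid=17428 comm="apt-cacher-ng" requested_mask="r" denied_mask="r" fsuid=128 ouid=0\n'
    '[ 5207.599652] audit: type=1400 audit(1527574997.198:80): apparmor="DENIED" '
    'operation="open" profile="/usr/sbin/apt-cacher-ng" name="/var/cache/apt/archives/" '
    'pid=17428 comm="apt-cacher-ng" requested_mask="r" denied_mask="r" fsuid=128 ouid=0\n'
    '[ 5300.000000] usb 1-1: new high-speed USB device (constructed line)\n'
)

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, raw, quoted in FIELD.findall(line):
        if raw.startswith('"'):
            fields[key] = quoted
        elif key == 'name' and HEX.fullmatch(raw):
            # An unquoted name was hex-encoded by the audit layer
            # (paths containing spaces or other special characters).
            fields[key] = bytes.fromhex(raw).decode('utf-8', 'replace')
        else:
            fields[key] = raw
    return fields

def summarize(log_text):
    """Count denials per (profile, path, denied_mask)."""
    counts = Counter()
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d and 'name' in d and 'denied_mask' in d:
            counts[(d.get('profile', '?'), d['name'], d['denied_mask'])] += 1
    return counts

def candidate_rules(counts, profile):
    """Rule lines for one profile, to be reviewed by a human before use."""
    return sorted({f'{name} {mask},' for (p, name, mask) in counts if p == profile})

if __name__ == '__main__':
    for rule in candidate_rules(summarize(SAMPLE_LOG), '/usr/sbin/apt-cacher-ng'):
        print(rule)
```

The output covers only the exact paths that were denied; whether a broader pattern such as the `**` rule above is appropriate remains a judgment about how much of the tree the service should read.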