[pkg-apparmor] Bug#972634: Bug#972634: apparmor- profile can not define message queue name or directory

Christian Boltz apparmor-debian at cboltz.de
Wed Oct 21 17:43:47 BST 2020 

Hello,

Am Mittwoch, 21. Oktober 2020, 16:46:12 CEST schrieb Bossler Daniela:
> We want to open a posix message queue in a user defined function under
> mysqld. Mysqld has a apparmor-profile without any queue access rigths
> (/dev/mqueue). We added /dev/mqueue/** rw  to the profile but mysqld
> can not open any queue with mq_open(). Next we tried to add the queue
> name to the profil (/sp-example-server w,), but the problem/bug? is
> that the profile entries must begin with a "/" and the queue names
> are passed by mq_open to apparmor without the slash. So it's not
> possible to allow access to the posix-queue.
> 
> Is there a workaround?

My crystal ball says that you get a log entry like this:
(irrelevant and unguessable ;-) parts replaced with "...")

type=AVC msg=audit(...): apparmor="DENIED" operation="..." 
info="Failed name lookup - disconnected path" error=-13 profile="..." 
name="sp-example-server" pid=... comm="..." requested_mask="w" 
denied_mask="w" fsuid=... ouid=...

If my guess is right and the message really reports "disconnected path", 
then you'll need to add the   attach_disconnected   flag to the profile, 
something like:

    profile mysql /usr/bin/mysqld flags=(attach_disconnected {


If my guess was wrong, please provide the audit.log messages you see - 
they would help to clean the nebulous areas on my crystal ball ;-)


Regards,

Christian Boltz

PS: non-random signature ;-)
-- 
you could be correct in that bugzilla may not be useful in predicting
either when the bug will be resolved, or the weather next month.
so, maybe subscribe to [opensuse-crystal_ball] is the best bet.
[DenverD in opensuse-factory]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://alioth-lists.debian.net/pipermail/pkg-apparmor-team/attachments/20201021/87c77a13/attachment-0001.sig>

More information about the pkg-apparmor-team mailing list