[pkg-apparmor] Bug#989193: breaks apt-cacher-ng by blocking link operation
Eduard Bloch
edi at gmx.de
Fri May 28 06:26:17 BST 2021
Package: apparmor-profiles-extra
Version: 1.33
Severity: serious
Tags: patch
Hi,
See attachment: your config doesn't allow link calls, which
sporadically breaks operation of apt-cacher-ng in unexpected ways.
The suggested change should probably be improved; I am no AppArmor
expert.
[ 1451.927739] audit: type=1400 audit(1622048089.493:85): apparmor="ALLOWED" operation="link" profile="apt-cacher-ng" name="/var/cache/apt-cacher-ng/debrep/dists/unstable/InRelease.1622048089" pid=36785 comm="apt-cacher-ng" requested_mask="l" denied_mask="l" fsuid=121 ouid=121 target="/var/cache/apt-cacher-ng/debrep/dists/unstable/InRelease"
Eduard.
-- System Information:
Debian Release: 11.0
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.12.0+ (SMP w/12 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages apparmor-profiles-extra depends on:
ii apparmor 2.13.6-10
apparmor-profiles-extra recommends no packages.
apparmor-profiles-extra suggests no packages.
-- Configuration Files:
/etc/apparmor.d/usr.sbin.apt-cacher-ng changed:
@{APT_CACHER_NG_CACHE_DIR}=/var/cache/apt-cacher-ng
profile apt-cacher-ng /usr/sbin/apt-cacher-ng {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/user-tmp>
  /etc/apt-cacher-ng/ r,
  /etc/apt-cacher-ng/** r,
  /etc/hosts.{deny,allow} r,
  /usr/sbin/apt-cacher-ng mr,
  /var/lib/apt-cacher-ng/** r,
  /{,var/}run/apt-cacher-ng/* rw,
  @{APT_CACHER_NG_CACHE_DIR}/ r,
  @{APT_CACHER_NG_CACHE_DIR}/** rwl,
  /var/log/apt-cacher-ng/ r,
  /var/log/apt-cacher-ng/* rw,
  /{,var/}run/systemd/notify w,
  /{usr/,}bin/dash ixr,
  /{usr/,}bin/ed ixr,
  /{usr/,}bin/red ixr,
  /{usr/,}bin/sed ixr,
  /usr/lib/apt-cacher-ng/acngtool ixr,
  # Allow serving local documentation
  /etc/mime.types r,
  /usr/share/doc/apt-cacher-ng/html/** r,
  # used by libevent
  @{PROC}/sys/kernel/random/uuid r,
  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.apt-cacher-ng>
}
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Stop-breaking-latest-apt-cacher-ng-by-blocking-link-.patch
Type: text/x-diff
Size: 858 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-apparmor-team/attachments/20210528/606a80b8/attachment.patch>
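Added example, not part of the original report or of the apparmor-profiles-extra package: a Python sketch that parses the audit record quoted in the report and checks which file rules grant the logged denied_mask on the logged name. The glob translation is a simplified assumption (no character classes), only the link name is checked and not the link target, and NO_LINK_RULE is a constructed variant of the profile's cache rule with the l permission dropped.

```python
import re

# Audit record quoted in the report (kernel timestamp prefix dropped).
RECORD = (
    'audit: type=1400 audit(1622048089.493:85): apparmor="ALLOWED" '
    'operation="link" profile="apt-cacher-ng" '
    'name="/var/cache/apt-cacher-ng/debrep/dists/unstable/InRelease.1622048089" '
    'pid=36785 comm="apt-cacher-ng" requested_mask="l" denied_mask="l" '
    'fsuid=121 ouid=121 '
    'target="/var/cache/apt-cacher-ng/debrep/dists/unstable/InRelease"'
)
VARS = {"APT_CACHER_NG_CACHE_DIR": "/var/cache/apt-cacher-ng"}  # from the profile
PAGE_RULE = "@{APT_CACHER_NG_CACHE_DIR}/** rwl,"    # rule in the profile above
NO_LINK_RULE = "@{APT_CACHER_NG_CACHE_DIR}/** rw,"  # constructed: same glob, no l

def parse_record(line):
    """Return the key=value fields of one AppArmor audit record as a dict."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)
    return {key: quoted or bare for key, quoted, bare in pairs}

def glob_to_regex(glob):
    """Simplified AppArmor glob -> regex: @{VAR}, **, *, ? and {a,b} only."""
    glob = re.sub(r"@\{(\w+)\}", lambda m: VARS[m.group(1)], glob)
    out, i, depth = "", 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):      # ** may cross '/' boundaries
            out, i = out + ".*", i + 2
            continue
        if c == "{":
            depth, piece = depth + 1, "(?:"
        elif c == "}" and depth:
            depth, piece = depth - 1, ")"
        elif c == "," and depth:
            piece = "|"
        else:                             # * and ? stay within one component
            piece = {"*": "[^/]*", "?": "[^/]"}.get(c, re.escape(c))
        out, i = out + piece, i + 1
    return re.compile(out)

def rule_grants(rule, path, mask):
    """True if a 'glob perms,' file rule covers path with every letter of mask."""
    glob, perms = rule.rstrip(",").rsplit(None, 1)
    return bool(glob_to_regex(glob).fullmatch(path)) and set(mask) <= set(perms)

def covering_rules(line, rules):
    """Rules that grant the record's denied_mask on its name (link name only)."""
    f = parse_record(line)
    return [r for r in rules if rule_grants(r, f["name"], f["denied_mask"])]

if __name__ == "__main__":
    for rule in (NO_LINK_RULE, PAGE_RULE):
        print(rule, "->", "covers" if covering_rules(RECORD, [rule]) else "does not cover")
```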