[pkg-apparmor] Bug#989193: breaks apt-cacher-ng by blocking link operation

Eduard Bloch edi at gmx.de
Fri May 28 06:26:17 BST 2021


Package: apparmor-profiles-extra
Version: 1.33
Severity: serious
Tags: patch

Hi,

See attachment. Your config doesn't allow link calls, which
sporadically breaks operation of apt-cacher-ng in unexpected ways.

The suggested change should probably be improved, I am no apparmor
expert.


[ 1451.927739] audit: type=1400 audit(1622048089.493:85): apparmor="ALLOWED" operation="link" profile="apt-cacher-ng" name="/var/cache/apt-cacher-ng/debrep/dists/unstable/InRelease.1622048089" pid=36785 comm="apt-cacher-ng" requested_mask="l" denied_mask="l" fsuid=121 ouid=121 target="/var/cache/apt-cacher-ng/debrep/dists/unstable/InRelease"


Eduard.

-- System Information:
Debian Release: 11.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.12.0+ (SMP w/12 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apparmor-profiles-extra depends on:
ii  apparmor  2.13.6-10

apparmor-profiles-extra recommends no packages.

apparmor-profiles-extra suggests no packages.

-- Configuration Files:
/etc/apparmor.d/usr.sbin.apt-cacher-ng changed:
@{APT_CACHER_NG_CACHE_DIR}=/var/cache/apt-cacher-ng
profile apt-cacher-ng /usr/sbin/apt-cacher-ng {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/user-tmp>
  /etc/apt-cacher-ng/ r,
  /etc/apt-cacher-ng/** r,
  /etc/hosts.{deny,allow} r,
  /usr/sbin/apt-cacher-ng mr,
  /var/lib/apt-cacher-ng/** r,
  /{,var/}run/apt-cacher-ng/* rw,
  @{APT_CACHER_NG_CACHE_DIR}/ r,
  @{APT_CACHER_NG_CACHE_DIR}/** rwl,
  /var/log/apt-cacher-ng/ r,
  /var/log/apt-cacher-ng/* rw,
  /{,var/}run/systemd/notify w,
  /{usr/,}bin/dash ixr,
  /{usr/,}bin/ed ixr,
  /{usr/,}bin/red ixr,
  /{usr/,}bin/sed ixr,
  /usr/lib/apt-cacher-ng/acngtool ixr,
  # Allow serving local documentation
  /etc/mime.types r,
  /usr/share/doc/apt-cacher-ng/html/** r,
  # used by libevent
  @{PROC}/sys/kernel/random/uuid r,
  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.apt-cacher-ng>
}


-- no debconf information

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Stop-breaking-latest-apt-cacher-ng-by-blocking-link-.patch
Type: text/x-diff
Size: 858 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-apparmor-team/attachments/20210528/606a80b8/attachment.patch>
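The check the report implies, as an added example that is not part of the original message or of the apparmor-profiles-extra package: it parses the quoted audit record and reports which requested permissions the matching file rules fail to grant. The function names, the simplified glob translation, and the `WITHOUT_LINK` rule set (the cache rule with `rw` only) are assumptions made for illustration; only the `name` field is matched, not `target`.

```python
import re

# Audit record quoted in the report above (kernel timestamp prefix dropped).
AUDIT_LINE = (
    'audit: type=1400 audit(1622048089.493:85): apparmor="ALLOWED" '
    'operation="link" profile="apt-cacher-ng" '
    'name="/var/cache/apt-cacher-ng/debrep/dists/unstable/InRelease.1622048089" '
    'pid=36785 comm="apt-cacher-ng" requested_mask="l" denied_mask="l" '
    'fsuid=121 ouid=121 '
    'target="/var/cache/apt-cacher-ng/debrep/dists/unstable/InRelease"')
VARS = {"APT_CACHER_NG_CACHE_DIR": "/var/cache/apt-cacher-ng"}
# File rules copied from the profile in the report (the reporter's changed copy).
REPORTED_RULES = ["@{APT_CACHER_NG_CACHE_DIR}/ r,",
                  "@{APT_CACHER_NG_CACHE_DIR}/** rwl,",
                  "/var/log/apt-cacher-ng/* rw,",
                  "/{,var/}run/apt-cacher-ng/* rw,"]
# Constructed variant without link permission (assumption, not on the page).
WITHOUT_LINK = [r.replace(" rwl,", " rw,") for r in REPORTED_RULES]

def parse_audit(line):
    """Return the key=value fields of one AppArmor audit record."""
    return {k: q or u for k, q, u in
            re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)}

def glob_to_regex(glob):
    """Translate a simplified subset of AppArmor globs: @{VAR}, **, *, {a,b}."""
    glob = re.sub(r"@\{(\w+)\}", lambda m: VARS[m.group(1)], glob)
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):       # ** crosses directory separators
            out, i = out + ".*", i + 2
        elif glob[i] == "*":               # * stays within one path component
            out, i = out + "[^/]*", i + 1
        elif glob[i] == "{":               # {a,b} alternation, may be empty
            j = glob.index("}", i)
            alts = map(re.escape, glob[i + 1:j].split(","))
            out, i = out + "(?:" + "|".join(alts) + ")", j + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile(out + r"\Z")

def missing_perms(rules, record):
    """Permissions in denied_mask that no rule matching `name` grants."""
    granted = set()
    for rule in rules:
        path, perms = rule.strip().rstrip(",").split()
        if glob_to_regex(path).match(record["name"]):
            granted |= set(perms)
    return set(record["denied_mask"]) - granted

if __name__ == "__main__":
    rec = parse_audit(AUDIT_LINE)
    print(rec["operation"], sorted(missing_perms(WITHOUT_LINK, rec)))
```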