[pkg-apparmor] Bug#1030153: complaining

Christian Boltz apparmor-debian at cboltz.de
Mon Feb 6 13:20:32 GMT 2023 

Hello,

Am Mittwoch, 1. Februar 2023, 16:00:06 CET schrieb Antoine Beaupré:
> On 2023-01-31 23:57:04, Christian Boltz wrote:
> > I'm somewhat surprised about that because the upstream profile for
> > sshd has the following rule since Dec 3 2016 :
> >   /{usr/,}bin/bash     Uxr,
[...]
> > Now I wonder - does your sshd profile lack this line/rule?
> > (If in doubt, please attach the complete profile.)
[...]
> I *think* those are some "extra" profiles I might have manually
> deployed at some point.

Possibly. That must have been years ago ;-)

> Now that I dig in the apparmor-profiles, I found a
> /usr/share/apparmor/extra-profiles/ directory and there *is* a
> usr.sbin.sshd profile in there. So I'm not sure what happened here,
> maybe I deployed those by hand but they never got updated?

Sounds like a valid explanation. The extra profiles never get copied to 
/etc/apparmor.d/ automatically *), which also means they don't get 
updated automatically.

*) only exception: aa-genprof offers to use them as starting point when 
   creating a _new_ profile

> I also am a little confused by apparmor-profiles shipping an
> "extra-profiles" directory *and* having at the same time an
> apparmor-profiles-extra that only ships a handful of profiles... It's
> all very confusing...

That's something one of the Debian packagers needs to answer. 
(I use another distribution, see my signature ;-)

> Here's that old profile that was causing problems:
[...]
> /usr/sbin/sshd flags=(complain) {
[...]
>   /bin/bash rUx,

That explains it - it doesn't allow /usr/bin/bash to be executed.

I'd recommend to copy over the latest sshd profile from extra-profiles to 
/etc/apparmor.d/.


Regards,

Christian Boltz
-- 
> Using the internet since 28.8kbit. Yes, I'm 'old'.
My first modem was 300 bits/sec, you young whipper snapper!  ;-)
[> Yamaban and James Knott in opensuse-factory]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://alioth-lists.debian.net/pipermail/pkg-apparmor-team/attachments/20230206/f08f35a7/attachment-0001.sig>

More information about the pkg-apparmor-team mailing list