[Pkg-privacy-maintainers] Bug#932150: Fwd: Re[2]: Bug#932150: ricochet-im doesn't save user preferences due to broken(?) apparmor profile

Constantin Dunayev constantin_ at list.ru
Fri Jul 19 17:02:50 BST 2019



To: intrigeri <intrigeri at debian.org>
Date: Friday, 19 July 2019, 18:57 +03:00
Subject: Re[2]: [Pkg-privacy-maintainers] Bug#932150: ricochet-im doesn't save user preferences due to broken(?) apparmor profile

Hi,
Ricochet with the new profile seems to be working as expected, but there are still some 'DENIED' messages in syslog from apparmor:


Jul 19 18:50:43 horse kernel: [ 1559.190204] audit: type=1400 audit(1563551443.503:29): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/usr/bin/ricochet" pid=7996 comm="apparmor_parser"
Jul 19 18:50:57 horse kernel: [ 1573.503100] audit: type=1400 audit(1563551457.815:30): apparmor="DENIED" operation="open" profile="/usr/bin/ricochet" name="/proc/sys/kernel/random/boot_id" pid=8045 comm="ricochet" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 19 18:50:57 horse kernel: [ 1573.527617] audit: type=1400 audit(1563551457.843:31): apparmor="DENIED" operation="open" profile="/usr/bin/ricochet" name="/etc/ssl/openssl.cnf" pid=8051 comm="tor" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 19 18:51:15 horse kernel: [ 1591.410341] audit: type=1400 audit(1563551475.723:32): apparmor="DENIED" operation="open" profile="/usr/bin/ricochet" name="/proc/sys/kernel/random/boot_id" pid=8109 comm="ricochet" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 19 18:51:15 horse kernel: [ 1591.426174] audit: type=1400 audit(1563551475.739:33): apparmor="DENIED" operation="open" profile="/usr/bin/ricochet" name="/etc/ssl/openssl.cnf" pid=8115 comm="tor" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0


>Friday, 19 July 2019, 17:41 +03:00 from intrigeri <intrigeri at debian.org>:
>
>Hi,
>
>Given Buster shipped with AppArmor enabled by default, arguably this
>bug should be RC. I confirm this bug and adding these rules should fix
>this:
>
>  owner @{HOME}/.local/share/Ricochet/ rw,
>  owner @{HOME}/.local/share/Ricochet/** mrwlk,
>
>Constantin, can you please try this out? You'll need to reload the
>profile after modifying it:
>
>  sudo apparmor_parser -r /etc/apparmor.d/usr.bin.ricochet
>
>Now, on a current Debian sid default GNOME (+ Wayland) desktop, the
>profile denies tons of other stuff which triggers tons of noise in the
>logs. The attached profile fixes some (not all) of it but I'm not
>familiar enough with Ricochet to tell whether the denied access should
>be allowed or silently denied (with "deny" rules) so I'll let folks
>more familiar with Ricochet look into the fine details — and that
>should be for another bug anyway.
>
Best regards, -- 
Constantin Dunayev
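
Added example (not part of the original message or of the Debian package): a small Python script that groups the DENIED audit lines quoted above by profile and path and renders one candidate rule per path, either an allow rule or a "deny" rule of the kind mentioned in the quoted reply. The function names are hypothetical, and it assumes the denied_mask letters can be used directly as file permissions, which holds for the "r" seen in these lines.

```python
import re
from collections import defaultdict

# Sample input: the five audit lines quoted in the message, one record per line.
SAMPLE = """\
Jul 19 18:50:43 horse kernel: [ 1559.190204] audit: type=1400 audit(1563551443.503:29): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/usr/bin/ricochet" pid=7996 comm="apparmor_parser"
Jul 19 18:50:57 horse kernel: [ 1573.503100] audit: type=1400 audit(1563551457.815:30): apparmor="DENIED" operation="open" profile="/usr/bin/ricochet" name="/proc/sys/kernel/random/boot_id" pid=8045 comm="ricochet" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 19 18:50:57 horse kernel: [ 1573.527617] audit: type=1400 audit(1563551457.843:31): apparmor="DENIED" operation="open" profile="/usr/bin/ricochet" name="/etc/ssl/openssl.cnf" pid=8051 comm="tor" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 19 18:51:15 horse kernel: [ 1591.410341] audit: type=1400 audit(1563551475.723:32): apparmor="DENIED" operation="open" profile="/usr/bin/ricochet" name="/proc/sys/kernel/random/boot_id" pid=8109 comm="ricochet" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 19 18:51:15 horse kernel: [ 1591.426174] audit: type=1400 audit(1563551475.739:33): apparmor="DENIED" operation="open" profile="/usr/bin/ricochet" name="/etc/ssl/openssl.cnf" pid=8115 comm="tor" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key=value or key="quoted value" pairs as they appear in audit records
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(text):
    """Yield the fields of every apparmor="DENIED" record; other records are skipped."""
    for line in text.splitlines():
        fields = {key: quoted or bare for key, quoted, bare in KV.findall(line)}
        if fields.get("apparmor") == "DENIED":
            yield fields

def summarize(text):
    """Group denials by (profile, path): denied masks, requesting commands, hit count."""
    out = defaultdict(lambda: {"mask": set(), "comm": set(), "count": 0})
    for f in parse_denials(text):
        entry = out[(f["profile"], f["name"])]
        entry["mask"].update(f["denied_mask"])
        entry["comm"].add(f["comm"])
        entry["count"] += 1
    return dict(out)

def candidate_rules(text, silence=False):
    """One rule per denied path: an allow rule, or a 'deny' rule that stops the logging."""
    rules = []
    for (profile, path), e in sorted(summarize(text).items()):
        mask = "".join(sorted(e["mask"]))
        prefix = "deny " if silence else ""
        note = f"# {profile}: {e['count']}x by {', '.join(sorted(e['comm']))}"
        rules.append(f"  {prefix}{path} {mask},  {note}")
    return rules

if __name__ == "__main__":
    print("# candidate allow rules")
    print("\n".join(candidate_rules(SAMPLE)))
    print("# or, to deny without logging")
    print("\n".join(candidate_rules(SAMPLE, silence=True)))
```

Each candidate still needs a decision by someone who knows the application: the output only lists what was denied and by which command, not whether the access should be granted.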