aa-genprof crashed with PermissionError in _mkstemp_inner(): [Errno 13] Permission denied: '/etc/apparmor.d/tmphtnhuikm~'

Bug #1300948 reported by Islam
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
AppArmor | Triaged | Low | Unassigned |
apparmor (Ubuntu) | Triaged | Low | Unassigned |

Bug Description

Running aa-genprof <application> without sudo caused the crash.

ProblemType: Crash
DistroRelease: Ubuntu 14.04
Package: apparmor-utils 2.8.95~2430-0ubuntu3
ProcVersionSignature: Ubuntu 3.13.0-19.40-generic 3.13.6
Uname: Linux 3.13.0-19-generic x86_64
ApportVersion: 2.13.3-0ubuntu1
Architecture: amd64
CurrentDesktop: Unity
Date: Tue Apr 1 20:45:07 2014
ExecutablePath: /usr/sbin/aa-genprof
InstallationDate: Installed on 2014-03-24 (8 days ago)
InstallationMedia: Ubuntu 13.10 "Saucy Salamander" - Release amd64+mac (20131016.1)
InterpreterPath: /usr/bin/python3.4
ProcCmdline: /usr/bin/python3 /usr/sbin/aa-genprof feh
ProcKernelCmdline: BOOT_IMAGE=/efi/ubuntu/vmlinuz-3.13.0-19-generic root=/dev/mapper/vg-root0 ro quiet splash
PythonArgs: ['/usr/sbin/aa-genprof', 'feh']
SourcePackage: apparmor
Syslog:

Title: aa-genprof crashed with PermissionError in _mkstemp_inner(): [Errno 13] Permission denied: '/etc/apparmor.d/tmphtnhuikm~'
UpgradeStatus: Upgraded to trusty on 2014-03-29 (3 days ago)
UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo vboxusers

Islam (islam) wrote :
tags: removed: need-duplicate-check
Changed in apparmor (Ubuntu):
importance: Undecided → Medium
information type: Private → Public
Changed in apparmor (Ubuntu):
status: New → Triaged
Changed in apparmor (Ubuntu):
importance: Medium → Low
tags: added: aa-tools
Changed in apparmor:
importance: Undecided → Low
status: New → Triaged
Ken Sharp (kennybobs) wrote :

A normal user has to run an application using sudo just to build a profile. This is ludicrous and counter-productive. The profile generated should optionally be saved elsewhere.

For example:

$ aa-genprof /usr/games/armagetronad

Will fail because /etc/apparmor.d is not writeable. The workaround is horrible:

$ sudo aa-genprof /usr/games/armagetronad

I really don't want to run something like armagetronad as the super-user. :-/

Christian Boltz (cboltz) wrote :

> I really don't want to run something like armagetronad as the super-user. :-/

You don't have to - I'm quite sure you misunderstand what happens ;-)

For generating a profile, you need to run two things:
a) sudo aa-genprof armagetronad - that tells aa-genprof that you want to create a profile for armagetronad, creates a very basic profile for it and loads it into the kernel (in complain mode). You need to be super-user to do that. Note that aa-genprof _does not_ run armagetronad.
b) in another terminal (or by clicking a desktop icon for it), run armagetronad. There's no need to use sudo, just run it as a normal user. As a side effect, this will create a bunch of log entries.

Then you go back to the aa-genprof window and (S)can the log to update the profile.
Optionally, use armagetronad more, and (S)can the log again.
Finally, choose (F)inish to switch the profile into enforce mode.

So, long story short - aa-genprof does not run armagetronad. You have to start it yourself and can do that without super-user permissions. The only thing that needs super-user permissions is aa-genprof.
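
The crash in this report is an unhandled PermissionError raised while a temporary file was being created inside /etc/apparmor.d. The sketch below is an added example, not AppArmor's code and not the fix adopted upstream: it shows a temp-file-then-rename write that turns that error into a clear message. The names save_profile and ProfileDirNotWritable are hypothetical, and the "~" suffix is taken from the path in the bug title.

```python
import os
import tempfile


class ProfileDirNotWritable(Exception):
    """Raised in place of an unhandled PermissionError traceback."""


def save_profile(profile_dir, name, text):
    """Atomically write text to profile_dir/name (hypothetical helper).

    The temp file is created next to the target, as in the path from the
    crash, so that os.replace() is a rename within one filesystem.
    """
    try:
        # mkstemp creates the file with mode 0600 and O_EXCL.
        fd, tmp_path = tempfile.mkstemp(dir=profile_dir, suffix="~")
    except PermissionError as exc:
        # The failure from the report: an unprivileged user cannot create
        # files in the profile directory. Explain it instead of crashing.
        raise ProfileDirNotWritable(
            f"cannot write to {profile_dir}: {exc.strerror}; "
            "this directory is normally writable only by root, "
            "re-run the tool with sudo"
        ) from exc
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(text)
            handle.flush()
            os.fsync(handle.fileno())
        target = os.path.join(profile_dir, name)
        os.replace(tmp_path, target)
    except BaseException:
        # Do not leave a half-written temp file behind.
        os.unlink(tmp_path)
        raise
    return target


if __name__ == "__main__":
    # Constructed demo: as a normal user this prints the friendly error,
    # as root it would write a file named "example.profile".
    try:
        print(save_profile("/etc/apparmor.d", "example.profile", "# constructed\n"))
    except ProfileDirNotWritable as err:
        print(f"error: {err}")
```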
