aa-logprof breaks external hats

Bug #1432875 reported by Christian Boltz
This bug affects 1 person
Affects   Status  Importance  Assigned to  Milestone
AppArmor  New     Undecided   Unassigned

Bug Description

type=AVC msg=audit(1426541576.775:281): apparmor="DENIED" operation="open" profile="/usr/lib64/thunderbird/thunderbird.sh///usr/lib64/thunderbird/thunderbird-bin" name="/home/foo/" pid=2564 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

==> apparmor.d/thunderbird-child <==
profile /usr/lib64/thunderbird/thunderbird.sh///usr/lib64/thunderbird/thunderbird-bin {
     /bar r,
}

==> apparmor.d/thunderbird-stallmanu-2015-03-16 <==
/usr/lib64/thunderbird/thunderbird.sh {
  /foo r,
}

Now run aa-logprof, and you'll get

==> apparmor.d/thunderbird-child <==
profile /usr/lib64/thunderbird/thunderbird.sh///usr/lib64/thunderbird/thunderbird-bin {
     /bar r,
}

==> apparmor.d/thunderbird-stallmanu-2015-03-16 <==
/usr/lib64/thunderbird/thunderbird.sh {
  /foo r,

  ^/usr/lib64/thunderbird/thunderbird-bin {
    /home/*/ r,
  }
}

Needless to say that /home/*/ r, should be added to the thunderbird-child profile...

Tags: aa-tools
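
The lookup the report expects, as an added example (not aa-logprof's own code): take the `profile=` name from the audit record and find which file already declares it, treating an embedded `^hat` and an external `profile parent//child` block as the same name. The header regex is a simplified assumption rather than AppArmor's real parser, and the inputs are the audit record (shortened) and the file contents shown in the report.

```python
import re

PARENT = "/usr/lib64/thunderbird/thunderbird.sh"
CHILD = "/usr/lib64/thunderbird/thunderbird-bin"
# Audit record from the report, shortened to the fields used here.
AUDIT = ('type=AVC msg=audit(1426541576.775:281): apparmor="DENIED" operation="open" '
         'profile="%s//%s" name="/home/foo/" requested_mask="r"' % (PARENT, CHILD))
# Profile files as shown in the report, before aa-logprof runs.
BEFORE = {
    "apparmor.d/thunderbird-child": "profile %s//%s {\n     /bar r,\n}\n" % (PARENT, CHILD),
    "apparmor.d/thunderbird-stallmanu-2015-03-16": "%s {\n  /foo r,\n}\n" % PARENT,
}
# State after aa-logprof, as shown in the report: a new ^hat inside the parent.
AFTER = dict(BEFORE)
AFTER["apparmor.d/thunderbird-stallmanu-2015-03-16"] = (
    "%s {\n  /foo r,\n\n  ^%s {\n    /home/*/ r,\n  }\n}\n" % (PARENT, CHILD))

# Simplified header matcher (assumption): optional "profile" keyword, a name, "{".
HEADER = re.compile(r'^\s*(?:profile\s+)?(\^?[^\s{#]+)\s*\{\s*$')

def declared_profiles(text):
    """Return full names of all profiles declared in one file, ^hats included."""
    names, stack = [], []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            name = m.group(1)
            if name.startswith("^") and stack:  # embedded hat: parent//hat
                name = stack[-1] + "//" + name[1:]
            stack.append(name)
            names.append(name)
        elif line.strip() == "}" and stack:
            stack.pop()
    return names

def audit_profile(record):
    """Extract the profile="..." field from an audit record."""
    return re.search(r'\bprofile="([^"]+)"', record).group(1)

def owning_files(profile, files):
    """Return every file that declares exactly this profile name."""
    return sorted(p for p, text in files.items() if profile in declared_profiles(text))

if __name__ == "__main__":
    name = audit_profile(AUDIT)
    print("target:", owning_files(name, BEFORE))  # file where the rule belongs
    print("after :", owning_files(name, AFTER))   # same name now declared twice
```

Run over a profile directory, a result with more than one file for a single name flags the duplicate declaration this bug produces.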