alias rules being only partially applied

Bug #888077 reported by John Johansen
This bug affects 2 people
Affects Status Importance Assigned to Milestone

Bug Description

As reported by Christian Boltz

alias rules broken for /{,var/}run/


lots of profiles contain rules for /{,var/}run/ nowadays.

Unfortunately that breaks if /var is a symlink (to /home/sys-var in my
case) even if a correct alias rule is setup.

I'll paste the details from #apparmor:

[22:00] <cboltz> I get unexpected DENIED events in combination with aliases:
[22:00] <cboltz> apparmor="DENIED" operation="mkdir" parent=1 profile="/usr/sbin/avahi-daemon" name="/home/sys-var/run/avahi-daemon/" pid=14842 comm="avahi-daemon" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[22:00] <cboltz> but I have in tunables/alias
[22:01] <cboltz> alias /var/ -> /home/sys-var/,
[22:01] <cboltz> and the profile for avahi-daemon allows write access to /var/run/avahi-daemon/ (original profile as in bzr)
[22:01] <cboltz> is this a known or a new bug?
[22:52] <sbeattie> cboltz: sorry, jjohansen and I are at the Ubuntu Developer Summit this week, so we're bouncing on and off irc.
[22:53] <sbeattie> cboltz: not a known bug to me
[22:54] <cboltz> then it must be a new one
[22:56] <cboltz> I just found what causes it
[22:57] <sbeattie> cboltz: oh?
[22:57] <cboltz> /{,var/}run/avahi-daemon/ w, fails the alias replacement
[22:57] <cboltz> /var/run/avahi-daemon/ w, works
[23:00] <sbeattie> doh
[23:01] <sbeattie> that's a result of aliases being more like a pre-processing step than a real semantic change.
[23:02] <cboltz> looks like it should be a real semantic change *g*
[23:03] <sbeattie> Feel free to raise the issue on the list or file a bug, though I'm not sure that it'd be an easy thing to address.
[23:03] <cboltz> I'll send a mail
[23:04] <sbeattie> cool, thanks!
[23:04] <cboltz> just tell John that I found a bug again, and then enjoy the developer summit
[23:04] <sbeattie> hehe
[23:06] * sbeattie vanishes again

Tags: aa-parser
Changed in apparmor:
importance: Undecided → Critical
assignee: nobody → John Johansen (jjohansen)
Changed in apparmor:
importance: Critical → High
status: New → Triaged
Christian Boltz (cboltz)
tags: added: aa-parser
Changed in apparmor:
assignee: John Johansen (jjohansen) → nobody
Revision history for this message
Christian Boltz (cboltz) wrote :

Any news on this?

John proposed a patch long ago (2013-07-08, "[Patch] Bug 888077 - aliases being partially applied"), but it seems it was lost again :-(

Revision history for this message
John Johansen (jjohansen) wrote : Re: [Bug 888077] Re: alias rules being only partially applied

On 01/30/2015 03:00 AM, Christian Boltz wrote:
> Any news on this?
> John proposed a patch long ago (2013-07-08, "[Patch] Bug 888077 -
> aliases being partially applied"), but it seems it was lost again :-(
Not lost, I have reworked it some and have more work to do on it.

Partly I have been holding off on it for the userspace dfa verification
frame work, so we can have better testing before rolling out backend

That work is also mostly done and I just need to make some time and
get it out the door.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.