alias rules being only partially applied

Bug #888077 reported by John Johansen on 2011-11-09
This bug affects 2 people

Bug Description

As reported by Christian Boltz

alias rules broken for /{,var/}run/


Lots of profiles contain rules for /{,var/}run/ nowadays.

Unfortunately that breaks if /var is a symlink (to /home/sys-var in my
case) even if a correct alias rule is set up.

I'll paste the details from #apparmor:

[22:00] <cboltz> I get unexpected DENIED events in combination with aliases:
[22:00] <cboltz> apparmor="DENIED" operation="mkdir" parent=1 profile="/usr/sbin/avahi-daemon" name="/home/sys-var/run/avahi-daemon/" pid=14842 comm="avahi-daemon" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[22:00] <cboltz> but I have in tunables/alias
[22:01] <cboltz> alias /var/ -> /home/sys-var/,
[22:01] <cboltz> and the profile for avahi-daemon allows write access to /var/run/avahi-daemon/ (original profile as in bzr)
[22:01] <cboltz> is this a known or a new bug?
[22:52] <sbeattie> cboltz: sorry, jjohansen and I are at the Ubuntu Developer Summit this week, so we're bouncing on and off irc.
[22:53] <sbeattie> cboltz: not a known bug to me
[22:54] <cboltz> then it must be a new one
[22:56] <cboltz> I just found what causes it
[22:57] <sbeattie> cboltz: oh?
[22:57] <cboltz> /{,var/}run/avahi-daemon/ w, fails the alias replacement
[22:57] <cboltz> /var/run/avahi-daemon/ w, works
[23:00] <sbeattie> doh
[23:01] <sbeattie> that's a result of aliases being more like a pre-processing step than a real semantic change.
[23:02] <cboltz> looks like it should be a real semantic change *g*
[23:03] <sbeattie> Feel free to raise the issue on the list or file a bug, though I'm not sure that it'd be an easy thing to address.
[23:03] <cboltz> I'll send a mail
[23:04] <sbeattie> cool, thanks!
[23:04] <cboltz> just tell John that I found a bug again, and then enjoy the developer summit
[23:04] <sbeattie> hehe
[23:06] * sbeattie vanishes again
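
The failure discussed in the log above can be reproduced with a small model. This is an added example, not code from apparmor_parser or from the reporters: it assumes, as a simplification, that an alias is applied as a prefix match on the raw rule text, and the helper names are hypothetical.

```python
import itertools
import re

# The alias from tunables/alias in the report: alias /var/ -> /home/sys-var/,
ALIAS = ("/var/", "/home/sys-var/")

def expand_braces(pattern):
    """Expand non-nested {a,b} alternations into the literal paths they match."""
    parts = re.split(r"\{([^{}]*)\}", pattern)
    # Even indexes hold literal text, odd indexes hold alternation bodies.
    choices = [[p] if i % 2 == 0 else p.split(",") for i, p in enumerate(parts)]
    return ["".join(c) for c in itertools.product(*choices)]

def alias_textual(rules, alias=ALIAS):
    """Assumed model of the reported behaviour: the alias is a pre-processing
    step that only fires when the rule text literally starts with the source."""
    src, dst = alias
    out = list(rules)
    for rule in rules:
        if rule.startswith(src):
            out.append(dst + rule[len(src):])
    return out

def alias_after_expansion(rules, alias=ALIAS):
    """Semantic variant: expand alternations first, then apply the alias to
    every literal path, so /{,var/}run/ and /var/run/ are treated alike."""
    expanded = [path for rule in rules for path in expand_braces(rule)]
    return alias_textual(expanded, alias)

def allowed(path, rules):
    """True if some rule matches the path exactly (globs beyond {} not modelled)."""
    return any(path in expand_braces(rule) for rule in rules)

# Path from the DENIED audit line in the report.
DENIED_PATH = "/home/sys-var/run/avahi-daemon/"

if __name__ == "__main__":
    for rule in ("/var/run/avahi-daemon/", "/{,var/}run/avahi-daemon/"):
        print(rule,
              "textual:", allowed(DENIED_PATH, alias_textual([rule])),
              "after expansion:", allowed(DENIED_PATH, alias_after_expansion([rule])))
```

In this model the plain `/var/run/avahi-daemon/` rule gains an aliased copy, while the `/{,var/}run/avahi-daemon/` rule does not unless the alternation is expanded before the alias is applied.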

Changed in apparmor:
importance: Undecided → Critical
assignee: nobody → John Johansen (jjohansen)
Changed in apparmor:
importance: Critical → High
status: New → Triaged
Christian Boltz (cboltz) on 2014-10-15
tags: added: aa-parser
Changed in apparmor:
assignee: John Johansen (jjohansen) → nobody
Christian Boltz (cboltz) wrote :

Any news on this?

John proposed a patch long ago (2013-07-08, "[Patch] Bug 888077 - aliases being partially applied"), but it seems it was lost again :-(

On 01/30/2015 03:00 AM, Christian Boltz wrote:
> Any news on this?
> John proposed a patch long ago (2013-07-08, "[Patch] Bug 888077 -
> aliases being partially applied"), but it seems it was lost again :-(
Not lost, I have reworked it some and have more work to do on it.

Partly I have been holding off on it for the userspace dfa verification
framework, so we can have better testing before rolling out backend

That work is also mostly done and I just need to make some time and
get it out the door.
