AppArmor unrequested reply protection generates unallowable denials
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
dbus (Ubuntu) | Fix Released | Medium | Unassigned | |
Bug Description
Starting with utopic's dbus 1.8.6-1ubuntu1 package, the new AppArmor unrequested reply protections can generate some denials that can't easily be allowed in policy. For example, when running a confined pasaffe, you see these denials when starting and closing pasaffe:
apparmor="DENIED" operation=
It isn't obvious how to construct an AppArmor D-Bus rule to allow that operation. A bare "dbus," rule allows it but that's not acceptable for profiles implementing tight D-Bus confinement.
The code that implements unrequested reply protections should be reviewed for issues and, if everything looks good there, investigations into how to allow the operation that triggers the above denial should occur.
tags: added: application-confinement
Changed in dbus (Ubuntu):
status: In Progress → Triaged
FYI, we shouldn't try to land 1.8.6 in ubuntu-rtm until this bug is fixed.