Error with guest-session and apparmor when tmp is not in /

Bug #295557 reported by loko
Affects: apparmor (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: apparmor

Hello,

I've put the tmp directory at /home/tmp and made a symlink to /tmp.

Now I cannot start a guest session anymore. I get the following errors:

.xsession-errors:

/etc/gdm/Xsession: Beginning session setup...
xrdb: Permission denied
xrdb: Can't open display ':20'
Can't create dir /tmp/guest-home.T13885/Desktop
...
...
...
Setting IM through /etc/X11/xinit/xinput.d/all_ALL linked to /etc/X11/xinit/xinput.d/default.
mkdtemp: private socket dir: Permission denied

and the other messages:

Nov 8 11:34:36 user-laptop kernel: [ 1824.823565] type=1503 audit(1226140476.352:36): operation="inode_permission" requested_mask="::w" denied_mask="::w" fsuid=112 name="/home/tmp/.X11-unix/X20" pid=9189 profile="/usr/share/gdm/guest-session/Xsession"
Nov 8 11:34:36 user-laptop kernel: [ 1824.843012] type=1503 audit(1226140476.372:37): operation="inode_mkdir" requested_mask="w::" denied_mask="w::" fsuid=112 name="/home/tmp/guest-home.Vj9080/Desktop/" pid=9202 profile="/usr/share/gdm/guest-session/Xsession"
Nov 8 11:34:36 user-laptop kernel: [ 1824.846338] type=1503 audit(1226140476.376:38): operation="inode_mkdir" requested_mask="w::" denied_mask="w::" fsuid=112 name="/home/tmp/guest-home.Vj9080/Desktop/" pid=9202 profile="/usr/share/gdm/guest-session/Xsession"
Nov 8 11:34:36 user-laptop kernel: [ 1824.849558] type=1503 audit(1226140476.380:39): operation="inode_mkdir" requested_mask="w::" denied_mask="w::" fsuid=112 name="/home/tmp/guest-home.Vj9080/Vorlagen/" pid=9202 profile="/usr/share/gdm/guest-session/Xsession"
Nov 8 11:34:36 user-laptop kernel: [ 1824.852762] type=1503 audit(1226140476.384:40): operation="inode_mkdir" requested_mask="w::" denied_mask="w::" fsuid=112 name=2F686F6D652F746D702F67756573742D686F6D652E566A393038302FC3966666656E746C6963682F pid=9202 profile="/usr/share/gdm/guest-session/Xsession"
Nov 8 11:34:36 user-laptop kernel: [ 1824.856531] type=1503 audit(1226140476.388:41): operation="inode_mkdir" requested_mask="w::" denied_mask="w::" fsuid=112 name="/home/tmp/guest-home.Vj9080/Dokumente/" pid=9202 profile="/usr/share/gdm/guest-session/Xsession"
Nov 8 11:34:36 user-laptop kernel: [ 1824.859818] type=1503 audit(1226140476.388:42): operation="inode_mkdir" requested_mask="w::" denied_mask="w::" fsuid=112 name="/home/tmp/guest-home.Vj9080/Musik/" pid=9202 profile="/usr/share/gdm/guest-session/Xsession"
Nov 8 11:34:36 user-laptop kernel: [ 1824.862958] type=1503 audit(1226140476.392:43): operation="inode_mkdir" requested_mask="w::" denied_mask="w::" fsuid=112 name="/home/tmp/guest-home.Vj9080/Bilder/" pid=9202 profile="/usr/share/gdm/guest-session/Xsession"
Nov 8 11:34:36 user-laptop kernel: [ 1824.866083] type=1503 audit(1226140476.396:44): operation="inode_mkdir" requested_mask="w::" denied_mask="w::" fsuid=112 name="/home/tmp/guest-home.Vj9080/Videos/" pid=9202 profile="/usr/share/gdm/guest-session/Xsession"
Nov 8 11:34:36 user-laptop kernel: [ 1824.884700] type=1503 audit(1226140476.416:45): operation="inode_mkdir" requested_mask="w::" denied_mask="w::" fsuid=112 name="/home/tmp/ssh-PobKki9129/" pid=9129 profile="/usr/share/gdm/guest-session/Xsession"

Deleting the symlink and putting tmp back to /tmp solves the problem.

So it is a problem with the apparmor profiles.
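The kernel lines above carry the diagnosis: AppArmor mediates the path after the kernel has resolved the symlink, so a guest-session profile written for /tmp/... sees every access land in /home/tmp/... and denies it. As an added example (not part of this report and not an AppArmor tool), the script below parses type=1503 denial lines, decodes the hex-encoded name= value that the kernel audit layer emits without quotes when a path contains bytes it treats as untrusted (the non-ASCII "Ö" in the Öffentlich line), and lists which denied paths fall outside the prefixes the profile is assumed to cover. The three sample lines are copied from the report; the assumed prefix /tmp/ and all function names are mine.

```python
"""Summarise AppArmor denial lines of the kind shown in this bug report.

Added example; not part of the report and not an AppArmor tool. The three
sample lines are copied from the report. The kernel audit subsystem
hex-encodes a name= value that contains bytes it treats as untrusted (here
the non-ASCII "Ö") and prints it without quotes; decode_name() undoes that.
"""
import re
from collections import defaultdict

# Sample input: three denial lines copied verbatim from the report.
SAMPLE_LOG = """\
Nov 8 11:34:36 user-laptop kernel: [ 1824.823565] type=1503 audit(1226140476.352:36): operation="inode_permission" requested_mask="::w" denied_mask="::w" fsuid=112 name="/home/tmp/.X11-unix/X20" pid=9189 profile="/usr/share/gdm/guest-session/Xsession"
Nov 8 11:34:36 user-laptop kernel: [ 1824.852762] type=1503 audit(1226140476.384:40): operation="inode_mkdir" requested_mask="w::" denied_mask="w::" fsuid=112 name=2F686F6D652F746D702F67756573742D686F6D652E566A393038302FC3966666656E746C6963682F pid=9202 profile="/usr/share/gdm/guest-session/Xsession"
Nov 8 11:34:36 user-laptop kernel: [ 1824.884700] type=1503 audit(1226140476.416:45): operation="inode_mkdir" requested_mask="w::" denied_mask="w::" fsuid=112 name="/home/tmp/ssh-PobKki9129/" pid=9129 profile="/usr/share/gdm/guest-session/Xsession"
"""

# key="quoted value"  or  key=bareword ; the bareword form is what the audit
# layer uses for hex-encoded names.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')


def decode_name(value, quoted):
    """Return a readable path for a name= field (hex-decoded if unquoted)."""
    if quoted or not HEX_RE.match(value):
        return value
    return bytes.fromhex(value).decode("utf-8", errors="replace")


def parse_denials(log_text):
    """One dict of key/value fields per AppArmor denial (type=1503) line."""
    events = []
    for line in log_text.splitlines():
        if "type=1503" not in line:
            continue
        fields = {}
        for m in FIELD_RE.finditer(line):
            key, quoted_val, bare_val = m.groups()
            quoted = quoted_val is not None
            val = quoted_val if quoted else bare_val
            # Only name= is hex-encoded; pid=9202 must stay a decimal string.
            fields[key] = decode_name(val, quoted) if key == "name" else val
        events.append(fields)
    return events


def summarize(log_text):
    """profile -> operation -> set of denied paths."""
    out = defaultdict(lambda: defaultdict(set))
    for ev in parse_denials(log_text):
        out[ev["profile"]][ev["operation"]].add(ev["name"])
    return out


def paths_outside(events, allowed_prefixes):
    """Denied paths that a profile covering only allowed_prefixes could never
    have matched. With ("/tmp/",) this exposes the symlink having been
    resolved to /home/tmp before mediation (prefix is an assumption)."""
    return sorted({ev["name"] for ev in events
                   if not ev["name"].startswith(allowed_prefixes)})


if __name__ == "__main__":
    evs = parse_denials(SAMPLE_LOG)
    for profile, ops in summarize(SAMPLE_LOG).items():
        print(profile)
        for op, names in ops.items():
            for n in sorted(names):
                print(f"  {op:17} {n}")
    # Assumed: the profile grants access under /tmp/ only.
    print("denied outside /tmp/:", paths_outside(evs, ("/tmp/",)))
```

Running it prints the three denials grouped under the Xsession profile with the Öffentlich path readable again, and lists all three as lying outside /tmp/; rerunning paths_outside with ("/home/tmp/",) returns nothing, which is the quickest way to confirm that the profile's paths, not its permissions, are what disagree with the filesystem layout.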

loko (arph) wrote :

Sorry,

this does not work because I linked /tmp with a symlink to /home/tmp.

Instead of a symlink it only works (in my case) with: mount -o bind /home/tmp /tmp

loko (arph)
Changed in apparmor:
status: New → Invalid
Steve Beattie (sbeattie) wrote: Re: [Bug 295557] Re: Error with guest-session and apparmor when tmp is not in /

On Sat, Nov 08, 2008 at 02:38:51PM -0000, loko wrote:
> this does not work because I linked /tmp with a symlink to /home/tmp
>
> Instead of symlink it only works (in my case) with: mount -o bind
> /home/tmp /tmp

I hesitate to mention this due to some caveats that I'll list below, but
AppArmor in intrepid has some additional functionality that can make dealing
with symlinked directories easier. The ability to add alias rules was
added, so that you could state something like the following:

  alias /tmp -> /home/tmp,

The caveats are:

  - In intrepid, the alias rules need to be *the first* rules to
    occur. These must come before variable declarations or program
    declarations or a program name. #include's do get pre-processed before
    alias rules are dealt with, so alias rules can occur at the beginning
    of the first included file; e.g. adding alias rules to the beginning
    of /etc/apparmor.d/tunables/global probably makes sense. (This is
    a bug in intrepid's apparmor; it has been fixed upstream so that
    variable declarations and alias rules can be intermixed, though both
    must occur before profile definitions for programs are declared.)

  - The profile tools like aa-genprof are unlikely to be aware of alias
    rules and it's possible that using the tools may cause the alias
    rules to be stripped out of the policy. (However, the tools do not
    modify files that are included, so again placing alias rules in
    tunables/global is probably the safest bet.) If you need to use the
    aa-genprof or aa-logprof tools to manage your profiles, you likely
    do not want to use alias rules yet.

  - It's essentially a macro substitution, so that the example alias
    rule given above would map both /tmp to /home/tmp as well as
    /tmptation to /home/tmptation. The safer declaration would be to do:

      alias /tmp/ -> /home/tmp/,

    as that will only apply to things in /tmp/.

  - Duplicate mappings are detected by the policy parser, but
    overlapping mappings are not, and are likely not handled correctly;
    e.g.:

      alias /usr -> /User,
      alias /usr/lib -> /Libraries,

    is not detected and results in undefined behavior.

  - It's ultimately not a well-tested feature; there may be additional
    bugs or unexpected behavior if alias rules are used. But testing
    this would be very much appreciated by upstream, as well as feedback
    as to the utility of this feature.

Hope this helps. Thanks.

--
Steve Beattie
<email address hidden>
http://NxNW.org/~steve/
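To make the caveats in this reply concrete, here is an added example (mine, not Steve's and not AppArmor's policy parser) that models an alias rule as the plain prefix substitution the reply describes. It parses alias lines, shows which extra path a profile rule picks up under a given alias, and lints a set of aliases for the pitfalls named above: a source without a trailing slash (the /tmptation case), duplicate rules, and overlapping sources. The alias lines themselves are quoted from the reply; the function names, the lint wording and the treatment of each alias as an independent rewrite are assumptions.

```python
"""Model AppArmor alias rules as prefix substitution to illustrate the
caveats in the reply above.

Added example; not AppArmor's policy parser. An alias is treated as a
literal prefix rewrite, which is how the reply describes it. The lint
flags problems the reply says the real parser does not catch.
"""
import re

# "alias /src -> /dst," possibly indented, as written in a profile or in
# tunables/global.
ALIAS_RE = re.compile(r'^\s*alias\s+(\S+?)\s*->\s*(\S+?)\s*,\s*$')

# Alias lines quoted from the reply, wrapped as constructed file contents.
UNSAFE_ALIAS = "alias /tmp -> /home/tmp,\n"
SAFE_ALIAS = "alias /tmp/ -> /home/tmp/,\n"
OVERLAPPING = "alias /usr -> /User,\nalias /usr/lib -> /Libraries,\n"


def parse_alias_rules(policy_text):
    """Return [(source, target), ...] for every alias line in the text."""
    rules = []
    for line in policy_text.splitlines():
        m = ALIAS_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return rules


def expand_rule_path(rule_path, rules):
    """Paths a profile rule written for rule_path ends up covering: the
    original plus one rewrite per alias whose source is a prefix of it.
    Overlapping aliases are not modelled (the reply calls that undefined)."""
    paths = [rule_path]
    for src, dst in rules:
        if rule_path.startswith(src):
            rewritten = dst + rule_path[len(src):]
            if rewritten not in paths:
                paths.append(rewritten)
    return paths


def find_overlaps(rules):
    """Pairs of distinct alias sources where one is a prefix of the other."""
    srcs = [s for s, _ in rules]
    return [(a, b) for i, a in enumerate(srcs) for b in srcs[i + 1:]
            if a != b and (a.startswith(b) or b.startswith(a))]


def lint_aliases(rules):
    """Human-readable warnings for the pitfalls named in the reply."""
    warnings = []
    seen = set()
    for src, dst in rules:
        if (src, dst) in seen:
            warnings.append(f"duplicate alias {src} -> {dst}")
        seen.add((src, dst))
        if not src.endswith("/"):
            warnings.append(f"alias source {src} lacks a trailing slash: "
                            f"it also rewrites {src}tation-style siblings")
    for a, b in find_overlaps(rules):
        warnings.append(f"overlapping alias sources {a} and {b}: "
                        "not rejected by the parser, behaviour undefined")
    return warnings


if __name__ == "__main__":
    for text in (UNSAFE_ALIAS, SAFE_ALIAS, OVERLAPPING):
        rules = parse_alias_rules(text)
        print(rules)
        print("  /tmp/**       ->", expand_rule_path("/tmp/**", rules))
        print("  /tmptation/** ->", expand_rule_path("/tmptation/**", rules))
        for w in lint_aliases(rules):
            print("  WARNING:", w)
```

The interesting comparison is the first two runs: under the unsafe alias a rule for /tmptation/** silently gains /home/tmptation/**, while under the trailing-slash form it does not, and only the guest-session paths under /tmp/ pick up their /home/tmp/ twin. The overlap lint is a stand-in for the check the reply says intrepid's parser lacks, so it is worth running over tunables/global before loading a policy that uses more than one alias.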
