Apparmor SSL abstraction does not allow read access to /usr/local/share/ca-certificates
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Fix Released | Medium | Jamie Strandboge |
apparmor (Ubuntu) | Fix Released | Medium | Jamie Strandboge |
Bug Description
Binary package hint: apparmor
Adding a custom CA certificate to /usr/local/
Below is an example using slapd on lucid:
ubuntu@directory:~$ sudo service slapd start
Starting OpenLDAP: slapd - failed.
The operation failed but no output was produced. For hints on what went
wrong please refer to the system's logfiles (e.g. /var/log/syslog) or
try running the daemon in Debug mode like via "slapd -d 16383" (warning:
this will create copious output).
Below, you can find the command line options used by this script to
run slapd. Do not forget to specify those options if you
want to look to debugging output:
slapd -h 'ldap:/// ldapi:///' -g openldap -u openldap -F /etc/ldap/slapd.d/
ubuntu@directory:~$ tail -5 /var/log/syslog
Apr 20 15:40:52 ip-10-99-66-29 slapd[8070]: @(#) $OpenLDAP: slapd 2.4.21 (Mar 30 2011 16:20:36) $#012#011buildd
Apr 20 15:40:52 ip-10-99-66-29 slapd[8070]: main: TLS init def ctx failed: -1
Apr 20 15:40:52 ip-10-99-66-29 slapd[8070]: slapd stopped.
Apr 20 15:40:52 ip-10-99-66-29 slapd[8070]: connections_
Apr 20 15:40:52 ip-10-99-66-29 kernel: [86245.846972] type=1503 audit(130331405
ubuntu@directory:~$ sudo aa-complain /usr/sbin/slapd
Setting /usr/sbin/slapd to complain mode.
ubuntu@directory:~$ sudo service slapd start
Starting OpenLDAP: slapd.
ubuntu@directory:~$ sudo ldapsearch -Y EXTERNAL -H ldapi:// -b cn=config olcTLSCACertifi
olcTLSCACertifi
ubuntu@directory:~$ ls -l /etc/ssl/
lrwxrwxrwx 1 root root 43 2011-04-19 20:42 /etc/ssl/
In the above, slapd does not start because it cannot access the CA cert in /usr/local/
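The diagnosis the session above walks through by hand (a TLS init failure in the slapd log, a truncated type=1503 audit line in the kernel log, confirmation via aa-complain) can be automated: parse the AppArmor denial lines out of syslog and derive the file rule each confined profile is missing. This is an added example, not code from the bug report or from the AppArmor project; the syslog lines in it are constructed samples modelled on the lucid-era `type=1503` format and the newer `apparmor="DENIED"` format, and the CA-store path is taken from the bug title.

```python
"""Parse AppArmor denials from syslog and derive the missing file rules."""
import re

# Constructed sample log (not the bug report's own lines): one lucid-era
# type=1503 denial and one newer apparmor="DENIED" denial for slapd reading
# the local CA store that the ssl_certs abstraction did not cover.
SAMPLE_SYSLOG = """\
Apr 20 15:40:52 ip-10-99-66-29 slapd[8070]: main: TLS init def ctx failed: -1
Apr 20 15:40:52 ip-10-99-66-29 kernel: [86245.846972] type=1503 audit(1303314052.846:112): operation="open" pid=8070 parent=1 profile="/usr/sbin/slapd" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/usr/local/share/ca-certificates/corp-ca.crt"
Apr 20 15:41:10 ip-10-99-66-29 kernel: [86263.101010] audit: type=1400 audit(1303314070.101:113): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/usr/local/share/ca-certificates/" pid=8071 comm="slapd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bareword, as emitted by the audit subsystem
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_denials(text):
    """Return one dict of audit fields per AppArmor denial line."""
    denials = []
    for line in text.splitlines():
        if "type=1503" not in line and 'apparmor="DENIED"' not in line:
            continue
        fields = {}
        for key, raw, quoted in KV_RE.findall(line):
            fields[key] = quoted if quoted else raw
        if "profile" in fields and "name" in fields:
            denials.append(fields)
    return denials


def needed_rules(text, ca_dir="/usr/local/share/ca-certificates/"):
    """Collapse denials into the AppArmor file rules each profile lacks.

    Paths under ca_dir map to the two rules the CA store needs (the directory
    itself plus everything beneath it); other paths get a path-specific rule.
    """
    rules = {}
    for d in parse_denials(text):
        # old kernels log masks as "r::"; keep only the permission letters
        mask = "".join(sorted(set(d["denied_mask"].replace(":", ""))))
        wanted = rules.setdefault(d["profile"], set())
        if d["name"].startswith(ca_dir):
            wanted.add(f"{ca_dir} {mask},")
            wanted.add(f"{ca_dir}** {mask},")
        else:
            wanted.add(f"{d['name']} {mask},")
    return {profile: sorted(r) for profile, r in rules.items()}


if __name__ == "__main__":
    for profile, rule_list in needed_rules(SAMPLE_SYSLOG).items():
        print(f"# rules missing from profile {profile}")
        print("\n".join(rule_list))
```

Point it at the real syslog on an affected host (`needed_rules(open("/var/log/syslog").read())`) to see which paths each profile was denied; the rules it prints are the ones the ssl_certs abstraction was missing for the local CA store.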
Changed in apparmor (Ubuntu):
  status: New → Triaged
  importance: Undecided → Medium
  tags: added: patch
Changed in apparmor (Ubuntu):
  assignee: Steve Beattie (sbeattie) → Jamie Strandboge (jdstrand)
  status: Triaged → In Progress
Changed in apparmor:
  milestone: none → 2.7.0
Steve