apparmor denials for gnutls configuration
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
apparmor (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
The gnutls library can be configured using /etc/gnutls/config, for example to allow small keys and TLS versions below v1.2.
However, if an application is confined by an apparmor profile and uses gnutls, it will ignore this file if it is not allowed to read it.
For example:
[ 382.586297] audit: type=1400 audit(162806866
[25379.358122] audit: type=1400 audit(162809366
[25460.754092] audit: type=1400 audit(162809374
How can we allow reading /etc/gnutls/config for all apps that use gnutls?
We already have an abstraction (i.e. a policy fragment) for openssl - https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor.d/abstractions/openssl - perhaps a similar one should be created for gnutls and then this can be #include'd into the profiles for the various applications that wish to use gnutls.
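Added example, not part of the bug report or of the AppArmor project: a Python script that scans kernel audit output for AppArmor read denials on /etc/gnutls/config and counts them per profile, which shows which confined applications are silently ignoring the system gnutls configuration. The log lines, profile names, timestamps and function names are constructed for illustration.

```python
import re
import shlex
from collections import defaultdict

GNUTLS_CONFIG = "/etc/gnutls/config"

# Constructed sample lines in the kernel's AppArmor audit format (type=1400).
# Profile names, pids and timestamps are made up.
SAMPLE_LOG = """\
[  100.000001] audit: type=1400 audit(1700000000.001:10): apparmor="DENIED" operation="open" profile="example-daemon" name="/etc/gnutls/config" pid=1111 comm="example-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  200.000002] audit: type=1400 audit(1700000100.002:11): apparmor="DENIED" operation="open" profile="/usr/bin/example-client" name="/etc/gnutls/config" pid=2222 comm="example-client" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  300.000003] audit: type=1400 audit(1700000200.003:12): apparmor="DENIED" operation="open" profile="example-daemon" name="/etc/shadow" pid=1111 comm="example-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  400.000004] audit: type=1400 audit(1700000300.004:13): apparmor="ALLOWED" operation="open" profile="example-complain" name="/etc/gnutls/config" pid=3333 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  500.000005] audit: type=1400 audit(1700000400.005:14): apparmor="DENIED" operation="open" profile="example-daemon" name="/etc/gnutls/config" pid=1112 comm="example-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# Everything after the "audit(<epoch>:<serial>): " prefix is key=value pairs.
AUDIT_RE = re.compile(r"audit: type=1400 audit\([\d.]+:\d+\): (.*)$")


def parse_fields(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    match = AUDIT_RE.search(line)
    if not match:
        return None
    fields = {}
    # shlex keeps quoted values (which may contain spaces) in one token.
    for token in shlex.split(match.group(1)):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def gnutls_denials(log_text):
    """Map profile name -> number of denied reads of /etc/gnutls/config."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        fields = parse_fields(line)
        if not fields:
            continue
        # Complain-mode entries are logged as ALLOWED: the read succeeded,
        # so the config was honoured and the profile is not counted.
        if (fields.get("apparmor") == "DENIED"
                and fields.get("name") == GNUTLS_CONFIG
                and "r" in fields.get("denied_mask", "")):
            counts[fields.get("profile", "<unknown>")] += 1
    return dict(counts)


if __name__ == "__main__":
    for profile, count in sorted(gnutls_denials(SAMPLE_LOG).items()):
        print(f"{profile}: {count} denied read(s) of {GNUTLS_CONFIG}")
```

On a real system the same function can be fed the output of `dmesg` or `journalctl -k` instead of `SAMPLE_LOG`.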