Control: reassign -1 apparmor-profiles-extra
Control: found -1 1.19
Control: tag -1 + moreinfo

Ritesh Raj Sarraf:
> [ 5093.351969] audit: type=1400 audit(1527574882.949:79): apparmor="DENIED"
> operation="open" profile="/usr/sbin/apt-cacher-ng"
> name="/var/cache/apt/archives/"
> pid=17428 comm="apt-cacher-ng" requested_mask="r" denied_mask="r" fsuid=128
> ouid=0
> [ 5207.599652] audit: type=1400 audit(1527574997.198:80): apparmor="DENIED"
> operation="open" profile="/usr/sbin/apt-cacher-ng"
> name="/var/cache/apt/archives/"
> pid=17428 comm="apt-cacher-ng" requested_mask="r" denied_mask="r" fsuid=128
> ouid=0

Thanks for this report!

> I noticed these denial messages in my system logs. The
> apparmor-profiles-extra package includes a profile for `apt-cacher-ng`.

… so reassigning to that package.

> The only additional change I have is about cache imports, which stays
> in "_import", which is again a symlink to the apt cache directory:

I think this local change of yours (to the apt-cacher-ng configuration)
requires a local change to the AppArmor profile: there's no way the
profile can support out-of-the-box all such local customization while
providing meaningful confinement of the service.

So I suggest you add to /etc/apparmor.d/local/usr.sbin.apt-cacher-ng
the following lines:

  /var/cache/apt/archives/ r,
  /var/cache/apt/archives/** r,

… and then reload the profile:

  sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.apt-cacher-ng

Please let us know if that's enough to fix the problem for you.

Cheers,
--
intrigeri
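
Added example, not part of the message above and not code from the apparmor-profiles-extra package: a Python helper that turns AppArmor "DENIED" audit records like the ones in the report into candidate lines for a profile's local override file, so they can be reviewed before being added. The function names, the mask-to-permission table and the override-path naming rule are assumptions of this sketch; the sample input is the two records from the report, rejoined onto single lines.

```python
import re
from collections import defaultdict

# The two denials from the report above, each rejoined onto a single line.
SAMPLE_LOG = '''\
[ 5093.351969] audit: type=1400 audit(1527574882.949:79): apparmor="DENIED" operation="open" profile="/usr/sbin/apt-cacher-ng" name="/var/cache/apt/archives/" pid=17428 comm="apt-cacher-ng" requested_mask="r" denied_mask="r" fsuid=128 ouid=0
[ 5207.599652] audit: type=1400 audit(1527574997.198:80): apparmor="DENIED" operation="open" profile="/usr/sbin/apt-cacher-ng" name="/var/cache/apt/archives/" pid=17428 comm="apt-cacher-ng" requested_mask="r" denied_mask="r" fsuid=128 ouid=0
'''

# key="quoted value" or key=bare_value pairs, as they appear in audit records.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Audit mask letter -> profile permission (create/delete are covered by "w").
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "k": "k", "l": "l", "m": "m"}

def parse_denial(line):
    """Return the fields of an AppArmor file DENIED record, or None."""
    fields = {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(line)}
    if fields.get("type") != "1400" or fields.get("apparmor") != "DENIED":
        return None
    # Hex-encoded names (paths with spaces etc.) are not decoded here; skip them.
    if not fields.get("name", "").startswith("/") or "profile" not in fields:
        return None
    return fields

def suggest_rules(log_text):
    """Map each profile to rules allowing exactly the denied path and access."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_denial(line)
        mask = rec.get("denied_mask", "") if rec else ""
        if not mask or any(c not in MASK_TO_PERM for c in mask):
            continue  # not a denial, or needs manual review (e.g. "x")
        perms = "".join(sorted({MASK_TO_PERM[c] for c in mask}))
        # Exact path only: widening to a glob such as /** is a human decision.
        rules[rec["profile"]].add(f'{rec["name"]} {perms},')
    return {profile: sorted(r) for profile, r in rules.items()}

def local_override_path(profile):
    """Assumed naming: /usr/sbin/foo -> /etc/apparmor.d/local/usr.sbin.foo"""
    return "/etc/apparmor.d/local/" + profile.strip("/").replace("/", ".")

if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print(f"# candidate additions for {local_override_path(profile)}")
        for rule in rules:
            print(f"  {rule}")
```

The two records collapse into a single rule for the directory itself; the logs alone do not show whether files below it are needed, which is why the recursive rule stays a manual addition.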