On 11.01.20 02:58, Scott Kitterman wrote:
> I gave this a try and I still get apparmor denials:
> 
> Jan 10 20:54:13 relay02 kernel: [ 1372.562938] audit: type=1400
> audit(1578707653.245:28): apparmor="DENIED" operation="open" profile="/usr/bin/
> quasselcore" name="/proc/sys/kernel/random/boot_id" pid=1588
> comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=116 ouid=0
> 
> Jan 10 20:54:13 relay02 kernel: [ 1372.562955] audit: type=1400
> audit(1578707653.245:29): apparmor="DENIED" operation="open" profile="/usr/bin/
> quasselcore" name="/var/lib/dbus/machine-id" pid=1588 comm="quasselcore"
> requested_mask="r" denied_mask="r" fsuid=116 ouid=0
> 
> Jan 10 20:54:13 relay02 kernel: [ 1372.576629] audit: type=1400
> audit(1578707653.257:30): apparmor="DENIED" operation="link" profile="/usr/bin/
> quasselcore" name="/var/lib/quassel/quasselcore.conf" pid=1588
> comm="quasselcore" requested_mask="l" denied_mask="l" fsuid=116 ouid=116
> target="/var/lib/quassel/#523668"
> 
> Suggestions?

Are you sure you have reloaded the AppArmor profile (apparmor_parser -r
/etc/apparmor.d/usr.bin.quasselcore)?
Maybe restart quasselcore if that still does not work.

I can't see how these denials can happen with the updated profile.

On 11.01.20 14:49, Thomas Schneider wrote:
> I agree on the change '/var/lib/quassel/** rwkl' (although AA convention
> seems to be 'rwkl', but that’s just cosmetic), but I would suggest
> adding '#include <abstractions/dbus-session-strict>' instead of
> specifying the IDs manually.

quasselcore doesn't use dbus. Qt just happens to read the dbus machine-id
file. The intent for the dbus-session-strict abstraction is "allow access to
the dbus session bus" so that's not appropriate for quasselcore.

> Said 'abstractions/dbus-session-strict' does not allow access to
> '@{PROC}/sys/kernel/random/boot_id', but I didn’t get any audit messages
> about that after including the abstraction.  I haven’t looked any
> further into it, but maybe it isn’t needed?

These files are only read when quasselcore updates its config which likely
doesn't happen very often.

Cheers,
Felix
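As an added example, not part of this thread nor of AppArmor's own tooling, here is a small parser for audit lines like the three quoted above. It aggregates the denied masks per profile and path and prints the file rules a profile would need, so one can check what is missing before reloading with apparmor_parser -r. Assumptions: the sample lines are the thread's denials unwrapped onto one line each, and a basename starting with '#' (the per-run temporary name in the link denial) is treated as unpredictable and generalized to a wildcard.

```python
import posixpath
import re
from collections import defaultdict

# Constructed sample input: the three denials from the thread, one per line.
DENIALS = [
    'audit: type=1400 audit(1578707653.245:28): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/quasselcore" name="/proc/sys/kernel/random/boot_id" pid=1588 '
    'comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=116 ouid=0',
    'audit: type=1400 audit(1578707653.245:29): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/quasselcore" name="/var/lib/dbus/machine-id" pid=1588 '
    'comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=116 ouid=0',
    'audit: type=1400 audit(1578707653.257:30): apparmor="DENIED" operation="link" '
    'profile="/usr/bin/quasselcore" name="/var/lib/quassel/quasselcore.conf" pid=1588 '
    'comm="quasselcore" requested_mask="l" denied_mask="l" fsuid=116 ouid=116 '
    'target="/var/lib/quassel/#523668"',
]

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')   # key="quoted" or key=bare
MASK_ORDER = "rwkl"                             # permission order used in the thread

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED line, else None."""
    fields = {k: (inner if whole.startswith('"') else whole)
              for k, whole, inner in FIELD.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def generalize(path):
    """Assumption: a '#123456'-style basename is a temporary name, so use a wildcard."""
    head, base = posixpath.split(path)
    return posixpath.join(head, "*") if base.startswith("#") else path

def suggest_rules(lines):
    """Map profile -> sorted list of file rules covering every denied mask.
    A hard link needs permission on both the new name and its target, so the
    link denial contributes both paths."""
    wanted = defaultdict(set)
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        paths = [d["name"]] + ([d["target"]] if d["operation"] == "link" and "target" in d else [])
        for p in paths:
            wanted[(d["profile"], generalize(p))].update(d["denied_mask"])
    rules = defaultdict(list)
    for (profile, path), mask in sorted(wanted.items()):
        ordered = "".join(m for m in MASK_ORDER if m in mask) + "".join(sorted(mask - set(MASK_ORDER)))
        rules[profile].append(f"{path} {ordered},")
    return dict(rules)

if __name__ == "__main__":
    for profile, rules in suggest_rules(DENIALS).items():
        print(f"# rules missing from profile {profile}")
        print("\n".join("  " + r for r in rules))
```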
