On Saturday, January 11, 2020 9:59:53 AM EST Felix Geyer wrote:
> On 11.01.20 02:58, Scott Kitterman wrote:
> > I gave this a try and I still get apparmor denials:
> >
> > Jan 10 20:54:13 relay02 kernel: [ 1372.562938] audit: type=1400 audit(1578707653.245:28): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/proc/sys/kernel/random/boot_id" pid=1588 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=116 ouid=0
> >
> > Jan 10 20:54:13 relay02 kernel: [ 1372.562955] audit: type=1400 audit(1578707653.245:29): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/var/lib/dbus/machine-id" pid=1588 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=116 ouid=0
> >
> > Jan 10 20:54:13 relay02 kernel: [ 1372.576629] audit: type=1400 audit(1578707653.257:30): apparmor="DENIED" operation="link" profile="/usr/bin/quasselcore" name="/var/lib/quassel/quasselcore.conf" pid=1588 comm="quasselcore" requested_mask="l" denied_mask="l" fsuid=116 ouid=116 target="/var/lib/quassel/#523668"
> >
> > Suggestions?
>
> Are you sure you have reloaded the AppArmor profile (apparmor_parser -r /etc/apparmor.d/usr.bin.quasselcore)?
> Maybe restart quasselcore if that still does not work.
>
> I can't see how these denials can happen with the updated profile.
That did it. I'd neglected to tell apparmor to load the updated profile.

> On 11.01.20 14:49, Thomas Schneider wrote:
> > I agree on the change '/var/lib/quassel/** rwkl' (although AA convention seems to be 'rwkl', but that’s just cosmetic), but I would suggest adding '#include <abstractions/dbus-session-strict>' instead of specifying the IDs manually.
>
> quasselcore doesn't use dbus. Qt just happens to read the dbus machine-id file. The intent for the dbus-session-strict abstraction is "allow access to the dbus session bus" so that's not appropriate for quasselcore.
>
> > Said 'abstractions/dbus-session-strict' does not allow access to '@{PROC}/sys/kernel/random/boot_id', but I didn’t get any audit messages about that after including the abstraction. I haven’t looked any further into it, but maybe it isn’t needed?
>
> These files are only read when quasselcore updates its config which likely doesn't happen very often.
>
> Cheers,
> Felix

Thanks. Now that I've successfully tested it, I'll upload.

Scott K
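An added example for triaging denials like the ones quoted above (not code from the thread or from the Quassel package): it parses the audit records, merges the denied masks into candidate profile rules, and flags paths that the on-disk profile already grants, which is the symptom of a profile edited but never reloaded with apparmor_parser -r. The profile excerpt, the sample log and the simplified glob handling (only `*` and `**`, no `@{PROC}` expansion) are assumptions made for the example.

```python
import re

# Constructed sample records in the shape of the audit lines quoted in the thread.
SAMPLE_LOG = """\
Jan 10 20:54:13 relay02 kernel: [ 1372.562938] audit: type=1400 audit(1578707653.245:28): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/proc/sys/kernel/random/boot_id" pid=1588 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=116 ouid=0
Jan 10 20:54:13 relay02 kernel: [ 1372.562955] audit: type=1400 audit(1578707653.245:29): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/var/lib/dbus/machine-id" pid=1588 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=116 ouid=0
Jan 10 20:54:13 relay02 kernel: [ 1372.576629] audit: type=1400 audit(1578707653.257:30): apparmor="DENIED" operation="link" profile="/usr/bin/quasselcore" name="/var/lib/quassel/quasselcore.conf" pid=1588 comm="quasselcore" requested_mask="l" denied_mask="l" fsuid=116 ouid=116 target="/var/lib/quassel/#523668"
"""

# Constructed excerpt of an on-disk profile that already grants two of the three accesses.
SAMPLE_PROFILE = """\
/usr/bin/quasselcore {
  /var/lib/dbus/machine-id r,
  /var/lib/quassel/** rwkl,
}
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')          # key="quoted" or key=bare
RULE_RE = re.compile(r'^\s*(?:owner\s+)?(/\S+)\s+([rwamklx]+),', re.M)  # file rules only
MASK_ORDER = "rwamklx"   # ordering choice for merged masks, not an AppArmor requirement

def parse_denials(log_text):
    """One dict of key=value fields per apparmor="DENIED" audit record."""
    return [{k: q or b for k, q, b in FIELD_RE.findall(line)}
            for line in log_text.splitlines() if 'apparmor="DENIED"' in line]

def glob_to_regex(path_glob):
    """AppArmor file globbing (simplified): '**' crosses '/', '*' does not."""
    parts = re.split(r"(\*\*|\*)", path_glob)
    rx = "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p) for p in parts)
    return re.compile("^" + rx + "$")

def triage(log_text, profile_text):
    """Map each denied path to (candidate rule, already_granted_on_disk).
    A path that is already granted on disk points at a stale loaded profile."""
    rules = [(glob_to_regex(g), set(m)) for g, m in RULE_RE.findall(profile_text)]
    needed = {}
    for d in parse_denials(log_text):
        needed.setdefault(d["name"], set()).update(d["denied_mask"])
    report = {}
    for path, mask in needed.items():
        covered = any(rx.match(path) and mask <= m for rx, m in rules)
        rule = f"{path} {''.join(c for c in MASK_ORDER if c in mask)},"
        report[path] = (rule, covered)
    return report
```

If every denied path comes back as already granted, the fix is to reload the profile (as in the thread), not to add more rules.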