[Bug 626451] Re: Google video chat plugin needs an apparmor abstraction

Mon, 27 Sep 2010 13:32:05 -0700 

@Jamie

I just noticed several lines like those below in /var/log/kern.log :

Sep 27 15:13:33 simon-laptop kernel: [25083.645117] type=1400 
audit(1285614813.028:89): apparmor="DENIED" operation="exec" parent=16043 
profile="/usr/lib/firefox-3.6.10/firefox-*bin" name="/usr/bin/lsb_release" 
pid=16044 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Sep 27 15:13:33 simon-laptop kernel: [25083.646496] type=1400 
audit(1285614813.028:90): apparmor="DENIED" operation="open" parent=1 
profile="/usr/lib/firefox-3.6.10/firefox-*bin" name="/proc/16009/net/route" 
pid=16009 comm="GoogleTalkPlugi" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=0

This only occurs when actually dialing so I was wrong to say that it
worked in comment #4. Please note that even with those warnings it is
possible to use the Google Talk plugin.

Here is the profile configuration I came up with that works well and
generates no AA log :

  /opt/google/talkplugin/*.so mr,
  /opt/google/talkplugin/lib/*.so mr,
  /opt/google/talkplugin/GoogleTalkPlugin ixr,
  /usr/bin/lsb_release Ux,
  @{PROC}/[0-9]*/net/route r,

I have also tried "ix" flags for lsb_release but it generated those
errors :

Sep 27 16:17:34 simon-laptop kernel: [28925.071870] type=1400 
audit(1285618654.458:123): apparmor="DENIED" operation="open" parent=18417 
profile="/usr/lib/firefox-3.6.10/firefox-*bin" 
name="/etc/python2.6/sitecustomize.py" pid=18418 comm="lsb_release" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 27 16:17:34 simon-laptop kernel: [28925.086222] type=1400 
audit(1285618654.468:124): apparmor="DENIED" operation="open" parent=18417 
profile="/usr/lib/firefox-3.6.10/firefox-*bin" name="/etc/lsb-release" 
pid=18418 comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=0
Sep 27 16:17:34 simon-laptop kernel: [28925.086782] type=1400 
audit(1285618654.468:125): apparmor="DENIED" operation="open" parent=18417 
profile="/usr/lib/firefox-3.6.10/firefox-*bin" name="/etc/debian_version" 
pid=18418 comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=0
Sep 27 16:17:34 simon-laptop kernel: [28925.088605] type=1400 
audit(1285618654.468:126): apparmor="DENIED" operation="exec" parent=18419 
profile="/usr/lib/firefox-3.6.10/firefox-*bin" name="/usr/bin/apt-cache" 
pid=18420 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

IMO, it's better to run lsb_release unconfined.

** Changed in: apparmor (Ubuntu)
       Status: Fix Released => Confirmed

-- 
Google video chat plugin needs an apparmor abstraction
https://bugs.launchpad.net/bugs/626451
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to