Public bug reported:

Binary package hint: apparmor

After adding a custom CA certificate to /usr/local/share/ca-certificates and
registering it using /usr/sbin/update-ca-certificates, daemons that have
been apparmor-ified (such as slapd) cannot access the custom CA
certificate.

Below is an example using slapd on lucid:

ubuntu@directory:~$ sudo service slapd start
Starting OpenLDAP: slapd - failed.
The operation failed but no output was produced. For hints on what went
wrong please refer to the system's logfiles (e.g. /var/log/syslog) or
try running the daemon in Debug mode like via "slapd -d 16383" (warning:
this will create copious output).

Below, you can find the command line options used by this script to 
run slapd. Do not forget to specify those options if you
want to look to debugging output:
  slapd -h 'ldap:/// ldapi:///' -g openldap -u openldap -F /etc/ldap/slapd.d/ 
ubuntu@directory:~$ tail -5 /var/log/syslog
Apr 20 15:40:52 ip-10-99-66-29 slapd[8070]: @(#) $OpenLDAP: slapd 2.4.21 (Mar 30 2011 16:20:36) $#012#011buildd@allspice:/build/buildd/openldap-2.4.21/debian/build/servers/slapd
Apr 20 15:40:52 ip-10-99-66-29 slapd[8070]: main: TLS init def ctx failed: -1
Apr 20 15:40:52 ip-10-99-66-29 slapd[8070]: slapd stopped.
Apr 20 15:40:52 ip-10-99-66-29 slapd[8070]: connections_destroy: nothing to destroy.
Apr 20 15:40:52 ip-10-99-66-29 kernel: [86245.846972] type=1503 audit(1303314052.426:36):  operation="open" pid=8070 parent=8064 profile="/usr/sbin/slapd" requested_mask="::r" denied_mask="::r" fsuid=106 ouid=0 name="/usr/local/share/ca-certificates/cacert.crt"
ubuntu@directory:~$ sudo aa-complain /usr/sbin/slapd
Setting /usr/sbin/slapd to complain mode.
ubuntu@directory:~$ sudo service slapd start
Starting OpenLDAP: slapd.
ubuntu@directory:~$ sudo ldapsearch -Y EXTERNAL -H ldapi:// -b cn=config olcTLSCACertificateFile 2>/dev/null | grep cacert
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
ubuntu@directory:~$ ls -l /etc/ssl/certs/cacert.pem
lrwxrwxrwx 1 root root 43 2011-04-19 20:42 /etc/ssl/certs/cacert.pem -> /usr/local/share/ca-certificates/cacert.crt


In the above, slapd does not start because it cannot access the CA cert in 
/usr/local/share/ca-certificates/cacert.crt, but it will start just fine if it 
is in complain mode.

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/767308

Title:
  Apparmor SSL abstraction does not allow read access to
  /usr/local/share/ca-certificates

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

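The denial above has a detail that is easy to miss: slapd is configured with /etc/ssl/certs/cacert.pem, but the audit line names /usr/local/share/ca-certificates/cacert.crt, because AppArmor mediates the path the symlink resolves to, not the path the daemon opened. The script below is an added example, not part of the bug report or of the apparmor package: it turns the kernel audit line (copied from the report as a constructed sample) into the file rule that would allow the access, resolves a configured CA path to the real target the way AppArmor sees it, and prints the two-line override for the whole local CA directory. The temp-directory layout in demo() is constructed to mirror the symlink shown in the report.

```shell
#!/bin/sh
# Added example (not from the bug report): derive the AppArmor rule a denial
# asks for, and show that the symlink target is what must be allowed.

# Constructed sample: the kernel audit line from the report, on one line.
SAMPLE_DENIAL='type=1503 audit(1303314052.426:36):  operation="open" pid=8070 parent=8064 profile="/usr/sbin/slapd" requested_mask="::r" denied_mask="::r" fsuid=106 ouid=0 name="/usr/local/share/ca-certificates/cacert.crt"'

# Print the value of key="..." from an audit line ($1 = line, $2 = key).
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# Turn a denial into a profile file rule, e.g.
#   /usr/local/share/ca-certificates/cacert.crt r,
# In this old log format the mask looks like "::r"; the permission letters
# are whatever follows the last ':'.
denial_to_rule() {
    path=$(audit_field "$1" name)
    mask=$(audit_field "$1" denied_mask)
    perms=${mask##*:}
    [ -n "$path" ] && [ -n "$perms" ] || return 1
    printf '%s %s,\n' "$path" "$perms"
}

# AppArmor checks the resolved path, so a rule for /etc/ssl/certs/x.pem does
# nothing if x.pem is a symlink into /usr/local/share/ca-certificates.
# Resolve the configured CA file and emit a read rule for the real target.
rule_for_configured_ca() {
    target=$(readlink -f "$1") || return 1
    [ -n "$target" ] || return 1
    printf '%s r,\n' "$target"
}

# Override covering the whole local CA directory, which is what the ssl
# abstraction lacks according to the report.
local_ca_rules() {
    cat <<'EOF'
  /usr/local/share/ca-certificates/ r,
  /usr/local/share/ca-certificates/** r,
EOF
}

# Stand-alone demo: rebuild the symlink layout from the report in a temp dir.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/local/share/ca-certificates" "$tmp/etc/ssl/certs"
    : > "$tmp/usr/local/share/ca-certificates/cacert.crt"
    ln -s "$tmp/usr/local/share/ca-certificates/cacert.crt" "$tmp/etc/ssl/certs/cacert.pem"
    echo "rule from denial:  $(denial_to_rule "$SAMPLE_DENIAL")"
    echo "rule from config:  $(rule_for_configured_ca "$tmp/etc/ssl/certs/cacert.pem")"
    echo "directory override:"
    local_ca_rules
    rm -rf "$tmp"
}

demo
```

To apply the output on a real system, append the rules to the slapd profile (or to the local override file if the profile #includes one), reload it with apparmor_parser -r /etc/apparmor.d/usr.sbin.slapd, and put the profile back with aa-enforce /usr/sbin/slapd rather than leaving it in complain mode as the report does for its test.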