Bug#704680: tlsdate: AppArmor profile does not support multiarch library locations => tlsdated does not start

Thu, 31 Oct 2013 03:51:49 -0700 

intrig...@debian.org:
> Package: tlsdate
> Version: 0.0.5-2
> Severity: important
> 
> Hi,
> 
> I'm starting tlsdate with "sudo service tlsdate start" on a Wheezy
> amd64 system with AppArmor enabled, and:
> 
> 1. tlsdated does not start, hence the >>normal severity.
> 2. my syslog reads:
>    kernel: [21040.419293] type=1400 audit(1365081871.989:61):
>    apparmor="DENIED" operation="open" parent=1
>    profile="/usr/bin/tlsdated"
>    name="/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0" pid=6341
>    comm="tlsdated" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> 
> It does not look entirely scandalous that tlsdated wants to load
> libcrypto from this location, given:
> 
> $ ldd /usr/bin/tlsdated | grep libcrypto
>       libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 
> (0x00007f743b798000)
> 

I've updated the AppArmor profile to include /usr/lib/x86_64-linux-gnu/
in git commit 7976210871063f98d001221a7eac6901dfd47f81. This will go
into the next tlsdate release.

> Having a look at /etc/apparmor.d/usr.bin.tlsdate, it's obvious why.
> Most profiles in there have lines such as:
> 
>   # Allow mapping of shared libraries
>   /lib/* rm,
>   /lib32/* rm,
>   /lib64/* rm,
>   /usr/lib/* rm,
>   /lib/x86_64-linux-gnu/* rm,
> 
> (with variations on this theme, some have /usr/local/lib/* too, some
> haven't, but I digress :)

I've added this to each stanza:

/usr/lib/x86_64-linux-gnu/* rm,

> 
> Unfortunately, this does not support multiarch library directories.
> 
> I suggest using the @{multiarch} profile variable, as most other
> profiles I have installed do, instead of trying to do it by hand.
> 
> See e.g. /etc/apparmor.d/abstractions/base for nice examples of how
> one may easily support all architectures that Debian supports :)
> 

I'd be interested in researching this a bit later - how does this fail?

> I suspect that /usr/bin/tlsdate-helper will need access to
> /usr/lib/@{multiarch}/* too, for the same reason.
> 
> (To end with, and digressing again, it looks like the few profiles
> that are in usr.bin.tlsdate could benefit from some factorization into
> abstractions/, possibly even using existing abstractions if they're
> not to wide for your taste. Shall I file a wishlist bug about it?)
> 

Ideally, I'd prefer a patch. :)


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Reply via email to