Package: apparmor-profiles-extra
Version: 1.33
Severity: serious
Tags: patch

Hi,

see attachment; your config doesn't allow link calls, which sporadically breaks operation of apt-cacher-ng in unexpected ways.

The suggested change should probably be improved, I am no apparmor expert.

[ 1451.927739] audit: type=1400 audit(1622048089.493:85): apparmor="ALLOWED" operation="link" profile="apt-cacher-ng" name="/var/cache/apt-cacher-ng/debrep/dists/unstable/InRelease.1622048089" pid=36785 comm="apt-cacher-ng" requested_mask="l" denied_mask="l" fsuid=121 ouid=121 target="/var/cache/apt-cacher-ng/debrep/dists/unstable/InRelease"

Eduard.

-- System Information:
Debian Release: 11.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.12.0+ (SMP w/12 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apparmor-profiles-extra depends on:
ii  apparmor  2.13.6-10

apparmor-profiles-extra recommends no packages.

apparmor-profiles-extra suggests no packages.

-- Configuration Files:
/etc/apparmor.d/usr.sbin.apt-cacher-ng changed:
@{APT_CACHER_NG_CACHE_DIR}=/var/cache/apt-cacher-ng
profile apt-cacher-ng /usr/sbin/apt-cacher-ng {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/user-tmp>
  /etc/apt-cacher-ng/ r,
  /etc/apt-cacher-ng/** r,
  /etc/hosts.{deny,allow} r,
  /usr/sbin/apt-cacher-ng mr,
  /var/lib/apt-cacher-ng/** r,
  /{,var/}run/apt-cacher-ng/* rw,
  @{APT_CACHER_NG_CACHE_DIR}/ r,
  @{APT_CACHER_NG_CACHE_DIR}/** rwl,
  /var/log/apt-cacher-ng/ r,
  /var/log/apt-cacher-ng/* rw,
  /{,var/}run/systemd/notify w,
  /{usr/,}bin/dash ixr,
  /{usr/,}bin/ed ixr,
  /{usr/,}bin/red ixr,
  /{usr/,}bin/sed ixr,
  /usr/lib/apt-cacher-ng/acngtool ixr,
  # Allow serving local documentation
  /etc/mime.types r,
  /usr/share/doc/apt-cacher-ng/html/** r,
  # used by libevent
  @{PROC}/sys/kernel/random/uuid r,
  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.apt-cacher-ng>
}

-- no debconf information

From 5eeca40ec3c93dc0d91ce3db0d9f652310087a12 Mon Sep 17 00:00:00 2001 From: Eduard Bloch <bl...@debian.org> Date: Fri, 28 May 2021 07:11:52 +0200 Subject: [PATCH] Stop breaking latest apt-cacher-ng by blocking link operations --- profiles/usr.sbin.apt-cacher-ng | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/profiles/usr.sbin.apt-cacher-ng b/profiles/usr.sbin.apt-cacher-ng index 6d2f5ff..c24c2c5 100644 --- a/profiles/usr.sbin.apt-cacher-ng +++ b/profiles/usr.sbin.apt-cacher-ng @@ -18,7 +18,7 @@ profile apt-cacher-ng /usr/sbin/apt-cacher-ng { /var/lib/apt-cacher-ng/** r, /{,var/}run/apt-cacher-ng/* rw, @{APT_CACHER_NG_CACHE_DIR}/ r, - @{APT_CACHER_NG_CACHE_DIR}/** rw, + @{APT_CACHER_NG_CACHE_DIR}/** rwl, /var/log/apt-cacher-ng/ r, /var/log/apt-cacher-ng/* rw, /{,var/}run/systemd/notify w, -- 2.32.0.rc0
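Review bot: The `l` added in `@{APT_CACHER_NG_CACHE_DIR}/** rwl,` grants hard-link creation on every path under the cache directory, while the audit record in the report shows a single case: a link named InRelease.1622048089 pointing at InRelease in the same directory, with matching fsuid and ouid. Consider whether an explicit link rule that names both sides, for example `link @{APT_CACHER_NG_CACHE_DIR}/** -> @{APT_CACHER_NG_CACHE_DIR}/**,`, would state the intent more exactly by tying the link target to the cache tree as well. The commit message would also benefit from quoting the operation="link" audit line, so the reason for the extra permission is recorded with the change.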