[apparmor] [Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
So, I think it's time to define targets: precise, quantal etc.

--
You received this bug notification because you are a member of AppArmor Developers, which is the registrant for AppArmor Profiles.
https://bugs.launchpad.net/bugs/933440

Title:
  AppArmor profile (in enforce mode) breaks skype

Status in AppArmor Profiles: Confirmed
Status in “apparmor” package in Ubuntu: Confirmed

Bug description:
  When usr.bin.skype profile from apparmor-profiles package is enabled skype is unable to start.

  I use Ubuntu 11.04 i386

  apt-cache policy apparmor-profiles
  apparmor-profiles:
    Installed: 2.6.1-0ubuntu3
    Candidate: 2.6.1-0ubuntu3
    Version table:
    *** 2.6.1-0ubuntu3 0
        500 http://de.archive.ubuntu.com/ubuntu/ natty/universe i386 Packages
        100 /var/lib/dpkg/status

  apt-cache policy skype
  skype:
    Installed: 2.2.0.35-0natty1
    Candidate: 2.2.0.35-0natty1
    Version table:
    *** 2.2.0.35-0natty1 0
        500 http://archive.canonical.com/ubuntu/ natty/partner i386 Packages
        100 /var/lib/dpkg/status

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor-profiles/+bug/933440/+subscriptions

--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
[apparmor] [Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
No :)

I started testing the skype profile on Precise and it's not perfect yet.

First of all we need to add the following line:

owner /run/shm/pulse-shm* m,

Then there are some problems with fontconfig:

May 8 15:01:52 ithink kernel: [10344.456841] type=1400 audit(1336482112.881:285): apparmor=STATUS operation=profile_replace name=/usr/bin/skype pid=14167 comm=apparmor_parser
May 8 15:02:19 ithink kernel: [10371.245558] type=1400 audit(1336482139.669:286): apparmor=DENIED operation=chmod parent=14378 profile=/usr/bin/skype name=/var/cache/fontconfig/ pid=14483 comm=skype requested_mask=w denied_mask=w fsuid=1000 ouid=0
May 8 15:02:19 ithink kernel: [10371.245615] type=1400 audit(1336482139.669:287): apparmor=DENIED operation=mknod parent=14378 profile=/usr/bin/skype name=/home/ifred/.fontconfig/3830d5c3ddfd5cd38a049b759396e72e-le32d4.cache-3.TMP-L2czW8 pid=14483 comm=skype requested_mask=c denied_mask=c fsuid=1000 ouid=1000
May 8 15:02:19 ithink kernel: [10371.245733] type=1400 audit(1336482139.669:288): apparmor=DENIED operation=chmod parent=14378 profile=/usr/bin/skype name=/var/cache/fontconfig/ pid=14483 comm=skype requested_mask=w denied_mask=w fsuid=1000 ouid=0
May 8 15:02:19 ithink kernel: [10371.245761] type=1400 audit(1336482139.669:289): apparmor=DENIED operation=mknod parent=14378 profile=/usr/bin/skype name=/home/ifred/.fontconfig/4c599c202bc5c08e2d34565a40eac3b2-le32d4.cache-3.TMP-RndeFm pid=14483 comm=skype requested_mask=c denied_mask=c fsuid=1000 ouid=1000
May 8 15:02:19 ithink kernel: [10371.245898] type=1400 audit(1336482139.669:290): apparmor=DENIED operation=chmod parent=14378 profile=/usr/bin/skype name=/var/cache/fontconfig/ pid=14483 comm=skype requested_mask=w denied_mask=w fsuid=1000 ouid=0
May 8 15:02:19 ithink kernel: [10371.245926] type=1400 audit(1336482139.669:291): apparmor=DENIED operation=mknod parent=14378 profile=/usr/bin/skype name=/home/ifred/.fontconfig/c855463f699352c367813e37f3f70ea7-le32d4.cache-3.TMP-4xjUnA pid=14483 comm=skype requested_mask=c denied_mask=c fsuid=1000 ouid=1000
May 8 15:02:19 ithink kernel: [10371.246046] type=1400 audit(1336482139.669:292): apparmor=DENIED operation=chmod parent=14378 profile=/usr/bin/skype name=/var/cache/fontconfig/ pid=14483 comm=skype requested_mask=w denied_mask=w fsuid=1000 ouid=0
May 8 15:02:19 ithink kernel: [10371.246074] type=1400 audit(1336482139.669:293): apparmor=DENIED operation=mknod parent=14378 profile=/usr/bin/skype name=/home/ifred/.fontconfig/57e423e26b20ab21d0f2f29c145174c3-le32d4.cache-3.TMP-8muB6N pid=14483 comm=skype requested_mask=c denied_mask=c fsuid=1000 ouid=1000
May 8 15:02:19 ithink kernel: [10371.246186] type=1400 audit(1336482139.669:294): apparmor=DENIED operation=chmod parent=14378 profile=/usr/bin/skype name=/var/cache/fontconfig/ pid=14483 comm=skype requested_mask=w denied_mask=w fsuid=1000 ouid=0
May 8 15:02:25 ithink kernel: [10376.885225] audit_printk_skb: 216 callbacks suppressed
May 8 15:02:25 ithink kernel: [10376.885230] type=1400 audit(1336482145.309:367): apparmor=DENIED operation=open parent=14378 profile=/usr/bin/skype name=/home/ifred/.mozilla/ pid=14501 comm=skype requested_mask=r denied_mask=r fsuid=1000 ouid=1000
May 8 15:02:26 ithink kernel: [10377.625972] type=1400 audit(1336482146.049:368): apparmor=DENIED operation=open parent=14378 profile=/usr/bin/skype name=/lib/ pid=14483 comm=skype requested_mask=r denied_mask=r fsuid=1000 ouid=0
May 8 15:02:26 ithink kernel: [10377.626032] type=1400 audit(1336482146.049:369): apparmor=DENIED operation=open parent=14378 profile=/usr/bin/skype name=/usr/lib/ pid=14483 comm=skype requested_mask=r denied_mask=r fsuid=1000 ouid=0
May 8 15:02:26 ithink kernel: [10377.626070] type=1400 audit(1336482146.049:370): apparmor=DENIED operation=open parent=14378 profile=/usr/bin/skype name=/usr/local/lib/ pid=14483 comm=skype requested_mask=r denied_mask=r fsuid=1000 ouid=0

Any suggestions?
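Added example, not part of the original message and not code from the AppArmor tools: a small triage script that groups `apparmor=DENIED` records like the ones quoted above into one candidate profile line per distinct denial, so repeated fontconfig denials collapse into a short review list. The function names, the sample records and the rule that collapses 32-hex-digit fontconfig cache file names to `*` are assumptions made for this illustration.

```python
import re
from collections import Counter

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# In log masks, c (create) and d (delete) are granted by w in a profile rule.
MASK_TO_PERM = {"c": "w", "d": "w"}
# Assumption: fontconfig cache entries are named "<32 hex digits>-<arch>.cache-N...".
CACHE_FILE = re.compile(r"/[0-9a-f]{32}-[^/]+$")

def parse_denials(text):
    """Yield the key=value fields of every apparmor=DENIED record."""
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED" and "name" in fields:
            yield fields

def summarize(text):
    """Count denials per (profile, owner-only, generalised path, permissions)."""
    counts = Counter()
    for f in parse_denials(text):
        perms = "".join(sorted({MASK_TO_PERM.get(c, c) for c in f["denied_mask"]}))
        owner = f.get("fsuid") == f.get("ouid")  # the process owns the object
        path = CACHE_FILE.sub("/*", f["name"])
        counts[(f["profile"], owner, path, perms)] += 1
    return counts

def candidate_rules(counts):
    """One profile-syntax line per distinct denial, for a reviewer to accept or drop."""
    return [f"{'owner ' if owner else ''}{path} {perms},  # {profile}: denied {n}x"
            for (profile, owner, path, perms), n in sorted(counts.items())]

def _rec(op, name, mask, ouid):
    # Constructed sample record in the format of the kernel lines quoted above.
    return ("May  8 15:02:19 host kernel: [1.0] type=1400 audit(1.0:1): "
            f"apparmor=DENIED operation={op} parent=1 profile=/usr/bin/skype "
            f"name={name} pid=2 comm=skype requested_mask={mask} "
            f"denied_mask={mask} fsuid=1000 ouid={ouid}")

SAMPLE_LOG = "\n".join([
    "May  8 15:01:52 host kernel: [0.9] type=1400 audit(0.9:0): apparmor=STATUS "
    "operation=profile_replace name=/usr/bin/skype pid=1 comm=apparmor_parser",
    _rec("chmod", "/var/cache/fontconfig/", "w", 0),
    _rec("mknod", "/home/user/.fontconfig/" + "a" * 32 + "-le32d4.cache-3.TMP-AAAAAA", "c", 1000),
    _rec("chmod", "/var/cache/fontconfig/", "w", 0),
    _rec("mknod", "/home/user/.fontconfig/" + "b" * 32 + "-le32d4.cache-3.TMP-BBBBBB", "c", 1000),
    _rec("open", "/usr/lib/", "r", 0),
])

if __name__ == "__main__":
    print("\n".join(candidate_rules(summarize(SAMPLE_LOG))))
```

Each output line is a candidate for review, not a rule to apply as-is: a denial can equally be left in place or turned into an explicit deny rule so that it stops filling the log.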
** Tags added: natty
[apparmor] [patch] techdoc.pdf improvements
Hello,

the attached patch contains various changes in building techdoc.tex:
- make table of contents, footnotes etc. clickable hyperlinks
- use timestamp of techdoc.tex (instead of build time) as creationdate in the PDF metadata
- don't include build date on first page of the PDF
- make clean:
  - delete techdoc.out (created by pdftex)
  - fix deletion of techdoc.txt (was techdo_r_.txt)

The initial target was to get reproducible PDF builds (therefore the timestamp-related changes), the other things came up during discussing this patch with David Haller.

The only remaining difference in the PDF from build to build is the /ID line. This line can't be controlled in pdflatex and is now filtered out by build-compare in the openSUSE build service (bnc#760867).

Credits go to David Haller for writing large parts of this patch (but he didn't notice the techdo_r_.txt ;-)

Signed-Off-By: Christian Boltz appar...@cboltz.de


And now let me explain why bzr blame is named bzr _blame_ ;-))

# bzr blame parser/Makefile |grep techdor
1522 kees.co | 60 rm -rf techdoc.aux techdoc.log techdoc.pdf techdoc.toc techdor.txt techdoc/

# bzr log -r1522
revno: 1522
committer: Kees Cook kees.c...@canonical.com
branch nick: master
timestamp: Wed 2010-11-03 17:04:43 -0700
message:
  This patch cleans up the testsuite output harder, and removes a bashism in another clean target.

Kees, looks like removing bashisms is a bad idea *g,dr* (and I wonder nobody noticed the not-deleted techdoc.txt in bzr st output since November 2010...)

Regards,

Christian Boltz

PS: Non-random sig ;-)
--
[PDF] Fixed a tpyo -- how could we have overlooked this until now ;)
- xsl:if test=position()=1Schüsselworte: /xsl:if + xsl:if test=position()=1Schlüsselworte: /xsl:if
[David Haller in suse-linux-faq]

Various changes in building techdoc.tex:
- make table of contents, footnotes etc.
clickable hyperlinks - use timestamp of techdoc.tex (instead of build time) as creationdate in the PDF metadata - don't include build date on first page of the PDF - make clean: - delete techdoc.out (created by pdftex) - fix deletion of techdoc.txt (was techdo_r_.txt) The initial target was to get reproduceable PDF builds (therefore the timestamp-related changes), the other things came up during discussing this patch with David Haller. The only remaining difference in the PDF from build to build is the /ID line. This line can't be controlled in pdflatex and is now filtered out by build-compare in the openSUSE build service (bnc#760867). Credits go to David Haller for writing large parts of this patch (but he didn't notice the techdo_r_.txt ;-) Signed-Off-By: Christian Boltz appar...@cboltz.de === modified file 'parser/Makefile' --- parser/Makefile 2012-03-22 20:19:27 + +++ parser/Makefile 2012-05-08 18:40:10 + @@ -118,7 +118,8 @@ $(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES=${SRCS} ${HDRS} techdoc.pdf: techdoc.tex - while pdflatex $ ${BUILD_OUTPUT} || exit 1 ; \ + timestamp=$(shell date +%Y%m%d%H%M%S+02'00' -r $ );\ + while pdflatex \def\fixedpdfdate{$$timestamp}\input $ ${BUILD_OUTPUT} || exit 1 ; \ grep -q Label(s) may have changed techdoc.log; \ do :; done @@ -302,7 +303,7 @@ rm -f $(NAME)*.tar.gz $(NAME)*.tgz rm -f af_names.h rm -f cap_names.h - rm -rf techdoc.aux techdoc.log techdoc.pdf techdoc.toc techdor.txt techdoc/ + rm -rf techdoc.aux techdoc.out techdoc.log techdoc.pdf techdoc.toc techdoc.txt techdoc/ $(MAKE) -s -C $(AAREDIR) clean $(MAKE) -s -C po clean $(MAKE) -s -C tst clean === modified file 'parser/techdoc.tex' --- parser/techdoc.tex 2011-02-09 22:29:05 + +++ parser/techdoc.tex 2012-05-08 18:55:56 + 
@@ -5,6 +5,17 @@ \usepackage{url} %\usepackage{times} +\usepackage[pdftex, + pdfauthor={Andreas Gruenbacher and Seth Arnold}, + pdftitle={AppArmor Technical Documentation},% +\ifx\fixedpdfdate\@empty\else + pdfcreationdate={\fixedpdfdate}, + pdfmoddate={\fixedpdfdate}, +\fi + pdfsubject={AppArmor}, + pdfkeywords={AppArmor} +]{hyperref} + \hyphenation{App-Armor} \hyphenation{name-space} @@ -14,7 +25,8 @@ \author{Andreas Gruenbacher and Seth Arnold \\ \url{{agruen,seth.arnold}@suse.de} \\ SUSE Labs / Novell} -%\date{} +% don't include the (build!) date +\date{} \begin{document} -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
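Review bot: In the techdoc.pdf rule of parser/Makefile, the `+02'00'` offset is hard-coded into the `date` format string while `date -r` prints the file's modification time in the build host's local time zone, so the digits and the stated offset only agree on a host running at UTC+2, and hosts in other zones will embed different creation dates for the same techdoc.tex. Since the stated goal is a reproducible PDF, format the timestamp in UTC (for example by adding `-u` to the `date` call) and emit the matching UTC designator instead of `+02'00'`, so the value depends only on the file's timestamp.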
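Review bot: In the first parser/techdoc.tex hunk, `\ifx\fixedpdfdate\@empty` tests for an empty macro, but nothing in the visible lines defines `\fixedpdfdate` when the file is compiled without the Makefile's `\def\fixedpdfdate{...}`, and `\@empty` is only read as a single control sequence under `\makeatletter`, which the context lines do not show. With `\fixedpdfdate` undefined the comparison is false, so the `\else` branch runs and passes the undefined macro to `pdfcreationdate={\fixedpdfdate}`. Suggest a `\providecommand{\fixedpdfdate}{}` before the `\usepackage[...]{hyperref}` and wrapping the test in `\makeatletter` / `\makeatother`, so that a plain `pdflatex techdoc.tex` still builds.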
Re: [apparmor] [patch] techdoc.pdf improvements
Hi Christian,

On Tue, May 08, 2012 at 09:59:11PM +0200, Christian Boltz wrote:
> - make table of contents, footnotes etc. clickable hyperlinks

Nice!

> - use timestamp of techdoc.tex (instead of build time) as creationdate in the PDF metadata
> - don't include build date on first page of the PDF

Oh good -- this had been bothering me.

> - make clean:
>   - delete techdoc.out (created by pdftex)
>   - fix deletion of techdoc.txt (was techdo_r_.txt)

Hah, whoops.

> The initial target was to get reproducible PDF builds (therefore the timestamp-related changes), the other things came up during discussing this patch with David Haller.
>
> The only remaining difference in the PDF from build to build is the /ID line. This line can't be controlled in pdflatex and is now filtered out by build-compare in the openSUSE build service (bnc#760867).
>
> Credits go to David Haller for writing large parts of this patch (but he didn't notice the techdo_r_.txt ;-)

Looks like our pdflatex outputs differ. On Debian/Ubuntu, there's no techdoc.txt generated:

-rw-rw-r-- 1 kees kees 3542 May 8 14:41 techdoc.aux
-rw-rw-r-- 1 kees kees 2200 May 8 14:41 techdoc.toc
-rw-rw-r-- 1 kees kees 246153 May 8 14:41 techdoc.pdf
-rw-rw-r-- 1 kees kees 14265 May 8 14:41 techdoc.log

> Signed-Off-By: Christian Boltz appar...@cboltz.de

Acked-by: Kees Cook k...@ubuntu.com

--
Kees Cook
Re: [apparmor] [patch] techdoc.pdf improvements
Hello,

On Tuesday, 8 May 2012, Kees Cook wrote:
> On Tue, May 08, 2012 at 09:59:11PM +0200, Christian Boltz wrote:
> > - don't include build date on first page of the PDF
>
> Oh good -- this had been bothering me.

I was thinking about inserting the correct date, but that would have looked too bad. bzr log tells me something about April 2007, but at this time the file was moved to the apparmor-parser package. The last real edit might be even older...

It would be nice to have techdoc.tex updated, but that's another story ;-)

> > - make clean:
> >   - delete techdoc.out (created by pdftex)
> >   - fix deletion of techdoc.txt (was techdo_r_.txt)
>
> Hah, whoops.

Indeed.

> > (but he didn't notice the techdo_r_.txt ;-)
>
> Looks like our pdflatex outputs differ. On Debian/Ubuntu, there's no techdoc.txt generated:

It's not included in the default target. You have to explicitly run

make techdoc.txt

This will also generate the PDF and HTML version because it depends on them.

Your response also leads to another question: should we change the Makefile so that techdoc.* is built when just calling make?

Basically this would mean for parser/Makefile: (pseudo-patch)

-all: +all: techdoc.txt

Otherwise we have to change README because it says

    For more information, you can read the techdoc.pdf (available after building the parser) and by visiting the http://apparmor.net/ web site.

;-)

Regards,

Christian Boltz
--
Feel free to correct me. You asked for it ;-) J, give it to me! ;-)
[Christian Boltz and Johannes Kastl in suse-linux]
Re: [apparmor] [patch] techdoc.pdf improvements
On 05/08/2012 03:56 PM, Christian Boltz wrote:
> Hello,
>
> On Tuesday, 8 May 2012, Kees Cook wrote:
> > On Tue, May 08, 2012 at 09:59:11PM +0200, Christian Boltz wrote:
> > > - don't include build date on first page of the PDF
> >
> > Oh good -- this had been bothering me.
>
> I was thinking about inserting the correct date, but that would have looked too bad. bzr log tells me something about April 2007, but at this time the file was moved to the apparmor-parser package. The last real edit might be even older...
>
> It would be nice to have techdoc.tex updated, but that's another story ;-)

Well, I don't know about a .tex, but I have been working on several white papers and expect that we will make an effort to update the techdoc off of it.