Re: [apparmor] Thunderbird profile / gpg2 / revocation certificate from wizard cannot be created

2016-07-26 Thread u
Hi!

Oh sorry for the ping.. you answered quite some time ago and I missed
that somehow :/

Let me try if it works and report back to you.

Cheers!
u.

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor


Re: [apparmor] Thunderbird profile / gpg2 / revocation certificate from wizard cannot be created

2016-07-26 Thread u
Hello!

Any news on this issue?

Should I propose that patch via Git instead?

Cheers!

u:
> Hi!
> 
> Simon Déziel:
>> On 2016-04-18 04:36 PM, Seth Arnold wrote:
>> The web view doesn't make it very easy to spot but those rules apply
>> only to the _subprofile_ gpg2.
> 
> I've tested the profile at revision 169 in Debian and Tails using the
> Enigmail account wizard. This wizard, supposed to make it easier for
> users to create GPG keys, imposes the creation of a revocation
> certificate. This certificate is supposed to be saved to Thunderbird's
> profile in $HOME/.thunderbird/$profile but that fails and thus the key
> creation seems not to be finalized (actually the keys are created
> correctly but the user gets an error about the revocation cert not being
> able to be created):
> 
> [16449.351352] audit: type=1400 audit(1467057664.224:36):
> apparmor="DENIED" operation="mknod" profile="icedove//gpg2"
> name="/home/amnesia/.icedove/profile.default/0xA546D1BB6B894CA3_rev.asc"
> pid=6028 comm="gpg2" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
> 
> (In my test profile, all "thunderbird"s are called "icedove", so that's
> not the problem here.)
> 
> A solution which seems to work is to add a line to the subprofile for gpg2:
> 
>   # for enigmail's wizard revocation certificate creation
>   owner @{HOME}/.thunderbird/*.default/*_rev.asc rw,
> 
> Could you verify this is correct and add that line please?
> (I'll propose patches once this is switched to Git, if I may :))
> 
> Thanks for working on this profile!
> 
> Cheers,
> u.
> 



Re: [apparmor] Thunderbird profile / gpg2 / revocation certificate from wizard cannot be created

2016-06-28 Thread Simon Deziel
Hi u,

On 2016-06-27 04:57 PM, u wrote:
> Hi!
> 
> Simon Déziel:
>> On 2016-04-18 04:36 PM, Seth Arnold wrote:
>> The web view doesn't make it very easy to spot but those rules apply
>> only to the _subprofile_ gpg2.
> 
> I've tested the profile at revision 169 in Debian and Tails using the
> Enigmail account wizard. This wizard, supposed to make it easier for
> users to create GPG keys, imposes the creation of a revocation
> certificate. This certificate is supposed to be saved to Thunderbird's
> profile in $HOME/.thunderbird/$profile but that fails and thus the key
> creation seems not to be finalized (actually the keys are created
> correctly but the user gets an error about the revocation cert not being
> able to be created):
> 
> [16449.351352] audit: type=1400 audit(1467057664.224:36):
> apparmor="DENIED" operation="mknod" profile="icedove//gpg2"
> name="/home/amnesia/.icedove/profile.default/0xA546D1BB6B894CA3_rev.asc"
> pid=6028 comm="gpg2" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

I'm surprised it's not using ~/.gnupg/. Maybe it's saving a copy in the
corresponding Thunderbird profile dir.

> (In my test profile, all "thunderbird"s are called "icedove", so that's
> not the problem here.)
> 
> A solution which seems to work is to add a line to the subprofile for gpg2:
> 
>   # for enigmail's wizard revocation certificate creation
>   owner @{HOME}/.thunderbird/*.default/*_rev.asc rw,

You can have more than 1 profile so I'd propose that:

  owner @{HOME}/.thunderbird/*/0x*_rev.asc rw,

Untested as I'm too impatient to wait for the key pair generation to
complete :)

Regards,
Simon
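
The two rules proposed in this thread, checked against the quoted denial; this is an added example, not part of any message in the thread and not the profile's own code. It assumes `@{HOME}` expands to `/home/*`, applies the thunderbird-to-icedove rename mentioned in the report, handles only the `*`, `**` and `?` globs, and uses a constructed second profile directory for the extra case.

```python
import re

# Denial record quoted in the thread, joined onto one line.
AUDIT_LINE = (
    'audit: type=1400 audit(1467057664.224:36): apparmor="DENIED" '
    'operation="mknod" profile="icedove//gpg2" '
    'name="/home/amnesia/.icedove/profile.default/0xA546D1BB6B894CA3_rev.asc" '
    'pid=6028 comm="gpg2" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000'
)
RULE_U = "owner @{HOME}/.thunderbird/*.default/*_rev.asc rw,"
RULE_SIMON = "owner @{HOME}/.thunderbird/*/0x*_rev.asc rw,"

def parse_denial(line):
    """Return the key=value fields of an AppArmor audit record as a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def glob_to_regex(glob):
    """Translate AppArmor path globs: * and ? stop at '/', ** crosses it."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif glob[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile(out)

def rule_allows(rule, denial, dirname=".icedove"):
    """True if `rule` would permit the access recorded in `denial`."""
    words = rule.rstrip(",").split()
    path_glob, perms = words[-2], words[-1]
    # Assumptions: @{HOME} simplified to /home/*; `dirname` applies the
    # "thunderbird" -> "icedove" rename of the reporter's test profile.
    path_glob = path_glob.replace("@{HOME}", "/home/*").replace(".thunderbird", dirname)
    if words[0] == "owner" and denial["fsuid"] != denial["ouid"]:
        return False
    # A denied "c" (create) is granted by the "w" permission of a file rule.
    needed = {"w" if m == "c" else m for m in denial["denied_mask"]}
    return needed <= set(perms) and bool(glob_to_regex(path_glob).fullmatch(denial["name"]))

if __name__ == "__main__":
    d = parse_denial(AUDIT_LINE)
    # Constructed variant: same key file in a second, differently named profile dir.
    other = dict(d, name="/home/amnesia/.icedove/abcd1234.work/0xA546D1BB6B894CA3_rev.asc")
    for label, rule in (("u", RULE_U), ("Simon", RULE_SIMON)):
        print(label, rule_allows(rule, d), rule_allows(rule, other))
```

Both rules cover the logged path; only the second also covers a profile directory that does not end in `.default`, and it is the narrower of the two on the file name because of the `0x` prefix.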





[apparmor] Thunderbird profile / gpg2 / revocation certificate from wizard cannot be created

2016-06-27 Thread u
Hi!

Simon Déziel:
> On 2016-04-18 04:36 PM, Seth Arnold wrote:
> The web view doesn't make it very easy to spot but those rules apply
> only to the _subprofile_ gpg2.

I've tested the profile at revision 169 in Debian and Tails using the
Enigmail account wizard. This wizard, supposed to make it easier for
users to create GPG keys, imposes the creation of a revocation
certificate. This certificate is supposed to be saved to Thunderbird's
profile in $HOME/.thunderbird/$profile but that fails and thus the key
creation seems not to be finalized (actually the keys are created
correctly but the user gets an error about the revocation cert not being
able to be created):

[16449.351352] audit: type=1400 audit(1467057664.224:36):
apparmor="DENIED" operation="mknod" profile="icedove//gpg2"
name="/home/amnesia/.icedove/profile.default/0xA546D1BB6B894CA3_rev.asc"
pid=6028 comm="gpg2" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

(In my test profile, all "thunderbird"s are called "icedove", so that's
not the problem here.)

A solution which seems to work is to add a line to the subprofile for gpg2:

  # for enigmail's wizard revocation certificate creation
  owner @{HOME}/.thunderbird/*.default/*_rev.asc rw,

Could you verify this is correct and add that line please?
(I'll propose patches once this is switched to Git, if I may :))

Thanks for working on this profile!

Cheers,
u.
