Bug#704680: tlsdate: AppArmor profile does not support multiarch library locations = tlsdated does not start
intrig...@debian.org: Package: tlsdate Version: 0.0.5-2 Severity: important Hi, I'm starting tlsdate with sudo service tlsdate start on a Wheezy amd64 system with AppArmor enabled, and: 1. tlsdated does not start, hence the normal severity. 2. my syslog reads: kernel: [21040.419293] type=1400 audit(1365081871.989:61): apparmor=DENIED operation=open parent=1 profile=/usr/bin/tlsdated name=/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 pid=6341 comm=tlsdated requested_mask=r denied_mask=r fsuid=0 ouid=0 It does not look entirely scandalous that tlsdated wants to load libcrypto from this location, given: $ ldd /usr/bin/tlsdated | grep libcrypto libcrypto.so.1.0.0 = /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x7f743b798000) I've updated the AppArmor profile to include /usr/lib/x86_64-linux-gnu/ in git commit 7976210871063f98d001221a7eac6901dfd47f81. This will go into the next tlsdate release. Having a look at /etc/apparmor.d/usr.bin.tlsdate, it's obvious why. Most profiles in there have lines such as: # Allow mapping of shared libraries /lib/* rm, /lib32/* rm, /lib64/* rm, /usr/lib/* rm, /lib/x86_64-linux-gnu/* rm, (with variations on this theme, some have /usr/local/lib/* too, some haven't, but I digress :) I've added this to each stanza: /usr/lib/x86_64-linux-gnu/* rm, Unfortunately, this does not support multiarch library directories. I suggest using the @{multiarch} profile variable, as most other profiles I have installed do, instead of trying to do it by hand. See e.g. /etc/apparmor.d/abstractions/base for nice examples of how one may easily support all architectures that Debian supports :) I'd be interested in researching this a bit later - how does this fail? I suspect that /usr/bin/tlsdate-helper will need access to /usr/lib/@{multiarch}/* too, for the same reason. (To end with, and digressing again, it looks like the few profiles that are in usr.bin.tlsdate could benefit from some factorization into abstractions/, possibly even using existing abstractions if they're not to wide for your taste. Shall I file a wishlist bug about it?) Ideally, I'd prefer a patch. :) -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#704680: tlsdate: AppArmor profile does not support multiarch library locations = tlsdated does not start
Jacob Appelbaum wrote (31 Oct 2013 10:43:56 GMT) : I've added this to each stanza: /usr/lib/x86_64-linux-gnu/* rm, Unfortunately, this does not support multiarch library directories. I suggest using the @{multiarch} profile variable, as most other profiles I have installed do, instead of trying to do it by hand. See e.g. /etc/apparmor.d/abstractions/base for nice examples of how one may easily support all architectures that Debian supports :) I'd be interested in researching this a bit later - how does this fail? This will fail on any architecture other than i386 amd64, basically. See where libcrypto is installed on these architectures. I don't think this bug was entirely fixed (still no multiarch support as far as I can see, despite the added support for amd64), so it should probably be reopened. Cheers, -- intrigeri | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#704680: tlsdate: AppArmor profile does not support multiarch library locations = tlsdated does not start
Package: tlsdate Version: 0.0.5-2 Severity: important Hi, I'm starting tlsdate with sudo service tlsdate start on a Wheezy amd64 system with AppArmor enabled, and: 1. tlsdated does not start, hence the normal severity. 2. my syslog reads: kernel: [21040.419293] type=1400 audit(1365081871.989:61): apparmor=DENIED operation=open parent=1 profile=/usr/bin/tlsdated name=/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 pid=6341 comm=tlsdated requested_mask=r denied_mask=r fsuid=0 ouid=0 It does not look entirely scandalous that tlsdated wants to load libcrypto from this location, given: $ ldd /usr/bin/tlsdated | grep libcrypto libcrypto.so.1.0.0 = /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x7f743b798000) Having a look at /etc/apparmor.d/usr.bin.tlsdate, it's obvious why. Most profiles in there have lines such as: # Allow mapping of shared libraries /lib/* rm, /lib32/* rm, /lib64/* rm, /usr/lib/* rm, /lib/x86_64-linux-gnu/* rm, (with variations on this theme, some have /usr/local/lib/* too, some haven't, but I digress :) Unfortunately, this does not support multiarch library directories. I suggest using the @{multiarch} profile variable, as most other profiles I have installed do, instead of trying to do it by hand. See e.g. /etc/apparmor.d/abstractions/base for nice examples of how one may easily support all architectures that Debian supports :) I suspect that /usr/bin/tlsdate-helper will need access to /usr/lib/@{multiarch}/* too, for the same reason. (To end with, and digressing again, it looks like the few profiles that are in usr.bin.tlsdate could benefit from some factorization into abstractions/, possibly even using existing abstractions if they're not to wide for your taste. Shall I file a wishlist bug about it?) Cheers, -- intrigeri | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org