Bug#821881: apparmor-profiles: sshd unable to read blacklists from openssh-blacklist* packages
Control: tag -1 + fixed-upstream

Vincas Dargis wrote (07 Jun 2016 15:23:45 GMT) :
> I've posted to their mailing list, looks like it's fixed, at least in repo
> (or maybe it's already released at this point):
> https://lists.ubuntu.com/archives/apparmor/2016-April/009639.html

Great job, thank you! Indeed, it's not part of any upstream release yet, but it should go into 2.11 final.

Cheers,
--
intrigeri
Bug#821881: apparmor-profiles: sshd unable to read blacklists from openssh-blacklist* packages
2016.04.24 17:30, intrigeri wrote:
> This sounds right. I'm afraid we lack resources, on the Debian side, to
> support profiles shipped in the extra/ directory, so please take it
> directly upstream (appar...@lists.ubuntu.com).

I've posted to their mailing list, looks like it's fixed, at least in repo (or maybe it's already released at this point):

https://lists.ubuntu.com/archives/apparmor/2016-April/009639.html
Bug#821881: apparmor-profiles: sshd unable to read blacklists from openssh-blacklist* packages
Hi,

Vincas Dargis wrote (20 Apr 2016 07:18:17 GMT) :
> Looks like it would be useful to add rule to allow reading
> /usr/share/ssh/blacklist* files:

This sounds right. I'm afraid we lack resources, on the Debian side, to support profiles shipped in the extra/ directory, so please take it directly upstream (appar...@lists.ubuntu.com).

Cheers,
--
intrigeri
Bug#821881: apparmor-profiles: sshd unable to read blacklists from openssh-blacklist* packages
Package: apparmor-profiles
Version: 2.7.103-4
Severity: normal
Tags: upstream

Dear Maintainer,

In Wheezy I've enabled complain mode for usr.sbin.ssh (from apparmor-profiles extras directory) and noticed these lines:

Apr 20 08:52:43 vdebian2 kernel: [30870.004961] audit: type=1400 audit(1461131563.110:76): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sshd" name="/usr/share/ssh/blacklist.RSA-2048" pid=27843 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 20 08:52:43 vdebian2 kernel: [30870.005132] audit: type=1400 audit(1461131563.110:77): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sshd" name="/usr/share/ssh/blacklist.DSA-1024" pid=27843 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Looks like it would be useful to add rule to allow reading /usr/share/ssh/blacklist* files:

$ apt-file search ssh/blacklist
openssh-blacklist: /usr/share/ssh/blacklist.DSA-1024
openssh-blacklist: /usr/share/ssh/blacklist.RSA-2048
openssh-blacklist-extra: /usr/share/ssh/blacklist.DSA-2048
openssh-blacklist-extra: /usr/share/ssh/blacklist.RSA-1024
openssh-blacklist-extra: /usr/share/ssh/blacklist.RSA-4096

I do not see this rule in HEAD:

https://alioth.debian.org/scm/loggerhead/collab-maint/apparmor/view/head:/profiles/apparmor/profiles/extras/usr.sbin.sshd

so I assume it's still relevant for latest releases.

-- System Information:
Debian Release: 7.10
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apparmor-profiles depends on:
ii  apparmor  2.7.103-4

apparmor-profiles recommends no packages.

apparmor-profiles suggests no packages.

-- no debconf information
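
The review step behind the report, turning complain-mode audit lines into candidate file rules for a profile, as an added example (it is not part of the bug thread or of AppArmor's own tooling). The function names and the mask mapping table are assumptions of this example; the sample input is constructed from the two log lines quoted in the report.

```python
import re

# Constructed sample: the two kernel audit lines quoted in the report.
SAMPLE_LOG = (
    'Apr 20 08:52:43 vdebian2 kernel: [30870.004961] audit: type=1400 '
    'audit(1461131563.110:76): apparmor="ALLOWED" operation="open" '
    'profile="/usr/sbin/sshd" name="/usr/share/ssh/blacklist.RSA-2048" '
    'pid=27843 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0\n'
    'Apr 20 08:52:43 vdebian2 kernel: [30870.005132] audit: type=1400 '
    'audit(1461131563.110:77): apparmor="ALLOWED" operation="open" '
    'profile="/usr/sbin/sshd" name="/usr/share/ssh/blacklist.DSA-1024" '
    'pid=27843 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0\n'
)

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log-only masks c (create) and d (delete) are granted by "w" in a profile.
LOG_TO_RULE = {"r": "r", "w": "w", "c": "w", "d": "w", "l": "l", "k": "k", "m": "m"}
PERM_ORDER = "rwlkm"

def parse_event(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for match in FIELD_RE.finditer(line):
        key, quoted, bare = match.groups()
        if key == "name" and bare is not None:
            # The kernel hex-encodes names containing spaces or quotes.
            try:
                bare = bytes.fromhex(bare).decode("utf-8", "replace")
            except ValueError:
                pass
        fields[key] = quoted if quoted is not None else bare
    return fields

def suggest_rules(log_text, profile):
    """Turn ALLOWED (complain) and DENIED (enforce) events into file rules."""
    perms = {}
    for line in log_text.splitlines():
        ev = parse_event(line) or {}
        if ev.get("profile") != profile or "name" not in ev:
            continue
        if ev.get("apparmor") in ("ALLOWED", "DENIED"):
            for ch in ev.get("denied_mask", ""):
                if ch in LOG_TO_RULE:  # "a" and "x" are left to manual review
                    perms.setdefault(ev["name"], set()).add(LOG_TO_RULE[ch])
    return [f"{path} {''.join(p for p in PERM_ORDER if p in perms[path])},"
            for path in sorted(perms)]

print("\n".join(suggest_rules(SAMPLE_LOG, "/usr/sbin/sshd")))
```

The per-file rules it prints are a starting point for review; generalizing them to the /usr/share/ssh/blacklist* glob proposed in the report remains a manual decision.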