** Changed in: apparmor
   Importance: Undecided => Critical

** Changed in: apparmor
     Assignee: (unassigned) => John Johansen (jjohansen)

-- 
You received this bug notification because you are a member of AppArmor
Developers, which is the registrant for AppArmor.
https://bugs.launchpad.net/bugs/888077

Title:
  alias rules being only partially applied

Status in AppArmor Linux application security framework:
  New

Bug description:
  As reported by Christian Boltz

  alias rules broken for /{,var/}run/

  Hello,

  Lots of profiles contain rules for /{,var/}run/ nowadays.

  Unfortunately that breaks if /var is a symlink (to /home/sys-var in my case) even if a correct alias rule is set up.

  I'll paste the details from #apparmor:

  [22:00] <cboltz> I get unexpected DENIED events in combination with aliases:
  [22:00] <cboltz> apparmor="DENIED" operation="mkdir" parent=1 profile="/usr/sbin/avahi-daemon" name="/home/sys-var/run/avahi-daemon/" pid=14842 comm="avahi-daemon" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
  [22:00] <cboltz> but I have in tunables/alias
  [22:01] <cboltz> alias /var/ -> /home/sys-var/,
  [22:01] <cboltz> and the profile for avahi-daemon allows write access to /var/run/avahi-daemon/ (original profile as in bzr)
  [22:01] <cboltz> is this a known or a new bug?
  [22:52] <sbeattie> cboltz: sorry, jjohansen and I are at the Ubuntu Developer Summit this week, so we're bouncing on and off irc.
  [22:53] <sbeattie> cboltz: not a known bug to me
  [22:54] <cboltz> then it must be a new one
  [22:56] <cboltz> I just found what causes it
  [22:57] <sbeattie> cboltz: oh?
  [22:57] <cboltz>  /{,var/}run/avahi-daemon/ w,   fails the alias replacement
  [22:57] <cboltz>  /var/run/avahi-daemon/ w,   works
  [23:00] <sbeattie> doh
  [23:01] <sbeattie> that's a result of aliases being more like a pre-processing step than a real semantic change.
  [23:02] <cboltz> looks like it should be a real semantic change *g*
  [23:03] <sbeattie> Feel free to raise the issue on the list or file a bug, though I'm not sure that it'd be an easy thing to address.
  [23:03] <cboltz> I'll send a mail
  [23:04] <sbeattie> cool, thanks!
  [23:04] <cboltz> just tell John that I found a bug again, and then enjoy the developer summit
  [23:04] <sbeattie> hehe
  [23:06] * sbeattie vanishes again
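The following is an added illustration, not AppArmor parser code, of the distinction sbeattie draws above between alias as a textual pre-processing step and alias as a semantic change. It models an alias rule as a prefix rewrite of the paths in a profile rule, once applied to the rule text before brace alternations are expanded (the behaviour the DENIED event is consistent with) and once applied to each concrete path after expansion. The assumption that the aliased path is added alongside the original, and the rewrite order itself, are assumptions of this model, not a statement about the real parser; the paths and the alias are the ones from the report.

```python
import re

# The alias rule from the report: alias /var/ -> /home/sys-var/,
ALIAS = ("/var/", "/home/sys-var/")

# The name the kernel denied in the report's audit line.
DENIED_NAME = "/home/sys-var/run/avahi-daemon/"


def expand_braces(path):
    """Expand {a,b,...} alternations into the set of concrete paths.

    Handles nested and multiple groups by expanding the innermost group
    first and recursing on each result.
    """
    m = re.search(r"\{([^{}]*)\}", path)
    if not m:
        return {path}
    expanded = set()
    for alternative in m.group(1).split(","):
        expanded |= expand_braces(path[:m.start()] + alternative + path[m.end():])
    return expanded


def apply_alias(path, alias=ALIAS):
    """Return the paths a single concrete path stands for under the alias.

    Assumption of this model: the original path is kept and the aliased
    form is added, so a rule for /var/... also covers /home/sys-var/...
    """
    src, dst = alias
    if path.startswith(src):
        return {path, dst + path[len(src):]}
    return {path}


def paths_textual(rule_path, alias=ALIAS):
    """Pre-processing model: alias is applied to the rule text as written,
    then braces are expanded. A rule written as /{,var/}run/... never
    starts with the literal prefix /var/, so the alias silently misses."""
    covered = set()
    for rewritten in apply_alias(rule_path, alias):
        covered |= expand_braces(rewritten)
    return covered


def paths_semantic(rule_path, alias=ALIAS):
    """Semantic model: braces are expanded first, then the alias is
    applied to every concrete path the rule denotes."""
    covered = set()
    for concrete in expand_braces(rule_path):
        covered |= apply_alias(concrete, alias)
    return covered


def covers(rule_path, name, model=paths_textual, alias=ALIAS):
    """True if the profile rule `rule_path` grants access to `name` under
    the given alias model. Exact path match only; globbing is out of scope."""
    return name in model(rule_path, alias)


if __name__ == "__main__":
    for rule in ("/var/run/avahi-daemon/", "/{,var/}run/avahi-daemon/"):
        for model in (paths_textual, paths_semantic):
            print(f"{rule:28} {model.__name__:15} "
                  f"covers {DENIED_NAME}: {covers(rule, DENIED_NAME, model)}")
```

Run stand-alone, the script shows the pattern from the report: the plain `/var/run/avahi-daemon/` rule covers the denied name under both models, while `/{,var/}run/avahi-daemon/` covers it only under the semantic model, because the textual rewrite is looking for a `/var/` prefix that does not literally appear in the rule text.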

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/888077/+subscriptions

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
