Public bug reported:

The gnutls library can be configured using /etc/gnutls/config, for example to allow small keys and TLS versions below v1.2.
However, if an application is confined, has an apparmor profile and uses gnutls, it will ignore this file if it is not allowed to read it.

For example:

[ 382.586297] audit: type=1400 audit(1628068663.214:162): apparmor="DENIED" operation="open" profile="msmtp" name="/etc/gnutls/config" pid=18621 comm="sendmail" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[25379.358122] audit: type=1400 audit(1628093660.328:163): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/etc/gnutls/config" pid=53262 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[25460.754092] audit: type=1400 audit(1628093741.726:164): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/gnutls/config" pid=53347 comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0

How can we allow reading /etc/gnutls/config for all apps that use gnutls?

** Affects: apparmor (Ubuntu)
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/1938938

Title: apparmor denials for gnutls configuration

Status in apparmor package in Ubuntu: New
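A way to find which confined profiles are affected, as an added example that is not part of the bug report or of AppArmor itself: the script parses kernel audit lines like the ones quoted above and lists every profile that denied a read of /etc/gnutls/config, with the read rule such a profile lacks. The function names and the fourth sample log line are constructed for illustration.

```python
import re
from collections import defaultdict

GNUTLS_CONFIG = "/etc/gnutls/config"

# The first three lines are the denials quoted in the bug report; the last line
# is constructed here to show that unrelated denials are filtered out.
SAMPLE_LOG = """\
[ 382.586297] audit: type=1400 audit(1628068663.214:162): apparmor="DENIED" operation="open" profile="msmtp" name="/etc/gnutls/config" pid=18621 comm="sendmail" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[25379.358122] audit: type=1400 audit(1628093660.328:163): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/etc/gnutls/config" pid=53262 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[25460.754092] audit: type=1400 audit(1628093741.726:164): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/gnutls/config" pid=53347 comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
[99999.000000] audit: type=1400 audit(1628099999.000:165): apparmor="DENIED" operation="open" profile="example" name="/etc/example.conf" pid=1 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(line):
    """Split one audit line into its key=value fields (quoted or bare)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}


def denied_reads(log, path=GNUTLS_CONFIG):
    """Map each profile that denied a read of `path` to the commands seen."""
    hits = defaultdict(set)
    for line in log.splitlines():
        f = parse_fields(line)
        if (f.get("apparmor") == "DENIED" and f.get("name") == path
                and "r" in f.get("denied_mask", "")):
            hits[f.get("profile", "?")].add(f.get("comm", "?"))
    return {profile: sorted(comms) for profile, comms in hits.items()}


def read_rule(path=GNUTLS_CONFIG):
    """AppArmor file rule granting read-only access to `path`."""
    return f"{path} r,"


if __name__ == "__main__":
    for profile, comms in denied_reads(SAMPLE_LOG).items():
        print(f"profile {profile} (comm: {', '.join(comms)}) lacks: {read_rule()}")
```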