[Bug 1000201] New: mlmmj apparmor profiles need fixing
http://bugzilla.suse.com/show_bug.cgi?id=1000201

Bug ID: 1000201
Summary: mlmmj apparmor profiles need fixing
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.1
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
Assignee: suse-beta@cboltz.de
Reporter: per@computer.org
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Created attachment 693398
  --> http://bugzilla.suse.com/attachment.cgi?id=693398&action=edit
apparmor profile changes

Server: baloo (mailing list server), running SLE12 SP1

apparmor-profiles was updated to 2.8.2-45.1 on 2/9/2016, which screwed up mailing list operation, specifically subscribe and unsubscribe, but presumably other things too.

I have updated the mlmmj profiles locally on baloo, see diff attached. I'm going to monitor the logs over the next few days to see if I've missed anything.

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1000201#c2
Per Jessen
Just for the record: having AppArmor 2.8.x on SLE is not my fault ;-) - it was the decision of the SLE maintainers not to upgrade to 2.9 (which I proposed for SLE12, it would have solved quite some problems). Also, I'm not the AppArmor maintainer for SLE (but help when needed).
I was unable to open a report for SLE, only for openSUSE. Thanks for helping with this.
Also, I'm surprised that the profiles were replaced - AFAIK the files in /etc/apparmor.d/ are packaged as "noreplace".
Maybe that was a poor guess. I have a copy of apparmor+apparmor.d from before I changed things: In apparmor/profiles/extras, mlmmj-* are all dated Aug 17 2015. The symlinks were not changed, afaict. So, what else might have changed to cause this issue, coinciding with the update on 2/9?
That said:
Can you please check (rpm -qf) if / which package contains the mlmmj profiles? (The AppArmor package ships them in the "extras" directory [1] as inactive profiles, which means they are _not_ shipped in /etc/apparmor.d/.)
[1] that's probably /etc/apparmor/profiles/extras/ on SLE, and /usr/share/apparmor/extra-profiles/ since AppArmor 2.9.
Correct, they're in /etc/apparmor/profiles/extras/ and symlinked from /etc/apparmor.d/
Also, some questions about your changes:
+/usr/bin/mlmmj-bounce {
- /var/spool/mlmmj/*/subscribers.d rwl, # - /var/spool/mlmmj/*/subscribers.d/* rwl, + /var/spool/mlmmj/*/subscribers.d/ r, + /var/spool/mlmmj/*/subscribers.d/* r,
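Review bot: The drop from rwl to r on the two added subscribers.d rules in the mlmmj-bounce profile is not justified by anything in this hunk, and it is mixed in with the unrelated trailing-slash fix on the directory rule. The trailing slash is what makes the first rule match the directory itself, so that part stands on its own. Suggest keeping the slash fix, leaving the permission on /var/spool/mlmmj/*/subscribers.d/* as it was until the audit log for this profile shows that no write or link access is requested, and reducing it in a separate change.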
I like reducing permissions, still - are you sure read-only is enough here?
No, I can't be sure. Yes, -sub and -unsub have rw access, I guess -bounce will need it too. I've got some more updates, I'll fix that.
BTW: the queue and subconf directories also need a trailing slash (or can be removed from the profile if you don't find complaints about this in the audit.log ;-)
I wanted to be careful and not change too much, I don't know mlmmj at all.
+/usr/bin/mlmmj-sub {
Another missing trailing slash for the "text" directory (or a superfluous rule ;-)
After adjusting those details, please attach the full mlmmj profiles as tarball. Your diff doesn't cleanly apply to the upstream profiles (not too surprising, probably they changed in the meantime), so having the full files makes things easier for me ;-)
Okay, will do.

--
You are receiving this mail because:
You are on the CC list for the bug.
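The questions raised in the comment above (is read-only enough, and which directory rules need a trailing slash) can be answered from audit.log rather than by guessing. The following is an added example, not part of the bug report or of the mlmmj profiles: it reads AppArmor audit records and lists, per mlmmj profile, the permissions that were refused. The log lines are constructed, and the function names and the choice to collapse file names to `dir/*` are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample records in the audit format AppArmor logs to audit.log;
# list names, pids and timestamps are made up for this example.
SAMPLE_LOG = '''\
type=AVC msg=audit(1474460001.101:501): apparmor="DENIED" operation="open" profile="/usr/bin/mlmmj-bounce" name="/var/spool/mlmmj/testlist/subscribers.d/" pid=2101 comm="mlmmj-bounce" requested_mask="r" denied_mask="r" fsuid=498 ouid=498
type=AVC msg=audit(1474460001.105:502): apparmor="DENIED" operation="open" profile="/usr/bin/mlmmj-bounce" name="/var/spool/mlmmj/testlist/subscribers.d/e" pid=2101 comm="mlmmj-bounce" requested_mask="rw" denied_mask="w" fsuid=498 ouid=498
type=AVC msg=audit(1474460002.220:503): apparmor="ALLOWED" operation="mknod" profile="/usr/bin/mlmmj-sub" name="/var/spool/mlmmj/otherlist/subscribers.d/p" pid=2140 comm="mlmmj-sub" requested_mask="c" denied_mask="c" fsuid=498 ouid=498
type=AVC msg=audit(1474460003.310:504): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ntp.keys" pid=900 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare
MASK_TO_RULE = {"c": "w", "d": "w"}  # create/delete are covered by 'w' in a rule
ORDER = "rwalkmx"                    # display order of permission letters

def generalize(path):
    """Replace the list name under /var/spool/mlmmj/ with '*', as the profile rules do."""
    return re.sub(r'^(/var/spool/mlmmj/)[^/]+', r'\1*', path)

def summarize(log_text, profile_prefix="/usr/bin/mlmmj-"):
    """Map (profile, rule path) -> set of permissions the loaded profile lacks."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        ev = {k: (q or u) for k, q, u in FIELD.findall(line)}
        # DENIED = enforce mode, ALLOWED = complain mode; both mean "no rule matched"
        if ev.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue
        if not ev.get("profile", "").startswith(profile_prefix) or "name" not in ev:
            continue
        path = generalize(ev["name"])
        # A directory is logged with its trailing slash and needs its own rule;
        # a file is collapsed to dir/* (coarse on purpose, review before use).
        if not path.endswith("/"):
            path = path.rsplit("/", 1)[0] + "/*"
        needed[(ev["profile"], path)].update(
            MASK_TO_RULE.get(c, c) for c in ev.get("denied_mask", ""))
    return dict(needed)

def missing_rules(log_text):
    """Return {profile: [rule lines]} listing the permissions that were refused."""
    out = defaultdict(list)
    for (profile, path), perms in sorted(summarize(log_text).items()):
        out[profile].append(f"  {path} {''.join(sorted(perms, key=ORDER.find))},")
    return dict(out)

if __name__ == "__main__":
    for profile, rules in missing_rules(SAMPLE_LOG).items():
        print(profile, *rules, sep="\n")
```

An empty result for a profile after a few days of normal list traffic is the evidence that a reduced permission set is sufficient.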