[Bug 643387] New: Not operating profiles from templates
https://bugzilla.novell.com/show_bug.cgi?id=643387

https://bugzilla.novell.com/show_bug.cgi?id=643387#c0

Summary: Not operating profiles from templates
Classification: openSUSE
Product: openSUSE 11.3
Version: Final
Platform: All
OS/Version: openSUSE 11.3
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
AssignedTo: jeffm@novell.com
ReportedBy: avm-xandry@yandex.ru
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; U; Linux i686; ru; rv:1.9.2.10) Gecko/20100914 SUSE/3.6.10-0.3.1 Firefox/3.6.10

1. Firefox not launched after the beginning of usage of a default profile.
2. man can't correctly work after the beginning of usage of a default profile.

Mode for this profiles has no value.

Reproducible: Always

Steps to Reproduce:

For firefox:
1. sudo cp /etc/apparmor/profiles/extras/*firefox* /etc/apparmor.d/
2. sudo /etc/init.d/boot.apparmor reload
3. firefox

For man:
1. sudo cp /etc/apparmor/profiles/extras/usr.bin.man /etc/apparmor.d/
2. sudo /etc/init.d/boot.apparmor reload
3. man complain

Actual Results:

For firefox:
After command "sudo /etc/init.d/boot.apparmor reload" i see message:

Reloading AppArmor profiles
Found reference to variable proc, but is never declared
Profile /etc/apparmor.d/usr.lib.firefox.firefox failed to load
failed

And at attempt to launch firefox:

/usr/bin/firefox: line 127: /usr/lib/firefox/firefox: Нет такого файла или каталога

Note: at english: no such file or directory

For man:
After run man complain:

/usr/bin/nroff: Can't create temp directory, exiting...

Expected Results:
Firefox and man should work as before (Before install and start apparmor with templates).

MozillaFirefox-3.6.10-0.3.1.i586

rpm -qf /etc/apparmor/profiles/extras/*firefox*
apparmor-profiles-2.3-56.1.noarch
rpm -qf /etc/apparmor/profiles/extras/*man*
apparmor-profiles-2.3-56.1.noarch
-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=643387#c1
--- Comment #1 from Alexandr Mityunin
sudo netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
/proc/net/tcp: Permission denied
https://bugzilla.novell.com/show_bug.cgi?id=643387#c9
--- Comment #9 from Alexander Mityunin
Does it have this in the changelog? Hmm... Nope. And should it be?
https://bugzilla.novell.com/show_bug.cgi?id=643387#c25
--- Comment #25 from Christian Boltz
I'm actually in the process of updating the security:apparmor:factory apparmor package to 2.6.1 anyway. What would be useful is to cherry pick any profile changes beyond 2.6.1 (in the 2.7/master branch) and pull those into our package.
It might be easier to replace the complete profiles folder with the 2.7 profiles ;-) (or, if you want a patch, diff -r the 2.6.1 and 2.7 profiles)
If you wouldn't mind pushing the leftover patches we're still carrying upstream, I'd be happy to answer any followup questions.
I can try, but I can't guarantee any timeframe.
I'm currently doing the jobs of about 3 people, so I haven't had the time. :)
Sounds interesting[tm], but not really unknown to me. Everything related to Linux is more or less a hobby for me, and with working on openSUSE and developing PostfixAdmin I can't say I'm bored ;-)
https://bugzilla.novell.com/show_bug.cgi?id=643387#c31
--- Comment #31 from Christian Boltz
Christian, how can I apply your patch to usr.bin.opera? 'Patch' tells me "patch: **** Only garbage was found in the patch input."
I assume you are talking about attachment 443787 ("changes in usr.bin.opera")?

The file is not a real patch, it is more a list of differences in a patch-like format. It's not surprising that patch complains about it ;-)

If you really want, you can add the lines starting with + to your profile (without the + sign). You can also remove all lines starting with -.

However doing that doesn't make too much sense IMHO because there are several questionable changes, for example read access to /etc/apparmor.d/**.

The better way would be to put your opera profile in complain mode with aa-complain, use opera for some hours (or even days) and to update the profile based on the audit.log using aa-logprof.

When you think the profile has everything it needs, upload the updated profile to this bugreport ;-)
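The review of `+` lines described in comment #31, as an added example that is not part of the original thread or of attachment 443787: a Python check over a constructed patch-like list of profile changes that flags added rules worth a second look before they are copied into a profile. The sample rules, the `SENSITIVE` path list and the `OWN_DIRS` allowance are assumptions made for illustration.

```python
import re

# Constructed sample in a patch-like format; NOT the contents of the real attachment.
SAMPLE_DIFF = """\
--- usr.bin.opera (packaged)
+++ usr.bin.opera (local)
-  /etc/opera6rc r,
+  /usr/share/opera/** r,
+  /etc/apparmor.d/** r,
+  @{HOME}/.opera/** rw,
+  /tmp/** rwl,
+  /usr/lib/opera/*.so mr,
"""

# Simple file rule: optional qualifiers, a path (or @{VAR} path), a permission string.
RULE = re.compile(
    r"^\s*(?:(?:audit|owner|deny)\s+)*(?P<path>[/@]\S*)\s+"
    r"(?P<perms>[rwaxmlkiPpCcUu]+),\s*(?:#.*)?$")

# Assumed review policy: paths a browser profile has no obvious reason to touch,
# and the application's own data directory where recursive write is expected.
SENSITIVE = ("/etc/apparmor.d", "/etc/shadow")
OWN_DIRS = ("@{HOME}/.opera/",)

def review_added_rules(diff_text):
    """Return (added_rules, findings) for the '+' lines of a patch-like list."""
    added, findings = [], []
    for line in diff_text.splitlines():
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only additions matter; skip the '+++' file header
        body = line[1:].strip()
        m = RULE.match(body)
        if not m:
            findings.append((body, "not a simple file rule, review by hand"))
            continue
        path, perms = m.group("path"), m.group("perms")
        added.append((path, perms))
        if path.startswith(SENSITIVE):
            findings.append((body, "access to a sensitive path"))
        elif ("**" in path and set(perms) & set("wal")
              and not path.startswith(OWN_DIRS)):
            findings.append((body, "recursive glob with write/link access"))
    return added, findings

if __name__ == "__main__":
    for rule, why in review_added_rules(SAMPLE_DIFF)[1]:
        print(f"REVIEW: {rule}  ({why})")
```

Rules that pass this check still need the complain-mode and aa-logprof cycle described above to confirm the application actually uses them.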