Comment # 6 on bug 1065388 from
Thanks for the log!

To get your major issue solved, please add
    capability dac_read_search,
    capability dac_override,
to the profile and reload it with
    rcapparmor reload.

This is needed to allow root to read files and enter directories owned by a
user with for example -rwx------ permissions. With AppArmor confinement, root
needs these two capabilities to override the missing read permissions. (See
capabilities(7) for more details.)


There are some more denials in your log (looks like groff executes several
helper binaries) which I'll check later.


(In reply to Dr. Werner Fink from comment #0)
> in /etc/apparmor.d/usr.bin.lessopen.sh I found
> 
>     /usr/bin/file rix,
> 
> but no rule for /usr/bin/file itself!

The "ix" in the rule means "inherit", so /usr/bin/file will run under the same
profile as lessopen.sh.


(In reply to Dr. Werner Fink from comment #5)
> type=AVC msg=audit(1509089056.461:3242): apparmor="DENIED"
> operation="sendmsg" profile="/usr/bin/lessopen.sh" pid=11880 comm="file"
> lport=911 family="inet" sock_type="dgram" protocol=17
> 
> ... Hmmm ... what does this mean?

Let me guess - you tried to view a file on a NFS share?
Ideally this should be hidden in the kernel so that the application doesn't see
the network access (because that's on the filesystem level). I know there's an
open bug report about this - I'll check with upstream if/when we can expect a
kernel patch.


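As an added example (not part of the bug report or of the AppArmor project's own tooling), here is a small Python helper that parses audit lines in the format quoted above and turns each DENIED entry into the profile rule that would permit it, using the `capability` and `rix` forms from the comment plus the standard `network` rule. Only the sendmsg line is the one from the report; the other sample lines are constructed, and the `capname`, `name` and `denied_mask` fields are the ones AppArmor audit messages carry for capability, exec and file denials.

```python
import re
# Constructed sample log: only the sendmsg line is quoted in the bug report;
# the other entries are made up here in the same audit format.
SAMPLE_LOG = """\
type=AVC msg=audit(1509089056.461:3242): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/lessopen.sh" pid=11880 comm="file" lport=911 family="inet" sock_type="dgram" protocol=17
type=AVC msg=audit(1509089056.500:3243): apparmor="DENIED" operation="capable" profile="/usr/bin/lessopen.sh" pid=11880 comm="file" capability=1 capname="dac_override"
type=AVC msg=audit(1509089056.501:3244): apparmor="DENIED" operation="capable" profile="/usr/bin/lessopen.sh" pid=11880 comm="file" capability=2 capname="dac_read_search"
type=AVC msg=audit(1509089057.100:3245): apparmor="DENIED" operation="exec" profile="/usr/bin/lessopen.sh" pid=11890 comm="lessopen.sh" name="/usr/bin/groff" requested_mask="x" denied_mask="x"
type=AVC msg=audit(1509089057.200:3246): apparmor="ALLOWED" operation="open" profile="/usr/bin/lessopen.sh" pid=11890 comm="groff" name="/usr/share/groff/current/tmac/an.tmac" requested_mask="r" denied_mask="r"
"""

# key=value pairs; values are "quoted" or bare tokens such as pid=11880
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit_line(line):
    """Split one AppArmor audit line into a dict, quotes stripped."""
    return {key: (raw[1:-1] if raw.startswith('"') else raw)
            for key, raw in FIELD_RE.findall(line)}

def suggest_rule(fields):
    """Profile rule that would permit this DENIED entry, or None."""
    # 'capability X,' and 'path rix,' are the forms used in the comment above;
    # 'network FAMILY TYPE,' is standard AppArmor syntax (for the NFS case the
    # comment says the kernel should hide this, so review before adding it).
    if fields.get("apparmor") != "DENIED":
        return None
    op = fields.get("operation")
    if op == "capable":
        return "capability %s," % fields["capname"]
    if op == "exec":
        return "%s rix," % fields["name"]
    if op in ("sendmsg", "recvmsg", "create", "connect", "bind"):
        return "network %s %s," % (fields["family"], fields["sock_type"])
    if "name" in fields and "denied_mask" in fields:
        return "%s %s," % (fields["name"], fields["denied_mask"])
    return None

def suggest_rules(log_text):
    """Unique suggested rules per profile, in first-seen order."""
    per_profile = {}
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        rule = suggest_rule(fields)
        if rule is not None:
            rules = per_profile.setdefault(fields["profile"], [])
            if rule not in rules:
                rules.append(rule)
    return per_profile

if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print(profile + " {\n  " + "\n  ".join(rules) + "\n}")
```

Running it on a real `/var/log/audit/audit.log` extract prints the candidate rules per profile; the same job, with interactive review, is what `aa-logprof` does.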