https://bugzilla.suse.com/show_bug.cgi?id=1219571

Bug ID: 1219571
Summary: profiles: openssl 1.1 requires /etc/ssl/engines3.d/ path access
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
Assignee: ddiss@suse.com
Reporter: ddiss@suse.com
QA Contact: qa-bugs@suse.de
CC: mrueckert@suse.com, suse-beta@cboltz.de
Target Milestone: ---
Found By: ---
Blocker: ---

darix reported the following AVCs when running nginx alongside openssl 1.1:

type=AVC msg=audit(X): apparmor="DENIED" operation="open" class="file" profile="nginx" name="/etc/ssl/engines3.d/" pid=Y comm="nginx" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(X+1): apparmor="DENIED" operation="open" class="file" profile="nginx" name="/etc/ssl/engdef3.d/" pid=Y comm="nginx" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Presumably we need something like:

--- a/profiles/apparmor.d/abstractions/openssl +++ b/profiles/apparmor.d/abstractions/openssl @@ -12,8 +12,8 @@ /etc/ssl/openssl.cnf r, /etc/ssl/openssl-*.cnf r, - /etc/ssl/{engdef,engines}.d/ r, - /etc/ssl/{engdef,engines}.d/*.cnf r, + /etc/ssl/{engdef,engines,engines3}.d/ r, + /etc/ssl/{engdef,engines,engines3}.d/*.cnf r, /usr/share/ssl/openssl.cnf r, # Include additions to the abstraction

...but it'd be good to first know what other paths may be affected before submitting upstream.
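
Review bot: The two `+` lines extend the alternation only with `engines3`, but the second AVC quoted in the report is a denial on `/etc/ssl/engdef3.d/`, which `{engdef,engines,engines3}` still does not match. Suggest adding `engdef3` to both rules, for example `/etc/ssl/{engdef,engdef3,engines,engines3}.d/ r,` and the corresponding `*.cnf` line, so that the directory read and the config files under it are covered for both paths seen in the denials.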
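
A way to check reported denials against candidate rules before submitting them, as an added example that is not part of the original report or of the AppArmor project. The function names are hypothetical, the AVC lines are the two quoted in the report, and the glob translation assumes only a subset of AppArmor globbing (`{a,b}`, `**`, `*`, `?`).

```python
import re

# The two denials quoted in the report (placeholders X and Y kept as on the page).
AVC_LINES = [
    'type=AVC msg=audit(X): apparmor="DENIED" operation="open" class="file" '
    'profile="nginx" name="/etc/ssl/engines3.d/" pid=Y comm="nginx" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'type=AVC msg=audit(X+1): apparmor="DENIED" operation="open" class="file" '
    'profile="nginx" name="/etc/ssl/engdef3.d/" pid=Y comm="nginx" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

# The two rules added by the proposed hunk, as (glob, permissions).
PROPOSED_RULES = [
    ("/etc/ssl/{engdef,engines,engines3}.d/", "r"),
    ("/etc/ssl/{engdef,engines,engines3}.d/*.cnf", "r"),
]

def glob_to_regex(glob):
    """Translate a subset of AppArmor globbing: {a,b}, **, * and ?."""
    def token(m):
        t = m.group(0)
        if t.startswith("{"):
            return "(?:" + "|".join(map(re.escape, t[1:-1].split(","))) + ")"
        # '*' and '?' never cross a path separator; '**' does.
        return {"**": ".*", "*": "[^/]*", "?": "[^/]"}.get(t, re.escape(t))
    return re.compile(re.sub(r"\{[^}]*\}|\*\*|.", token, glob, flags=re.S) + r"\Z")

def denied_file_accesses(lines):
    """Yield (profile, path, mask) for each AppArmor file denial."""
    for line in lines:
        f = dict(re.findall(r'(\w+)="([^"]*)"', line))
        if f.get("apparmor") == "DENIED" and f.get("class") == "file":
            yield f["profile"], f["name"], f["denied_mask"]

def still_denied(lines, rules):
    """Return denied paths that no rule grants with the denied mask."""
    compiled = [(glob_to_regex(g), perms) for g, perms in rules]
    return [path for _, path, mask in denied_file_accesses(lines)
            if not any(rx.match(path) and set(mask) <= set(p) for rx, p in compiled)]

if __name__ == "__main__":
    print(still_denied(AVC_LINES, PROPOSED_RULES))
```

Feeding it a longer audit log from a host running the affected service lists every denied path the candidate rules would leave uncovered.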