Bug ID: 1219571
Summary: profiles: openssl 1.1 requires /etc/ssl/engines3.d/ path access
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
Assignee: ddiss@suse.com
Reporter: ddiss@suse.com
QA Contact: qa-bugs@suse.de
CC: mrueckert@suse.com, suse-beta@cboltz.de
Target Milestone: ---
Found By: ---
Blocker: ---

darix reported the following AVCs when running nginx alongside
openssl 1.1:

type=AVC msg=audit(X): apparmor="DENIED" operation="open" class="file"
profile="nginx" name="/etc/ssl/engines3.d/" pid=Y comm="nginx"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0

type=AVC msg=audit(X+1): apparmor="DENIED" operation="open" class="file"
profile="nginx" name="/etc/ssl/engdef3.d/" pid=Y comm="nginx"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Presumably we need something like:

--- a/profiles/apparmor.d/abstractions/openssl
+++ b/profiles/apparmor.d/abstractions/openssl
@@ -12,8 +12,8 @@

   /etc/ssl/openssl.cnf r,
   /etc/ssl/openssl-*.cnf r,
-  /etc/ssl/{engdef,engines}.d/ r,
-  /etc/ssl/{engdef,engines}.d/*.cnf r,
+  /etc/ssl/{engdef,engines,engines3}.d/ r,
+  /etc/ssl/{engdef,engines,engines3}.d/*.cnf r,
   /usr/share/ssl/openssl.cnf r,

   # Include additions to the abstraction
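
Review bot: The two changed alternations on the `+` lines add only engines3, but the second quoted denial is for /etc/ssl/engdef3.d/, so that directory read would still be denied with this patch applied; extending both rules to `{engdef,engdef3,engines,engines3}` would cover both logged paths. The denials shown are directory opens only, so it is also worth confirming that files under the new directories use the .cnf suffix before relying on the `*.cnf r,` rule for them.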


...but it'd be good to first know what other paths may be affected before
submitting upstream.

