[Bug 1000201] New: mlmmj apparmor profiles need fixing
http://bugzilla.suse.com/show_bug.cgi?id=1000201

            Bug ID: 1000201
           Summary: mlmmj apparmor profiles need fixing
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 42.1
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: AppArmor
          Assignee: suse-beta@cboltz.de
          Reporter: per@computer.org
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

Created attachment 693398
  --> http://bugzilla.suse.com/attachment.cgi?id=693398&action=edit
apparmor profile changes

Server: baloo (mailing list server), running SLE12 SP1

apparmor-profiles was updated to 2.8.2-45.1 on 2/9/2016, which screwed up mailing list operation, specifically subscribe and unsubscribe, but presumably other things too.

I have updated the mlmmj profiles locally on baloo, see diff attached. I'm going to monitor the logs over the next few days to see if I've missed anything.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1000201#c2

Per Jessen <per@computer.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |per@computer.org
              Flags|                            |needinfo?(per@computer.org)

--- Comment #2 from Per Jessen <per@computer.org> ---
(In reply to Christian Boltz from comment #1)
> Just for the record: having AppArmor 2.8.x on SLE is not my fault ;-) - it was the decision of the SLE maintainers not to upgrade to 2.9 (which I proposed for SLE12, it would have solved quite some problems.) Also, I'm not the AppArmor maintainer for SLE (but help when needed).
I was unable to open a report for SLE, only for openSUSE. Thanks for helping with this.
> Also, I'm surprised that the profiles were replaced - AFAIK the files in /etc/apparmor.d/ are packaged as "noreplace".
Maybe that was a poor guess. I have a copy of apparmor+apparmor.d from before I changed things: In apparmor/profiles/extras, mlmmj-* are all dated Aug 17 2015. The symlinks were not changed, afaict. So, what else might have changed to cause this issue, coinciding with the update on 2/9?
> That said:
>
> Can you please check (rpm -qf) if / which package contains the mlmmj profiles? (The AppArmor package ships them in the "extras" directory [1] as inactive profiles, which means they are _not_ shipped in /etc/apparmor.d/.)
>
> [1] that's probably /etc/apparmor/profiles/extras/ on SLE, and /usr/share/apparmor/extra-profiles/ since AppArmor 2.9.
Correct, they're in /etc/apparmor/profiles/extras/ and symlinked from /etc/apparmor.d/
> Also, some questions about your changes:
+/usr/bin/mlmmj-bounce {
- /var/spool/mlmmj/*/subscribers.d rwl, # - /var/spool/mlmmj/*/subscribers.d/* rwl, + /var/spool/mlmmj/*/subscribers.d/ r, + /var/spool/mlmmj/*/subscribers.d/* r,
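Review bot: the hunk changes permissions, not only the missing trailing slash: the removed 'rwl' rules gave mlmmj-bounce write and link access to subscribers.d and its contents, while the added '/var/spool/mlmmj/*/subscribers.d/ r,' and '/var/spool/mlmmj/*/subscribers.d/* r,' leave read only. Since the -sub and -unsub profiles keep rw on the same directory, confirm from audit.log that bounce processing never writes there before keeping it read-only. The trailing slash on the first added rule is the correct form for a directory rule; the dropped 'l' was link permission, not file locking (that is 'k'), so removing it is harmless unless mlmmj-bounce actually creates links.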
> I like reducing permissions, still - are you sure read-only is enough here?
No, I can't be sure. Yes, -sub and -unsub have rw access, I guess -bounce will need it too. I've got some more updates, I'll fix that.
> BTW: the queue and subconf directories also need a trailing slash (or can be removed from the profile if you don't find complaints about this in the audit.log ;-)
I wanted to be careful and not change too much, I don't know mlmmj at all.
+/usr/bin/mlmmj-sub {
> Another missing trailing slash for the "text" directory (or a superfluous rule ;-)
>
> After adjusting those details, please attach the full mlmmj profiles as tarball. Your diff doesn't cleanly apply to the upstream profiles (not too surprising, probably they changed in the meantime), so having the full files makes things easier for me ;-)
Okay, will do.
http://bugzilla.suse.com/show_bug.cgi?id=1000201#c3

--- Comment #3 from Per Jessen <per@computer.org> ---
Over the last couple of days, I have been slowly updating/reviewing the mlmmj profiles. I'll attach them one by one. mlmmj-maintd will have to wait a day or two until I'm sure no more changes are needed.
http://bugzilla.suse.com/show_bug.cgi?id=1000201#c4

--- Comment #4 from Per Jessen <per@computer.org> ---
Created attachment 694100
  --> http://bugzilla.suse.com/attachment.cgi?id=694100&action=edit
usr.bin.mlmmj-receive

Changes: have removed read permission on incoming/*.
http://bugzilla.suse.com/show_bug.cgi?id=1000201#c5

Per Jessen <per@computer.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #693398|0                           |1
        is obsolete|                            |
Attachment #694100|0                           |1
        is obsolete|                            |

--- Comment #5 from Per Jessen <per@computer.org> ---
Created attachment 694102
  --> http://bugzilla.suse.com/attachment.cgi?id=694102&action=edit
usr.bin.mlmmj-receive

Changes: Have added read permissions on incoming/.
http://bugzilla.suse.com/show_bug.cgi?id=1000201#c6

--- Comment #6 from Per Jessen <per@computer.org> ---
Created attachment 694103
  --> http://bugzilla.suse.com/attachment.cgi?id=694103&action=edit
usr.bin.mlmmj-sub

Significant changes: have added trailing slashes on dirs, enabled file lock on {subscribers.d/digesters.d/nomailsubs.d}/*
http://bugzilla.suse.com/show_bug.cgi?id=1000201#c7

--- Comment #7 from Per Jessen <per@computer.org> ---
Created attachment 694112
  --> http://bugzilla.suse.com/attachment.cgi?id=694112&action=edit
usr.bin.mlmmj-unsub

Significant changes: Added trailing slashes to dirs, removed superfluous trailing comments, enabled file lock on {subscribers/digesters/nomailsubs}.d/*

I think maybe someone in the past mistook the 'l' flag to mean lock.
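The two mistakes that recur through these comments, directory rules without a trailing slash (comment #1's remarks on queue, subconf and text, and the fixes in comments #6 and #7) and 'l' being read as "lock" when it is link permission, can be caught mechanically. The linter below is an added example, not part of the bug report or of the mlmmj or AppArmor profiles; the sample profile and the directory-name list are constructed for illustration.

```python
import re

# Constructed sample profile, loosely modelled on the mlmmj-bounce rules quoted
# in the bug report; it is NOT the shipped profile.
SAMPLE_PROFILE = """/usr/bin/mlmmj-bounce {
  /var/spool/mlmmj/*/subscribers.d rwl,
  /var/spool/mlmmj/*/subscribers.d/* rwl,
  /var/spool/mlmmj/*/queue rw,
  /var/spool/mlmmj/*/text r,
  /usr/bin/mlmmj-maintd Px,
}
"""

# Directory names that appear in the profiles under discussion. Assumption for
# this offline example: on a real host you would stat the resolved paths instead.
KNOWN_DIRS = {
    "subscribers.d", "digesters.d", "nomailsubs.d", "queue", "requeue",
    "subconf", "unsubconf", "text", "incoming",
}

# One file rule: absolute path (globs allowed), whitespace, permission letters,
# terminating comma. Profile headers, closing braces and comments do not match.
RULE_RE = re.compile(r"^\s*(/\S+)\s+([A-Za-z]+)\s*,")


def lint_profile(text, known_dirs=KNOWN_DIRS):
    """Return (line, path, message) findings for the two recurring mistakes."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue
        path, perms = m.groups()
        last = path.rstrip("/").rsplit("/", 1)[-1]
        if last in known_dirs and not path.endswith("/"):
            # Without the slash the rule matches a file of that name, so
            # access to the directory itself is still denied.
            findings.append((lineno, path, "directory rule needs trailing '/'"))
        if "l" in perms:
            # 'l' grants link permission; file locking is 'k'. Flag for review.
            findings.append((lineno, path, "'l' is link, not lock; use 'k' for locking"))
    return findings


if __name__ == "__main__":
    for lineno, path, msg in lint_profile(SAMPLE_PROFILE):
        print(f"line {lineno}: {path}: {msg}")
```

Running it against a real profile file (read into `text`) gives a list to compare against the DENIED entries in audit.log before deciding whether a rule needs the slash or can be dropped.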
http://bugzilla.suse.com/show_bug.cgi?id=1000201#c8

--- Comment #8 from Per Jessen <per@computer.org> ---
Created attachment 694113
  --> http://bugzilla.suse.com/attachment.cgi?id=694113&action=edit
usr.bin.mlmmj-send

Changes: trailing slashes, file lock, digesters.d
http://bugzilla.suse.com/show_bug.cgi?id=1000201#c9

--- Comment #9 from Per Jessen <per@computer.org> ---
Created attachment 694114
  --> http://bugzilla.suse.com/attachment.cgi?id=694114&action=edit
usr.bin.mlmmj-process

Significant changes: trailing slashes, read permission on {subscribers,digesters,nomailsubs}.d/*.
http://bugzilla.suse.com/show_bug.cgi?id=1000201#c10

Bernhard Wiedemann <bwiedemann@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bwiedemann@suse.com,
                   |                            |rgoldwyn@suse.com

--- Comment #10 from Bernhard Wiedemann <bwiedemann@suse.com> ---
CCing SLE apparmor-profiles maintainer
http://bugzilla.suse.com/show_bug.cgi?id=1000201#c11

--- Comment #11 from Per Jessen <per@computer.org> ---
Created attachment 694117
  --> http://bugzilla.suse.com/attachment.cgi?id=694117&action=edit
usr.bin.mlmmj-bounce

Changes: add read permissions for {digesters,nomailsubs}.d, restricted permissions to 'r' for subscribers. Added execute for /usr/bin/mlmmj-maintd.

I think the 'rwl' permissions are odd, I don't see mlmmj working with symlinks anywhere.
http://bugzilla.suse.com/show_bug.cgi?id=1000201#c13

Per Jessen <per@computer.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #694664|0                           |1
        is obsolete|                            |

--- Comment #13 from Per Jessen <per@computer.org> ---
Created attachment 694916
  --> http://bugzilla.suse.com/attachment.cgi?id=694916&action=edit
usr.bin.mlmmj-process

One more minor update.
http://bugzilla.suse.com/show_bug.cgi?id=1000201#c14

Per Jessen <per@computer.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(per@computer.org) |

--- Comment #14 from Per Jessen <per@computer.org> ---
Created attachment 694917
  --> http://bugzilla.suse.com/attachment.cgi?id=694917&action=edit
usr.bin.mlmmj-maintd

Changes: Trailing slashes, execute permissions, read-write on queue,requeue,subconf,unsubconf.
Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|                            |ibs:running:3565:low
http://bugzilla.suse.com/show_bug.cgi?id=1000201#c28

--- Comment #28 from Bernhard Wiedemann <bwiedemann@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1000201) was mentioned in
https://build.opensuse.org/request/show/449601 Factory / apparmor
http://bugzilla.suse.com/show_bug.cgi?id=1000201#c29

--- Comment #29 from Bernhard Wiedemann <bwiedemann@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1000201) was mentioned in
https://build.opensuse.org/request/show/449669 Factory / apparmor
http://bugzilla.suse.com/show_bug.cgi?id=1000201#c30

--- Comment #30 from Bernhard Wiedemann <bwiedemann@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1000201) was mentioned in
https://build.opensuse.org/request/show/449700 13.2 / apparmor
Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|ibs:running:3565:low        |ibs:running:3565:low
                   |                            |obs:running:6223:moderate
Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|ibs:running:3565:low        |ibs:running:3565:low
                   |obs:running:6223:moderate   |
http://bugzilla.suse.com/show_bug.cgi?id=1000201#c31

--- Comment #31 from Swamp Workflow Management <swamp@suse.de> ---
openSUSE-RU-2017:0186-1: An update that has 5 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1000201,1009964,1014463,980596,990006
CVE References: 
Sources used:
openSUSE 13.2 (src):    apparmor-2.9.4-10.1
http://bugzilla.suse.com/show_bug.cgi?id=1000201#c32

--- Comment #32 from Bernhard Wiedemann <bwiedemann@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1000201) was mentioned in
https://build.opensuse.org/request/show/452189 Factory / apparmor
Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|ibs:running:3565:low        |ibs:running:3565:low
                   |                            |obs:running:6333:low
                   |                            |obs:running:6331:low
Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|ibs:running:3565:low        |ibs:running:3565:low
                   |obs:running:6333:low        |
                   |obs:running:6331:low        |
http://bugzilla.suse.com/show_bug.cgi?id=1000201#c34

--- Comment #34 from Swamp Workflow Management <swamp@suse.de> ---
openSUSE-RU-2017:0443-1: An update that has 10 recommended fixes can now be installed.

Category: recommended (low)
Bug References: 1000201,1009964,1014463,1015249,1016259,1017260,980081,980596,987607,990006
CVE References: 
Sources used:
openSUSE Leap 42.1 (src):    apparmor-2.10.2-9.1
http://bugzilla.suse.com/show_bug.cgi?id=1000201#c35

--- Comment #35 from Swamp Workflow Management <swamp@suse.de> ---
openSUSE-RU-2017:0448-1: An update that has 7 recommended fixes can now be installed.

Category: recommended (low)
Bug References: 1000201,1009964,1014463,1015249,1016259,1017260,980081
CVE References: 
Sources used:
openSUSE Leap 42.2 (src):    apparmor-2.10.2-10.1
Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|ibs:running:3565:low        |ibs:running:3565:moderate
http://bugzilla.suse.com/show_bug.cgi?id=1000201#c36

--- Comment #36 from Swamp Workflow Management <swamp@suse.de> ---
SUSE-SU-2017:1151-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (moderate)
Bug References: 1000201,1016259,1022610,1029696,1031529
CVE References: CVE-2017-6507
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    apparmor-2.8.2-54.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    apparmor-2.8.2-54.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    apparmor-2.8.2-54.1
SUSE Linux Enterprise Server 12-SP2 (src):    apparmor-2.8.2-54.1
SUSE Linux Enterprise Server 12-SP1 (src):    apparmor-2.8.2-54.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    apparmor-2.8.2-54.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    apparmor-2.8.2-54.1
OpenStack Cloud Magnum Orchestration 7 (src):    apparmor-2.8.2-54.1
Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|ibs:running:3565:moderate   |