Hello,

On Tuesday, 20 September 2016, 09:57:45 CEST Per Jessen wrote:
> Christian, something for you - when the profiles were in "enforce", I see
> these in the log -
>
> /usr/bin/mlmmj-bounce[18839]: subscriberfuncs.c:122: Could not opendir(/var/spool/mlmmj/opensuse//subscribers.d/): Permission denied
> /usr/bin/mlmmj-sub[5174]: subscriberfuncs.c:122: Could not opendir(/var/spool/mlmmj/opensuse//subscribers.d/): Permission denied
> /usr/bin/mlmmj-unsub[3419]: subscriberfuncs.c:122: Could not opendir(/var/spool/mlmmj/opensuse-security-announce//subscribers.d/): Permission denied
>
> Looking at the profile for mlmmj-bounce:
>
> /usr/bin/mlmmj-bounce {
>   #include
>   /usr/bin/mlmmj-bounce r,
>   /usr/bin/mlmmj-send Px,
>   /var/spool/mlmmj/*/subscribers.d rwl, #
This profile looks _really_ old.

Rules to allow directory listings (basically allowing "ls") need to have a trailing slash, so the rule should be

  /var/spool/mlmmj/*/subscribers.d/ rwl,

You'll also need to add the trailing slash in all other directory rules. Rules without trailing slash are for files (also sockets, device nodes etc. - everything except directories).

Looooong time ago, AppArmor did not have the trailing slash requirement. I'm not sure when exactly this changed. With a quick "bzr blame", I found out that it was added to the manpage in April 2007 - so the implementation of "trailing slash for directories" in the code can probably celebrate its 10th birthday already ;-)

I also wonder if "l" (hardlink) permissions make sense for a directory. IIRC I only needed them for some files (never for directories) - but they don't really hurt.
>   /var/spool/mlmmj/*/subscribers.d/* rwl,
>   /var/spool/mlmmj/*/subconf rwl, #
..../subconf/ rwl,
>   /var/spool/mlmmj/*/subconf/* rwl,
>   /var/spool/mlmmj/*/queue rwl, #
.../queue/ rwl,
>   /var/spool/mlmmj/*/queue/* rwl,
>   /var/spool/mlmmj/*/bounce/ rwl,
That rule was probably added later - it has a trailing slash. Also, I'm slightly surprised that there isn't a rule for the files inside the bounce directory.
> }
>
> The trailing '#'s look a bit odd, but I guess they're okay.
# simply indicates the start of a comment. Actually an empty comment ;-)
Except if they were meant to be at the beginning of the next line?
You'll need to ask someone who knows mlmmj to find out which part of mlmmj needs to read and write which files (or you (ab)use AppArmor to find it out), but there's nothing that looks obviously wrong or too generous.
> /usr/bin/mlmmj-sub {
>   #include
>   capability setuid,
>   /usr/bin/mlmmj-send Px,
>   /usr/bin/mlmmj-sub r,
>   /var/spool/mlmmj/*/control r, #
>   /var/spool/mlmmj/*/control/* r,
>   /var/spool/mlmmj/*/queue w, #
>   /var/spool/mlmmj/*/queue/* w,
>   /var/spool/mlmmj/*/subconf w, #
>   /var/spool/mlmmj/*/subconf/* w,
>   /var/spool/mlmmj/*/subscribers.d rw,
>   /var/spool/mlmmj/*/subscribers.d/* rw,
>   /var/spool/mlmmj/*/subscribers.d/.d.lock lw,
>   /var/spool/mlmmj/*/text r, #
>   /var/spool/mlmmj/*/text/* r,
> }
>
> Why does mlmmj-unsub have a problem with
> /var/spool/mlmmj/opensuse-security-announce//subscribers.d/ ?
You should be able to answer this yourself after reading what I wrote above ;-)
> This doesn't look right though:
>
> /usr/bin/mlmmj-unsub {
>   #include
>   /usr/bin/mlmmj-unsub r,
>   /usr/bin/mlmmj-send Px,
>   /var/spool/mlmmj/*/control r, #
>   /var/spool/mlmmj/*/control/* r,
>   /var/spool/mlmmj/*/text r, #
>   /var/spool/mlmmj/*/text/* r,
>   /var/spool/mlmmj/*/subscribers.d r,
>   /var/spool/mlmmj/*/subscribers.d/* r,
>   /var/spool/mlmmj/*/queue rwl, #
>   /var/spool/mlmmj/*/queue/* rwl,
>   /var/spool/mlmmj/*/unsubconf rwl, #
>   /var/spool/mlmmj/*/unsubconf/* rwl,
>   /var/spool/mlmmj/*/subscribers.d rwl, #
>   /var/spool/mlmmj/*/subscribers.d/* rwl,
> }
>
> Double entries for /var/spool/mlmmj/*/subscribers.d ?
They get merged, so

  /var/spool/mlmmj/*/subscribers.d r,
  /var/spool/mlmmj/*/subscribers.d/* r,
  /var/spool/mlmmj/*/subscribers.d rwl, #
  /var/spool/mlmmj/*/subscribers.d/* rwl,

is effectively

  /var/spool/mlmmj/*/subscribers.d rwl, #
  /var/spool/mlmmj/*/subscribers.d/* rwl,

Again, you'll need to add trailing slashes for the directory rules.

After editing the profiles, please run

  rcapparmor reload

to reload them. (Do NOT use "restart" because this does bad things and kills a cat when used with systemd.)

If you still see ALLOWED or DENIED events in audit.log, please paste those lines into a mail ;-)

Regards,

Christian Boltz
-- 
This signature is temporarily unavailable. Please try again later or leave a message before the signature separator. Beep.
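The two points Christian makes above (directory rules need a trailing slash; duplicate rules for one path are merged, with their permissions unioned) as an added example that is not part of this thread and is not code from mlmmj or AppArmor. The Python script below parses a profile body, merges duplicate file rules the way the parser does, extracts the directories named in "Could not opendir(...)" log lines, and reports which rules match a denied directory only as a file and therefore need a trailing slash. The profile text and log lines are constructed from the ones quoted in the mail; the glob handling covers only `*`, `**` and `?`, and the rule parsing covers plain path rules only (no abstractions, alternations or variables), which is enough for these profiles.

```python
import re

# Constructed sample profile body, modelled on the mlmmj-unsub profile quoted
# in the thread (the bare "#include" is kept as the thread shows it; the
# trailing "#" is an empty comment, exactly as in the quoted profile).
PROFILE = """
/usr/bin/mlmmj-unsub {
  #include
  /usr/bin/mlmmj-unsub r,
  /usr/bin/mlmmj-send Px,
  /var/spool/mlmmj/*/control r, #
  /var/spool/mlmmj/*/control/* r,
  /var/spool/mlmmj/*/subscribers.d r,
  /var/spool/mlmmj/*/subscribers.d/* r,
  /var/spool/mlmmj/*/queue rwl, #
  /var/spool/mlmmj/*/queue/* rwl,
  /var/spool/mlmmj/*/subscribers.d rwl, #
  /var/spool/mlmmj/*/subscribers.d/* rwl,
  /var/spool/mlmmj/*/bounce/ rwl,
}
"""

# Constructed log lines modelled on the ones quoted in the thread.
LOG = """
/usr/bin/mlmmj-unsub[3419]: subscriberfuncs.c:122: Could not opendir(/var/spool/mlmmj/opensuse-security-announce//subscribers.d/): Permission denied
/usr/bin/mlmmj-bounce[18839]: subscriberfuncs.c:122: Could not opendir(/var/spool/mlmmj/opensuse//subscribers.d/): Permission denied
"""

RULE_RE = re.compile(r'^(/\S+)\s+([A-Za-z]+),$')
OPENDIR_RE = re.compile(r'Could not opendir\(([^)]+)\)')
PERM_ORDER = 'rwlkmPUpuCcix'   # display order only; AppArmor accepts any order


def parse_rules(profile_text):
    """Return {path_pattern: set(perm letters)} for the file rules in a profile.
    Repeated rules for the same path are merged by unioning their permissions,
    which is what the AppArmor parser does with duplicate entries."""
    rules = {}
    for raw in profile_text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments, incl. empty "#"
        m = RULE_RE.match(line)
        if m is None:                             # braces, capability, include, ...
            continue
        rules.setdefault(m.group(1), set()).update(m.group(2))
    return rules


def glob_to_regex(pattern):
    """AppArmor globbing: '*' stays within one path component, '**' may cross
    '/', '?' is a single character; everything else is literal."""
    out, i = '', 0
    while i < len(pattern):
        if pattern.startswith('**', i):
            out, i = out + '.*', i + 2
        elif pattern[i] == '*':
            out, i = out + '[^/]*', i + 1
        elif pattern[i] == '?':
            out, i = out + '[^/]', i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile('^' + out + '$')


def denied_dirs(log_text):
    """Directories named in 'Could not opendir(...)' messages, normalised the way
    the kernel sees them: repeated '/' collapsed, exactly one trailing '/'."""
    dirs = set()
    for m in OPENDIR_RE.finditer(log_text):
        dirs.add(re.sub(r'/+', '/', m.group(1)).rstrip('/') + '/')
    return dirs


def rules_missing_slash(rules, dirs):
    """Map each no-trailing-slash rule that matches a denied directory's path
    as if it were a file to that directory, unless a trailing-slash rule
    already covers the directory. These are the rules that need a '/'."""
    needs = {}
    for d in sorted(dirs):
        if any(p.endswith('/') and glob_to_regex(p).match(d) for p in rules):
            continue
        for p in rules:
            if not p.endswith('/') and glob_to_regex(p).match(d.rstrip('/')):
                needs[p] = d
    return needs


def fixed_rules(rules, needs):
    """Copy of the rule set with a trailing slash added to the flagged paths."""
    return {(p + '/' if p in needs else p): set(perms) for p, perms in rules.items()}


def render(rules):
    """Profile body lines, one merged rule per line."""
    return '\n'.join('  %s %s,' % (path, ''.join(sorted(perms, key=PERM_ORDER.find)))
                     for path, perms in sorted(rules.items()))


if __name__ == '__main__':
    rules = parse_rules(PROFILE)
    needs = rules_missing_slash(rules, denied_dirs(LOG))
    for path, d in needs.items():
        print('%s matches %s only as a file; add a trailing slash' % (path, d))
    print('\nmerged rules with the fix applied:')
    print(render(fixed_rules(rules, needs)))
```

Run it with python3; on the constructed input it flags `/var/spool/mlmmj/*/subscribers.d` (the rule that the `opendir()` failures in the log correspond to) and prints the merged rule set with `/var/spool/mlmmj/*/subscribers.d/ rwl,` in its place. It only reads text, so after applying the same change to the real profiles they still have to be reloaded as the mail says (`rcapparmor reload`).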