Bug#821881: marked as done (apparmor-profiles: sshd unable to read blacklists from openssh-blacklist* packages)

[Debian Bug Tracking System]

Your message dated Sat, 17 Dec 2016 15:18:48 +0000
with message-id <e1cigl6-000btl...@fasolo.debian.org>
and subject line Bug#821881: fixed in apparmor 2.10.95-8
has caused the Debian Bug report #821881,
regarding apparmor-profiles: sshd unable to read blacklists from 
openssh-blacklist* packages
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
821881: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=821881
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: apparmor-profiles
Version: 2.7.103-4
Severity: normal
Tags: upstream

Dear Maintainer,

In Wheezy I've enabled complain mode for usr.sbin.ssh (from apparmor-profiles
extras directory) and noticed these lines:

Apr 20 08:52:43 vdebian2 kernel: [30870.004961] audit: type=1400
audit(1461131563.110:76): apparmor="ALLOWED" operation="open"
profile="/usr/sbin/sshd" name="/usr/share/ssh/blacklist.RSA-2048" pid=27843
comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Apr 20 08:52:43 vdebian2 kernel: [30870.005132] audit: type=1400
audit(1461131563.110:77): apparmor="ALLOWED" operation="open"
profile="/usr/sbin/sshd" name="/usr/share/ssh/blacklist.DSA-1024" pid=27843
comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Looks like it would be usefull to add rule to allow reading
/usr/share/ssh/blacklist* files:

$ apt-file search ssh/blacklist
openssh-blacklist: /usr/share/ssh/blacklist.DSA-1024
openssh-blacklist: /usr/share/ssh/blacklist.RSA-2048
openssh-blacklist-extra: /usr/share/ssh/blacklist.DSA-2048
openssh-blacklist-extra: /usr/share/ssh/blacklist.RSA-1024
openssh-blacklist-extra: /usr/share/ssh/blacklist.RSA-4096

I do not see this rule HEAD: https://alioth.debian.org/scm/loggerhead/collab-
maint/apparmor/view/head:/profiles/apparmor/profiles/extras/usr.sbin.sshd so I
assume it's still relevant for latest releases.



-- System Information:
Debian Release: 7.10
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apparmor-profiles depends on:
ii  apparmor  2.7.103-4

apparmor-profiles recommends no packages.

apparmor-profiles suggests no packages.

-- no debconf information

--- End Message ---

--- Begin Message ---

Source: apparmor
Source-Version: 2.10.95-8

We believe that the bug you reported is fixed in the latest version of
apparmor, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 821...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
intrigeri <intrig...@debian.org> (supplier of updated apparmor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 17 Dec 2016 11:25:27 +0000
Source: apparmor
Binary: apparmor apparmor-utils apparmor-profiles apparmor-docs libapparmor-dev 
libapparmor1 libapparmor-perl libapache2-mod-apparmor libpam-apparmor 
apparmor-notify python-libapparmor python3-libapparmor python-apparmor 
python3-apparmor dh-apparmor apparmor-easyprof
Architecture: source
Version: 2.10.95-8
Distribution: unstable
Urgency: medium
Maintainer: Debian AppArmor Team <pkg-apparmor-t...@lists.alioth.debian.org>
Changed-By: intrigeri <intrig...@debian.org>
Closes: 742829 821881
Description: 
 apparmor-docs - documentation for AppArmor
 apparmor-easyprof - AppArmor easyprof profiling tool
 apparmor-notify - AppArmor notification system
 apparmor-profiles - profiles for AppArmor Security policies
 apparmor   - user-space parser utility for AppArmor
 apparmor-utils - utilities for controlling AppArmor
 dh-apparmor - AppArmor debhelper routines
 libapache2-mod-apparmor - changehat AppArmor library as an Apache module
 libapparmor1 - changehat AppArmor library
 libapparmor-dev - AppArmor development libraries and header files
 libapparmor-perl - AppArmor library Perl bindings
 libpam-apparmor - changehat AppArmor library as a PAM module
 python3-apparmor - AppArmor Python3 utility library
 python3-libapparmor - AppArmor library Python3 bindings
 python-apparmor - AppArmor Python utility library
 python-libapparmor - AppArmor library Python bindings
Changes:
 apparmor (2.10.95-8) unstable; urgency=medium
 .
   * Stop applying add-chromium-browser.patch: it's been broken for years
     on Debian, and nobody ever bothered to upstream this profile in a way
     that makes it work cross-distro (Closes: #742829).
   * r3441-sshd-blacklist.patch: new patch, cherry-picked from upstream
     (Closes: #821881).
   * r3497-add-ld.so.preload-to-abstractions-base.patch: new patch,
     cherry-picked from upstream.
   * r3600-usrmerge.patch: new patch, cherry-picked from upstream
     (resolves the parts of #843461 that can be handled in this package).
Checksums-Sha1: 
 beece68558f314982006200590280e8bd918d607 3208 apparmor_2.10.95-8.dsc
 25bdfcf13b8240e5bae6b988fc3f7daaceeb3164 107100 
apparmor_2.10.95-8.debian.tar.xz
Checksums-Sha256: 
 4e8bd686c18c3b58a0ebbae11fe18d77aa7f01afb66f749d25ba943eb0a9408d 3208 
apparmor_2.10.95-8.dsc
 8dd6536a58105614039536484899da28514a8e9c81e0d2c56444001b119c2d4a 107100 
apparmor_2.10.95-8.debian.tar.xz
Files: 
 b1160741fa941faf1b5a5ad4cad9944f 3208 admin extra apparmor_2.10.95-8.dsc
 45240de7efd2f8d99a9e9e70f67b2c1e 107100 admin extra 
apparmor_2.10.95-8.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE5UP557t8LGTy13pc7G2Dvyn8Ko4FAlhVQ1AACgkQ7G2Dvyn8
Ko5e5BAAjWxSs/qpq8hhaCZ0GXm+7jilNfbj+cLBaOP7E7fOTBO9fXFQFTiVfgQx
TZPWmNXxKGFLHg4Pc0SxQtRd+9NDOA/JFrSkdI6EItqnLBHeDuXN+KTVYGAOd6Py
BDYqq7V7Tp2IH+ajntav2MeY+cy0s33I/avgSmrr9eRjfRCcOBvBj96O7BUDdIW+
DvvqfwRCEaYs3UcuVmpxakLzLfSIQ9ErVOgSWLepKNNCdSqCnUfCXikfq/aRDWSY
2mEI7HweAkEE9dG8IT45pmaOahO5yYV/Mn/eu8WMi0Niw+3Y3/POzSKZWN0sQ4v0
vXGrAantERMP15Kz3Bt+T0voyeT9T5aGncqrg0cWV1HanO5iTvOsFIFojhfqZOsz
iLI6c6yGpfs9vRMRbFzOEOOAhWCeH81pnoZdPfghkUmGZUXR9exksgfEqgM9dQaF
OZGqbkpS/l9bYTg3cDKvWOQX5B8q2AkVl3SLLWUD7WHjHZAtZXc/ka1sLvm07D/W
rR6rg0a1f1yO/pcj9alSfGuqurKRy3oQ1poZrBrvRlhRgftanL5xjJKaofvzOUbc
lBQW01BuJyr3mk6aLLHZecENcJGENV6xP9S5LXQ07ynacjNZdGjsAU7+pu5rjQ8X
bbQquBRJCDr1ijEwhWwFw0kz5W4FCEwV1EBYPVJ7Ld7EHMf7rso=
=ywd7
-----END PGP SIGNATURE-----

--- End Message ---