Package: apparmor-profiles Version: 2.7.103-4 Severity: normal Tags: upstream
Dear Maintainer, In Wheezy I've enabled complain mode for usr.sbin.ssh (from apparmor-profiles extras directory) and noticed these lines: Apr 20 08:52:43 vdebian2 kernel: [30870.004961] audit: type=1400 audit(1461131563.110:76): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sshd" name="/usr/share/ssh/blacklist.RSA-2048" pid=27843 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Apr 20 08:52:43 vdebian2 kernel: [30870.005132] audit: type=1400 audit(1461131563.110:77): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sshd" name="/usr/share/ssh/blacklist.DSA-1024" pid=27843 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Looks like it would be usefull to add rule to allow reading /usr/share/ssh/blacklist* files: $ apt-file search ssh/blacklist openssh-blacklist: /usr/share/ssh/blacklist.DSA-1024 openssh-blacklist: /usr/share/ssh/blacklist.RSA-2048 openssh-blacklist-extra: /usr/share/ssh/blacklist.DSA-2048 openssh-blacklist-extra: /usr/share/ssh/blacklist.RSA-1024 openssh-blacklist-extra: /usr/share/ssh/blacklist.RSA-4096 I do not see this rule HEAD: https://alioth.debian.org/scm/loggerhead/collab- maint/apparmor/view/head:/profiles/apparmor/profiles/extras/usr.sbin.sshd so I assume it's still relevant for latest releases. -- System Information: Debian Release: 7.10 APT prefers oldstable-updates APT policy: (500, 'oldstable-updates'), (500, 'oldstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages apparmor-profiles depends on: ii apparmor 2.7.103-4 apparmor-profiles recommends no packages. apparmor-profiles suggests no packages. -- no debconf information
