On Fri, Feb 16, 2018 at 08:48:06AM -0700, Thomas Vaughan wrote: > I see that this bug is closed, but I see something similar in my > system log. I am running Debian unstable updated as of yesterday. It > seems that libreoffice is trying to make use of OpenCL, and I have a > couple of OpenCL ICDs installed.
And I don't believe we should fix anything in one bug. This bug is fixed, all messages it talked about are gone. If you want to have more stuff fixed, please use a new bug. But yes, I am aware not all apparmor issues are gone. There always will be stuff denied. That's why it's still in complain mode. We also shouldn't allow anything. > After opening a PDF file in LibreOffice Draw, I saw the following from > logcheck: To be honest, I consider this feature to be existing a bug per se. > Feb 15 17:41:31 foo-machine kernel: [85508.697711] kauditd_printk_skb: > 8 callbacks suppressed > Feb 15 17:41:31 foo-machine kernel: [85508.697712] audit: type=1400 > audit(1518741691.452:20): apparmor="ALLOWED" operation="open" > profile="libreoffice-soffice" name="/etc/OpenCL/vendors/pocl.icd" > pid=11676 comm="soffice.bin" requested_mask="r" denied_mask="r" > fsuid=1000 ouid=0 > Feb 15 17:41:31 foo-machine kernel: [85509.116067] audit: type=1400 > audit(1518741691.868:21): apparmor="ALLOWED" operation="open" > profile="libreoffice-soffice" > name="/sys/devices/system/node/node0/meminfo" pid=11676 > comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 > ouid=0 > Feb 15 17:41:32 foo-machine kernel: [85509.881791] audit: type=1400 > audit(1518741692.636:22): apparmor="ALLOWED" operation="open" > profile="libreoffice-soffice" name="/etc/OpenCL/vendors/mesa.icd" > pid=11676 comm="soffice.bin" requested_mask="r" denied_mask="r" > fsuid=1000 ouid=0 > Feb 15 17:41:33 foo-machine kernel: [85510.820260] audit: type=1400 > audit(1518741693.572:23): apparmor="ALLOWED" operation="file_mmap" > profile="libreoffice-soffice" > name="/usr/lib/x86_64-linux-gnu/gallium-pipe/pipe_nouveau.so" > pid=11676 comm="soffice.bin" requested_mask="m" denied_mask="m" > fsuid=1000 ouid=0 > Feb 15 17:41:33 foo-machine kernel: [85510.877083] audit: type=1400 > audit(1518741693.628:24): apparmor="ALLOWED" operation="file_mmap" > profile="libreoffice-soffice" > name="/usr/lib/x86_64-linux-gnu/gallium-pipe/pipe_nouveau.so" > pid=11676 comm="soffice.bin" requested_mask="m" denied_mask="m" > fsuid=1000 ouid=0 > Feb 15 17:41:33 foo-machine kernel: [85510.883425] audit: type=1400 > audit(1518741693.636:25): apparmor="ALLOWED" operation="file_mmap" > profile="libreoffice-soffice" > name="/usr/lib/x86_64-linux-gnu/gallium-pipe/pipe_swrast.so" pid=11676 > comm="soffice.bin" requested_mask="m" denied_mask="m" fsuid=1000 > ouid=0 > Feb 15 17:41:33 foo-machine kernel: [85510.975466] audit: type=1400 > audit(1518741693.728:26): apparmor="ALLOWED" operation="mknod" > profile="libreoffice-soffice" > name="/home/tevaugha/.cache/mesa_shader_cache/index" pid=11676 > comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000 > ouid=1000 > Feb 15 17:41:33 foo-machine kernel: [85510.975479] audit: type=1400 > audit(1518741693.728:27): apparmor="ALLOWED" operation="open" > profile="libreoffice-soffice" > name="/home/tevaugha/.cache/mesa_shader_cache/index" pid=11676 > comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000 > ouid=1000 > Feb 15 17:41:33 foo-machine kernel: [85510.975481] audit: type=1400 > audit(1518741693.728:28): apparmor="ALLOWED" operation="truncate" > profile="libreoffice-soffice" > name="/home/tevaugha/.cache/mesa_shader_cache/index" pid=11676 > comm="soffice.bin" requested_mask="w" denied_mask="w" fsuid=1000 > ouid=1000 > Feb 15 17:41:33 foo-machine kernel: [85511.100060] audit: type=1400 > audit(1518741693.852:29): apparmor="ALLOWED" operation="open" > profile="libreoffice-soffice" > name="/etc/OpenCL/vendors/intel-beignet-x86_64-linux-gnu.icd" > pid=11676 comm="soffice.bin" requested_mask="r" denied_mask="r" > fsuid=1000 ouid=0 > Feb 15 17:41:36 foo-machine kernel: [85513.938456] kauditd_printk_skb: > 321 callbacks suppressed > Feb 15 17:41:36 foo-machine kernel: [85513.938457] audit: type=1400 > audit(1518741696.692:351): apparmor="ALLOWED" operation="mknod" > profile="libreoffice-soffice" > name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676 > comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000 > ouid=1000 > Feb 15 17:41:36 foo-machine kernel: [85513.938476] audit: type=1400 > audit(1518741696.692:352): apparmor="ALLOWED" operation="open" > profile="libreoffice-soffice" > name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676 > comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000 > ouid=1000 > Feb 15 17:41:36 foo-machine kernel: [85513.938502] audit: type=1400 > audit(1518741696.692:353): apparmor="ALLOWED" operation="unlink" > profile="libreoffice-soffice" > name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676 > comm="soffice.bin" requested_mask="d" denied_mask="d" fsuid=1000 > ouid=1000 > Feb 15 17:41:36 foo-machine kernel: [85513.938522] audit: type=1400 > audit(1518741696.692:354): apparmor="ALLOWED" operation="mknod" > profile="libreoffice-soffice" > name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl.tmp" > pid=11676 comm="soffice.bin" requested_mask="c" denied_mask="c" > fsuid=1000 ouid=1000 > Feb 15 17:41:36 foo-machine kernel: [85513.938531] audit: type=1400 > audit(1518741696.692:355): apparmor="ALLOWED" operation="open" > profile="libreoffice-soffice" > name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl.tmp" > pid=11676 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" > fsuid=1000 ouid=1000 > Feb 15 17:41:36 foo-machine kernel: [85513.938556] audit: type=1400 > audit(1518741696.692:356): apparmor="ALLOWED" operation="rename_src" > profile="libreoffice-soffice" > name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl.tmp" > pid=11676 comm="soffice.bin" requested_mask="wrd" denied_mask="wrd" > fsuid=1000 ouid=1000 > Feb 15 17:41:36 foo-machine kernel: [85513.938558] audit: type=1400 > audit(1518741696.692:357): apparmor="ALLOWED" operation="rename_dest" > profile="libreoffice-soffice" > name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676 > comm="soffice.bin" requested_mask="wc" denied_mask="wc" fsuid=1000 > ouid=1000 > Feb 15 17:41:36 foo-machine kernel: [85513.938573] audit: type=1400 > audit(1518741696.692:358): apparmor="ALLOWED" operation="mknod" > profile="libreoffice-soffice" > name="/home/tevaugha/.cache/pocl/kcache/tempfile_WAx5lA.cl" pid=11676 > comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000 > ouid=1000 > Feb 15 17:41:36 foo-machine kernel: [85513.938583] audit: type=1400 > audit(1518741696.692:359): apparmor="ALLOWED" operation="open" > profile="libreoffice-soffice" > name="/home/tevaugha/.cache/pocl/kcache/tempfile_WAx5lA.cl" pid=11676 > comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000 > ouid=1000 > Feb 15 17:41:36 foo-machine kernel: [85513.990375] audit: type=1400 > audit(1518741696.744:360): apparmor="ALLOWED" operation="open" > profile="libreoffice-soffice" > name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676 > comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 > ouid=1000 So OpenCL until here, unless I oversaw something else above... > Feb 15 17:42:25 foo-machine kernel: [85562.858570] kauditd_printk_skb: > 80 callbacks suppressed > Feb 15 17:42:25 foo-machine kernel: [85562.858571] audit: type=1400 > audit(1518741745.613:441): apparmor="DENIED" operation="file_inherit" > profile="libreoffice-xpdfimport" > name="/home/tevaugha/Documents/Downloads/ICUSB2324852.pdf" pid=11960 > comm="xpdfimport" requested_mask="wr" denied_mask="wr" fsuid=1000 > ouid=1000 w? The document opened, though or did that fail? > Feb 15 17:42:26 foo-machine kernel: [85563.650059] audit: type=1400 > audit(1518741746.405:442): apparmor="ALLOWED" operation="open" > profile="libreoffice-soffice" > name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/cert9.db" > pid=11946 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" > fsuid=1000 ouid=1000 > Feb 15 17:42:26 foo-machine kernel: [85563.650122] audit: type=1400 > audit(1518741746.405:443): apparmor="ALLOWED" operation="file_lock" > profile="libreoffice-soffice" > name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/cert9.db" > pid=11946 comm="soffice.bin" requested_mask="k" denied_mask="k" > fsuid=1000 ouid=1000 > Feb 15 17:42:26 foo-machine kernel: [85563.650551] audit: type=1400 > audit(1518741746.405:444): apparmor="ALLOWED" operation="open" > profile="libreoffice-soffice" > name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/key4.db" > pid=11946 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" > fsuid=1000 ouid=1000 > Feb 15 17:42:26 foo-machine kernel: [85563.650599] audit: type=1400 > audit(1518741746.405:445): apparmor="ALLOWED" operation="file_lock" > profile="libreoffice-soffice" > name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/key4.db" > pid=11946 comm="soffice.bin" requested_mask="k" denied_mask="k" > fsuid=1000 ouid=1000 Hrmpf. more mozilla stuff. Regards, Rene