Your message dated Wed, 06 May 2015 22:00:21 +0000
with message-id <e1yq7mb-0008ep...@franck.debian.org>
and subject line Bug#780456: fixed in lightdm 1.14.0-1
has caused the Debian Bug report #780456,
regarding Guest session AppArmor profile doesn't work
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
780456: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780456
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: lightdm
Version: 1.10.3-3
Severity: normal
Tags: security patch

Hello,

The current AA profile in Jessie doesn't reference the correct exec, and some 
rules are missing.

Attached an updated profile and the corresponding patch.

I don't know if this would fit for Jessie, as:
- guest-sessions are not enabled by default,
- but, they should be secure by default

Regards

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lightdm depends on:
ii  adduser                                3.113+nmu3
ii  dbus                                   1.8.12-3
ii  debconf [debconf-2.0]                  1.5.55
ii  libc6                                  2.19-13
ii  libgcrypt20                            1.6.2-4+b1
ii  libglib2.0-0                           2.42.1-1
ii  libpam-systemd                         215-11
ii  libpam0g                               1.1.8-3.1
ii  libxcb1                                1.10-3+b1
ii  libxdmcp6                              1:1.1.1-1+b1
ii  lightdm-gtk-greeter [lightdm-greeter]  1.8.5-2

Versions of packages lightdm recommends:
ii  xserver-xorg  1:7.7+7

Versions of packages lightdm suggests:
ii  accountsservice  0.6.37-3+b1
ii  upower           0.99.1-3.1

-- debconf information:
  lightdm/daemon_name: /usr/sbin/lightdm
* shared/default-x-display-manager: lightdm
# vim:syntax=apparmor
# Profile for restricting lightdm guest session 
# Author: Martin Pitt <martin.p...@ubuntu.com>

#include <tunables/global>

/usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session {
  #include <abstractions/authentication>
  #include <abstractions/nameservice>
  #include <abstractions/wutmp>
  /etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678
 
  / r,
  /bin/ rmix,
  /bin/fusermount Px,
  /bin/** rmix,
  /cdrom/ rmix,
  /cdrom/** rmix,
  /dev/ r,
  /dev/** rmw, # audio devices etc.
  owner /dev/shm/** rmw,
  /etc/ r,
  /etc/** rmk,
  /etc/gdm/Xsession ix,
  /etc/X11/Xsession ix,
  /lib/ r,
  /lib/** rmixk,
  /lib32/ r,
  /lib32/** rmixk,
  /lib64/ r,
  /lib64/** rmixk,
  owner /media/ r,
  owner /media/** rmwlixk,  # we want access to USB sticks and the like
  /opt/ r,
  /opt/** rmixk,
  @{PROC}/ r,
  @{PROC}/* rm,
  @{PROC}/asound rm,
  @{PROC}/asound/** rm,
  @{PROC}/ati rm,
  @{PROC}/ati/** rm,
  owner @{PROC}/** rm,
  # needed for gnome-keyring-daemon
  @{PROC}/*/status r,
  /sbin/ r,
  /sbin/** rmixk,
  /sys/ r,
  /sys/** rm,
  /tmp/ rw,
  owner /tmp/** rwlkmix,
  /usr/ r,
  /usr/** rmixk,
  /var/ r,
  /var/** rmixk,
  /var/guest-data/** rw, # allow to store files permanently
  /var/tmp/ rw,
  owner /var/tmp/** rwlkm,
  /{,var/}run/ r,
  # necessary for writing to sockets, etc.
  /{,var/}run/** rmkix,
  /{,var/}run/shm/** wl,
  /{,var/}run/uuid/request w,
  # libpam-xdg-support/logind
  owner /{,var/}run/user/*/** rw,

  capability ipc_lock,

  # silence warnings for stuff that we really don't want to grant
  deny capability dac_override,
  deny capability dac_read_search,
  #deny /etc/** w, # re-enable once LP#697678 is fixed
  deny /usr/** w,
  deny /var/crash/ w,
}
--- apparmor/lightdm-guest-session.dpkg-dist	2015-03-10 08:13:32.463146490 +0100
+++ apparmor/lightdm-guest-session	2015-03-10 08:14:26.789023315 +0100
@@ -4,7 +4,7 @@
 
 #include <tunables/global>
 
-/usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session-wrapper {
+/usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session {
   #include <abstractions/authentication>
   #include <abstractions/nameservice>
   #include <abstractions/wutmp>
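Review bot: the new attachment line `/usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session {` still hard-codes the amd64 multiarch triplet, so on any other architecture the profile would attach to nothing, which is the same failure this change fixes for the renamed binary. Consider matching the triplet directory with a pattern or substituting the path at package build time, and add a comment recording which executable the guest session is actually started from.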
@@ -22,6 +22,7 @@
   /etc/ r,
   /etc/** rmk,
   /etc/gdm/Xsession ix,
+  /etc/X11/Xsession ix,
   /lib/ r,
   /lib/** rmixk,
   /lib32/ r,
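Review bot: `/etc/X11/Xsession ix,` is added with no comment saying what invokes it, while the neighbouring `/etc/gdm/Xsession ix,` is left in place. If the gdm path is not used by the guest session on this distribution, drop it in the same change; otherwise a short comment on each line naming the session launcher would make the two rules auditable.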
@@ -58,6 +59,9 @@
   # necessary for writing to sockets, etc.
   /{,var/}run/** rmkix,
   /{,var/}run/shm/** wl,
+  /{,var/}run/uuid/request w,
+  # libpam-xdg-support/logind
+  owner /{,var/}run/user/*/** rw,
 
   capability ipc_lock,
 
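Review bot: the added `owner /{,var/}run/user/*/** rw,` sits under the context rule `/{,var/}run/** rmkix,`, which already grants read on everything below `/run` with no `owner` qualifier, so the new line only adds write access and does not limit reads to the guest's own runtime directory. If that limit is intended, the broad rule needs narrowing as well. The `/{,var/}run/uuid/request w,` line also deserves a comment naming the client that needs it, as the logind rule has.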

--- End Message ---
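
The failure this report describes, a profile header naming a path that is not the real executable, can be checked mechanically. The shell sketch below is an added example, not part of the bug report or the lightdm package; it handles only literal absolute-path profile headers, and the fake root and profile stubs in `demo` are constructed.

```shell
#!/bin/sh
# Added example, not part of the bug report or the lightdm package.
# Flags AppArmor profiles whose attachment path names no executable, which
# is how a profile silently fails to confine anything.

# Print the path of each top-level "/abs/path {" profile header in file $1.
profile_attachments() {
    sed -n 's/^\(\/[^[:space:]]*\)[[:space:]].*{[[:space:]]*$/\1/p' "$1"
}

# stale_attachments PROFILE [ROOT]: print attachments that are not an
# executable regular file under ROOT (empty ROOT = the live filesystem).
stale_attachments() {
    root=${2:-}
    profile_attachments "$1" | while IFS= read -r path; do
        case $path in
            # glob or variable in the name: cannot be checked with a stat
            *\**|*\?*|*\[*|*\{*|*@*) continue ;;
        esac
        { [ -f "$root$path" ] && [ -x "$root$path" ]; } || printf '%s\n' "$path"
    done
}

# Constructed demo: a fake root holding only the binary named by the patched
# profile, checked against the old (-wrapper) and new profile headers.
demo() {
    tmp=$(mktemp -d) || return 1
    dir=/usr/lib/x86_64-linux-gnu/lightdm
    mkdir -p "$tmp/root$dir"
    : > "$tmp/root$dir/lightdm-guest-session"
    chmod +x "$tmp/root$dir/lightdm-guest-session"
    printf '%s\n' '#include <tunables/global>' \
        "$dir/lightdm-guest-session-wrapper {" '  /etc/ r,' '}' > "$tmp/old"
    printf '%s\n' '#include <tunables/global>' \
        "$dir/lightdm-guest-session {" '  /etc/ r,' '}' > "$tmp/new"
    echo "old: $(stale_attachments "$tmp/old" "$tmp/root")"
    echo "new: $(stale_attachments "$tmp/new" "$tmp/root")"
    rm -rf "$tmp"
}

demo
```

Run against a real profile with `stale_attachments /etc/apparmor.d/lightdm-guest-session`; any path it prints is a header that matches no executable on the system.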
--- Begin Message ---
Source: lightdm
Source-Version: 1.14.0-1

We believe that the bug you reported is fixed in the latest version of
lightdm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 780...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez <cor...@debian.org> (supplier of updated lightdm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 06 May 2015 22:42:17 +0200
Source: lightdm
Binary: lightdm lightdm-vala liblightdm-gobject-1-0 liblightdm-qt-3-0 liblightdm-gobject-dev liblightdm-qt-dev gir1.2-lightdm-1
Architecture: source amd64
Version: 1.14.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Xfce Maintainers <pkg-xfce-devel@lists.alioth.debian.org>
Changed-By: Yves-Alexis Perez <cor...@debian.org>
Description:
 gir1.2-lightdm-1 - Typelib file for liblightdm-1
 liblightdm-gobject-1-0 - simple display manager (gobject library)
 liblightdm-gobject-dev - simple display manager (gobject development files)
 liblightdm-qt-3-0 - simple display manager (Qt library)
 liblightdm-qt-dev - simple display manager (Qt development files)
 lightdm    - simple display manager
 lightdm-vala - simple display manager (Vala files)
Closes: 780456
Changes:
 lightdm (1.14.0-1) unstable; urgency=medium
 .
   * debian/patches:
     - 02_fix-apparmor-profile updated, following information from Mathieu
       Parent.                                                   closes: #780456
   * debian/watch updated to follow 1.14 branch.
   * New upstream release.
   * debian/lightdm.install:
     - install bash completion files.
   * debian/liblightdm-qt-3-0.symbols updated for new release.
   * Upload to unstable.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

-----END PGP SIGNATURE-----

--- End Message ---