Bug#888584: AppArmor: denied execution of eimp, memsup and more

2018-01-27 Thread Vincas Dargis
Additionally, after original denies are fixed up, running "ejabberctl help" for example, net_admin cap is requested: ``` type=AVC msg=audit(1517059122.720:293): apparmor="DENIED" operation="capable" profile="/usr/sbin/ejabberdctl//su" pid=4820 comm="su" capability=12 capname="net_admin"

Bug#888584: AppArmor: denied execution of eimp, memsup and more

2018-01-27 Thread Vincas Dargis
Package: ejabberd Version: 18.01-1 Severity: normal User: pkg-apparmor-t...@lists.alioth.debian.org Usertags: buggy-profile Dear Maintainer, After some update a flow of DENIED messages appears when ejabberd is starting, with AppArmor profile enforced: ``` type=AVC

Bug#882195: certbot: Install plug-ins, update to 0.20

2018-02-01 Thread Vincas Dargis
Is there a possibility to have 0.21 [0] release and backported to Jessie? It uses HTTP-01 for apache and nginx plugins by default to workaround TLS-SNI-01 issue [1]. [0] https://community.letsencrypt.org/t/certbot-0-21-0-release/50725 [1]

Bug#884217: thunderbird: Latest VCS-Git AppArmor profile (will) break aa-enfroce usage on Jessie

2018-01-28 Thread Vincas Dargis
On 1/28/18 5:56 PM, Carsten Schoenert wrote: If I did something wrong in preparing it, please feel free to close MR and add patch yourself, I don't want to miss this weekends deadline by learning how to prepare patches properly. no problem, I've taken your commit (as you are the author of the

Bug#884217: thunderbird: Latest VCS-Git AppArmor profile (will) break aa-enfroce usage on Jessie

2018-01-28 Thread Vincas Dargis
On 1/28/18 6:56 PM, Carsten Schoenert wrote: Would we place the apparmor profile for Thunderbird in the top directory then we have no other possibility than to add this by a patch. ... And to not complicate things even more it's common case to place things that are not upstream but needed or

Bug#882045: apparmor should let thunderbird open images with viewnior

2018-02-11 Thread Vincas Dargis
I believe this issue can be marked as done.

Bug#886964: thunderbird: Thunderbird blocked by AppArmor without intervention.

2018-02-11 Thread Vincas Dargis
On Thu, 11 Jan 2018 10:11:07 +0100 Urs Schroffenegger wrote: Jan 11 09:06:18 flare kernel: [60207.044643] audit: type=1400 audit(1515657978.983:138): apparmor="DENIED" operation="file_mmap" profile="thunderbird" name="/tmp/.glXWcTtR" pid=534 comm="thunderbird"

Bug#887593: More apparmor="ALLOWED" messages in syslog.

2018-02-17 Thread Vincas Dargis
On 2/16/18 8:08 PM, Rene Engelhard wrote: On Fri, Feb 16, 2018 at 08:48:06AM -0700, Thomas Vaughan wrote: Feb 15 17:41:31 foo-machine kernel: [85508.697711] kauditd_printk_skb: 8 callbacks suppressed Feb 15 17:41:31 foo-machine kernel: [85508.697712] audit: type=1400 audit(1518741691.452:20):

Bug#891303: salt-master: salt fails with "Failed to authenticate" error

2018-02-24 Thread Vincas Dargis
Package: salt-master Version: 2017.7.3+dfsg1-1 Severity: important Dear Maintainer, After recent upgrade in Sid I've noticed that `salt` cannot execute commands due to permissions issues: ``` root@debian-sid:/media/cdrom# salt "*" test.ping Failed to authenticate! This is most likely because

Bug#884874: phonon-backend-vlc: Application using phonon are crashing with vlc 3.0.0~rc2

2017-12-26 Thread Vincas Dargis
VLC 3.0.0 entered Testing, and Dragon and Amarok started to crash. Could it have been possible to kinda stop VLC upload because some depended packages breaks? That would be nice in this case.

Bug#884217: thunderbird: Latest VCS-Git AppArmor profile (will) break aa-enfroce usage on Jessie

2018-01-02 Thread Vincas Dargis
Uhm, why this bug was marked as Done? I have just upgraded some Jessie machine and got error (as expected) during upgrade: ``` AppArmor parser error for /etc/apparmor.d/usr.bin.thunderbird in /etc/apparmor.d/usr.bin.thunderbird at line 12: syntax error, unexpected TOK_SET_VAR, expecting

Bug#905437: libreoffice-common: AppArmor denies access to mesa shader cache

2018-08-04 Thread Vincas Dargis
Package: libreoffice-common Version: 1:6.1.0~rc2-3 Severity: normal Tags: upstream User: pkg-apparmor-t...@lists.alioth.debian.org Usertags: modify-profile Dear Maintainer, I got this deny: ``` type=AVC msg=audit(1533391970.983:584): apparmor="DENIED" operation="open"

Bug#905437: libreoffice-common: AppArmor denies access to mesa shader cache

2018-08-04 Thread Vincas Dargis
On 8/4/18 6:22 PM, intrigeri wrote: or else maybe we could backport `mesa` abstraction into AppArmor 2.13? Why not. Create a MR or file a bug against src:apparmor? Cool, I will work on MR. "Why not" could be "don't want to manage backports too much" :) .

Bug#905442: AppArmor: cannot save files in enforced mode

2018-08-04 Thread Vincas Dargis
Package: libreoffice-common Version: 1:6.1.0~rc2-3 Severity: normal Tags: upstream Dear Maintainer, I cannot save files when AppArmor profile is in enforce mode: ``` type=AVC msg=audit(1533396515.983:974): apparmor="DENIED" operation="mknod" profile="libreoffice-soffice"

Bug#882047: [pkg-apparmor] Bug#882047: Bug#882047: Bug#882047: apparmor-utils: aa-complain thunderbird fails

2018-08-04 Thread Vincas Dargis
On 8/4/18 6:39 PM, intrigeri wrote: Vincas Dargis: Also, some temporary files like "usr.lib.libreoffice.program.soffice.binc3d3lu5x~" are left when aa-enforce fails: Could you please report a bug upstream (https://bugs.launchpad.net/apparmor/+filebug) or worst case a ded

Bug#887593: More apparmor="ALLOWED" messages in syslog.

2018-08-04 Thread Vincas Dargis
intrigeri, could we get opencl abstractions in 2.13, or we are expecting to get AppArmor 3 in Buster? BTW I have proposed update to use `dri-enumerate` abstraction and remove backported rule: https://gerrit.libreoffice.org/#/c/58589/

Bug#905437: libreoffice-common: AppArmor denies access to mesa shader cache

2018-08-04 Thread Vincas Dargis
intrigeri, are we getting AppArmor 3 in Buster, or else maybe we could backport `mesa` abstraction into AppArmor 2.13?

Bug#882047: [pkg-apparmor] Bug#882047: apparmor-utils: aa-complain thunderbird fails

2018-08-04 Thread Vincas Dargis
Also, some junk files (like `usr.lib.libreoffice.program.soffice.binzrz7ukcd~`) are left over: ``` $ ls usr.lib.libreoffice.program.soffice.bin* usr.lib.libreoffice.program.soffice.bin $ sudo aa-enforce usr.lib.libreoffice.program.soffice.bin Setting

Bug#882047: [pkg-apparmor] Bug#882047: Bug#882047: Bug#882047: apparmor-utils: aa-complain thunderbird fails

2018-08-04 Thread Vincas Dargis
Also, some temporary files like "usr.lib.libreoffice.program.soffice.binc3d3lu5x~" are left when aa-enforce fails: ``` $ sudo aa-enforce /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin Setting /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin to enforce mode. ERROR: Path doesn't

Bug#887593: More apparmor="ALLOWED" messages in syslog.

2018-08-05 Thread Vincas Dargis
On Sat, 04 Aug 2018 23:21:19 +0800 intrigeri wrote: > BTW I have proposed update to use `dri-enumerate` abstraction and remove backported rule: > https://gerrit.libreoffice.org/#/c/58589/ If I'm supposed to act on this, please clarify what I should do, otherwise ignore this sentence. Sorry

Bug#901701: bumblebee: using optirun introduces segfault in i965_dri.so

2018-08-10 Thread Vincas Dargis
Sadly, `PRIMUS_UPLOAD=1 primusrun glxgears` does not work any more, also segfaults: Thread 2 "glxgears" received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7f3a8041c700 (LWP 12698)] 0x7f3a8152b2ef in do_blit_drawpixels (pixels=0x0, unpack=0x7f3a78150598, type=5121,

Bug#887593: More apparmor="ALLOWED" messages in syslog.

2018-08-07 Thread Vincas Dargis
On 8/6/18 11:54 PM, Rene Engelhard wrote: On Sat, Aug 04, 2018 at 05:50:35PM +0300, Vincas Dargis wrote: BTW I have proposed update to use `dri-enumerate` abstraction and remove backported rule: https://gerrit.libreoffice.org/#/c/58589/ As I said upstream I am not sure about this upstream

Bug#903898: Acknowledgement (thunderbird: missing AppArmor entries)

2018-08-08 Thread Vincas Dargis
On Mon, 16 Jul 2018 16:03:01 +0100 Nuno Oliveira wrote: Hi Vincas, Carsten, While you are at it, you might as well consider this extra line which appeared later: /var/lib/xine/gxine.desktop r, Nuno, could you give me a hint on how to reproduce this? I can't even find package that would

Bug#901701: bumblebee: using optirun introduces segfault in i965_dri.so

2018-08-15 Thread Vincas Dargis
Control: fixed -1 18.1.6-1 It started working with 18.1.6-1 update!

Bug#905442: AppArmor: cannot save files in enforced mode

2018-08-07 Thread Vincas Dargis
On 8/7/18 1:55 PM, Rene Engelhard wrote: Sorry, apparently didn't read fully the first time I read this mail. Really $HOME? I would be surprised. I know there's lu??.tmps in /tmp (or $TMPDIR) but $HOME? Did you set TMPDIR=$HOME? No, TMPDIR is not set. LO additionally tries to save

Bug#902966: pstore: crypto_comp_decompress failed

2018-08-17 Thread Vincas Dargis
Why is this bug marked as Done? Issue still persists with 4.17.0-2-amd64 on ASUS N551JM laptop. If users (upgrading from Stretch) are expected to execute these workarounds, maybe there should be NEWS entry of some sort?

Bug#906769: arm kernels fail to boot

2018-08-21 Thread Vincas Dargis
On Mon, 20 Aug 2018 15:16:52 -0700 Vagrant Cascadian wrote: One "armmp-lpae" system appears to have successfully booted, but gets many kernel messages along these lines: [ 78.638348] INFO: rcu_sched detected stalls on CPUs/tasks: [ 78.642433] 0-...: (0 ticks this GP) idle=29c/0/0

Bug#906769: arm kernels fail to boot

2018-08-22 Thread Vincas Dargis
On 8/22/18 7:35 AM, Salvatore Bonaccorso wrote: armhf packages: https://people.debian.org/~carnil/tmp/linux/armhf/ armmp-lpae works fine on Odroid-HC1 SBC (Samsung Exynos5422 ARM® Cortex™-A15 Quad 2.0GHz/Cortex™-A7 Quad 1.4GHz)

Bug#907303: apparmor: libreoffice stops start with last update

2018-08-27 Thread Vincas Dargis
On Sun, 26 Aug 2018 10:58:50 +0200 Kamil Jonca wrote: After last upgrade of apparmor, soffice command end with error, and in log we can see: audit: type=1400 audit(1535272402.067:422): apparmor="ALLOWED" operation="exec" info="profile transition not found"

Bug#898092: sddm: takes extremely long time to start

2018-07-20 Thread Vincas Dargis
Upstream bug report has been marked as "Out of scope". So what now, libqt5core5 package must depend on haveged? :) (or Qt recompiled without getentropy() ?)

Bug#903783: minissdpd: Lots of "Address already in use" syslog messages

2018-07-14 Thread Vincas Dargis
Package: minissdpd Version: 1.5.20180223-2 Severity: normal Dear Maintainer, I've discovered that syslog contains lots of "Address already in use" messages: ``` -- Logs begin at Sat 2018-07-14 19:49:37 EEST, end at Sat 2018-07-14 21:08:02 EEST. -- liep. 14 19:49:42 vinco systemd[1]: Starting

Bug#903967: cpqarrayd: Does not detect DL380 Smart Array G6 controller

2018-07-17 Thread Vincas Dargis
Package: cpqarrayd Version: 2.3.5+b1 Severity: normal Dear Maintainer, I've installed Debian Stretch on a bit old DL380 G6 server, and tried to use cpqarrayd to monitor RAID status, but logs shows that controller is not found: ``` Jul 17 16:28:13 dl380 systemd[1]: Starting LSB: Start/Stop

Bug#903898: Acknowledgement (thunderbird: missing AppArmor entries)

2018-07-16 Thread Vincas Dargis
Control: user pkg-apparmor-t...@lists.alioth.debian.org Control: usertag -1 +modify-profile On Mon, 16 Jul 2018 16:58:24 +0200 Carsten Schoenert wrote: Hello Vincas, may I point you to this report? Sure! On Mon, Jul 16, 2018 at 12:45:49PM +0100, Nuno Oliveira wrote: > Actually, better

Bug#903834: clamav-freshclam: AppArmor denies access to /procp//status

2018-07-15 Thread Vincas Dargis
Package: clamav-freshclam Version: 0.100.0+dfsg-0+deb9u2 Severity: minor Control: user pkg-apparmor-t...@lists.alioth.debian.org Control: usertag -1 platform Dear Maintainer, I've discovered DENIED message that appears (apparently) only first time after clamav is installed: ``` type=AVC

Bug#903834: clamav-freshclam: AppArmor denies access to /procp//status

2018-07-15 Thread Vincas Dargis
This doesn't seem to reproduce on Sid though.

Bug#712451: Please support AppArmor network rules

2018-07-15 Thread Vincas Dargis
On Sun, 17 Jun 2018 16:36:39 +0200 intrigeri wrote: Vincas Dargis: > linux-compiler-gcc-7-x86 needs gcc-7 that is not available? For Tails we work this around with equivs: https://git-tails.immerda.ch/tails/tree/config/chroot_local-hooks/12-kernel-modules-build-environment I've mana

Bug#712451: Please support AppArmor network rules

2018-07-23 Thread Vincas Dargis
On 7/22/18 3:48 PM, intrigeri wrote: Hi Vincas, Vincas Dargis: I've managed to install 4.17.0-rc3 and 4.18.0-rc4 with equivs hack, and I did not see any immediate problems with some lightweight testing. Great. Both on Stretch, right? Yes. Did you disable feature-set pinning entirely

Bug#903898: Acknowledgement (thunderbird: missing AppArmor entries)

2018-07-23 Thread Vincas Dargis
On 7/22/18 3:19 PM, intrigeri wrote: Vincas Dargis: Now that "/sys/devices/system/memory/block_size_bytes r," needs simple backport, as is is already available in more recent AppArmor [0]. Unless this denial triggers important user-visible issues, I say let's ignore it f

Bug#712451: Please support AppArmor network rules

2018-07-24 Thread Vincas Dargis
On Tue, 24 Jul 2018 18:38:49 +0800 intrigeri wrote: John answered my question on IRC: - "you can't yet. You will need an apparmor 3.0 beta which keeps getting delayed" Aawww.. Anyway, good to know :) .

Bug#898021: linux-image-4.16.0-1-amd64: kernel 4.16 infinite wait after dm login on ivy bridge and bay trail

2018-07-19 Thread Vincas Dargis
On Mon, 7 May 2018 06:40:36 +0200 "Sten Heinze" wrote: > I definitely experience a much shorter delay if I press keys on the keyboard vs. doing nothing; the delay decreases from >5 minutes to 10-20 seconds before sddm appears. Yes! I have same problem, though not with 4.16, but with 4.17. If

Bug#665423: /usr/bin/7z: unziping isos does not preserve hard links

2018-07-24 Thread Vincas Dargis
I have discovered same issue with symlinks in ISO's on Debian Stretch. firmware-9.5.0-amd64-netinst.iso iso image is extracted without firmware package symlinks (/firmware directory is empty). Had to migrate to bsdtar..

Bug#874727: closed by Anton Gladky (Bug#874727: fixed in coin3 3.1.4~abc9f50+dfsg2-1)

2018-07-25 Thread Vincas Dargis
Are there any workarounds for this issue? Seems same problem as discovered on Kubuntu 18.04 that FreeCAD crashes when importing from SVG file.

Bug#908206: thunderbird: Can not open links due to AppArmour profile

2018-09-07 Thread Vincas Dargis
On 9/7/18 5:55 PM, Carsten Schoenert wrote: Hello Vincas, hello Simon, seems this is the first report against TB 60 related to AppArmor. ;) Can have please a look on this? (Including the needed BTS tagging) Yep just noticed this too, probably the core issue is denying to launch:

Bug#875959: vidia-graphics-drivers: port nvidia-prime from Ubuntu

2018-07-05 Thread Vincas Dargis
On Sat, 16 Sep 2017 19:45:27 +0100 Luca Boccassi wrote: Hopefully one day, before I retire, Nvidia will provide a supported dynamic offload functionality... There is at least talk of a server side glvnd-like implementation, so there's hope. Yes, it would be very nice to have Nvidia working

Bug#879030: 375.82-5: glxgears segmentation fault in glXCreateContext

2018-07-10 Thread Vincas Dargis
On Mon, 9 Jul 2018 05:32:06 +0200 Andreas Beckmann wrote: Is this still an issue with the latest driver (390.67) available in sid, buster, and (soon) stretch-backports? I believe this bug has been fixed. This is quite old bug, I simply forgot that it even existed. Sorry for that. THOUGH,

Bug#901701: bumblebee: using optirun introduces segfault in i965_dri.so

2018-07-07 Thread Vincas Dargis
Looks like there is much simpler workaround: PRIMUS_UPLOAD=1 primusrun glxgears Works for wine too. Thanks to Reddit user huttukuttu! [0] [0] https://www.reddit.com/r/debian/comments/8wu8t8/bumblebee_causes_segfault_in_i965_driso/e1ywduu

Bug#888028: nvidia-driver: applications running with discrete NVIDIA graphics tries to create /home/user.nv/ directory

2018-01-23 Thread Vincas Dargis
On 1/22/18 10:31 PM, Andreas Beckmann wrote: On 2018-01-22 20:39, Vincas Dargis wrote: It looks like some shared code actually wanted to create $HOME + / + .nv directory, though accidentally skipped a slash. Some nvidia driver components use ~/.nv/ as temporary storage, sounds like something

Bug#888028: nvidia-driver: applications running with discrete NVIDIA graphics tries to create /home/user.nv/ directory

2018-01-22 Thread Vincas Dargis
Package: nvidia-driver Severity: normal Dear Maintainer, Some applications that have AppArmor profile defined produce DENIED log entries for strange `/home/vincas.nv/` paths: ``` type=AVC msg=audit(1516647002.968:744): apparmor="DENIED" operation="mkdir" profile="thunderbird"

Bug#888028: nvidia-driver: applications running with discrete NVIDIA graphics tries to create /home/user.nv/ directory

2018-01-22 Thread Vincas Dargis
Sorry, I've pasted wrong log entry in my last message. Here's the right one: ``` type=AVC msg=audit(1516649672.198:1036): apparmor="DENIED" operation="mkdir" profile="wine-preloader" name="/home/vincas.nv/" pid=31808 comm="gldriverquery64" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

Bug#887593: libreoffice-common: apparmor profiles triggers lot of ALLOWED entries

2018-01-21 Thread Vincas Dargis
On 2018-01-21 20:33, Rene Engelhard wrote: Want to do a MR or should I just backport the patch myself? I would like to try to backport it within upcoming week.

Bug#887973: thunderbird: Black screen - Failed to lock new back buffer

2018-01-22 Thread Vincas Dargis
On 2018-01-22 15:00, Carsten Schoenert wrote: dmesg output: Jan 22 11:56:14 webdev kernel: [13770.507112] audit: type=1400 audit(1516618574.570:3738): apparmor="DENIED" operation="open" profile="thunderbird" name="/etc/ld.so.conf" pid=20508 comm="thunderbird" requested_mask="r" denied_mask="r"

Bug#892646: nvidia-nonglvnd-vulkan-common: Vulkan does not work due to incorrect nvidia_icd.json

2018-03-11 Thread Vincas Dargis
Package: nvidia-nonglvnd-vulkan-common Version: 390.25-2 Severity: normal Dear Maintainer, Running `optirun vulkaninfo` on switching GM107M [GeForce GTX 860M] outputs this: ``` ERROR: [loader] Code 0 : loader_scanned_icd_add: Attempt to retrieve either 'vkGetInstanceProcAddr' or

Bug#876521: FTBFS with CGAL 4.11

2018-03-15 Thread Vincas Dargis
There is new PR, does this fix the issue? https://github.com/Oslandia/SFCGAL/pull/157

Bug#895563: thunderbird: AppArmor denies device enumeration

2018-04-12 Thread Vincas Dargis
Package: thunderbird Version: 1:60.0~b2-1 Severity: normal Tags: upstream User: pkg-apparmor-t...@lists.alioth.debian.org Dear Maintainer, AppArmor profile denies access to paths like `/sys/devices/pci:00/:00:02.0/{vendor,device,uevent,...}`: ``` type=AVC msg=audit(1523552674.105:410):

Bug#894907: [thunderbird] apparmor denies access to ~/.gnupg/tofu.db

2018-04-06 Thread Vincas Dargis
On Thu, 5 Apr 2018 09:47:52 -0300 Agustin Henze wrote: @@ -248,6 +248,7 @@ owner @{HOME}/.gnupg/trustdb.gpg rw, owner @{HOME}/.gnupg/S.gpg-agent rw, owner @{HOME}/.gnupg/S.dirmngr rw, +owner @{HOME}/.gnupg/tofu.db rwl, owner

Bug#712451: [pkg-apparmor] Bug#712451: Please support AppArmor network rules

2018-04-20 Thread Vincas Dargis
Woohoo! What's next left, DBus? On 4/20/18 11:45 AM, intrigeri wrote: Linux v4.17-rc1 now supports basic socket mediation, which will allow us to close this bug report: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=56974a6fcfef69ee0825bd66ed13e92070ac5224 :)

Bug#894245: src:salt: cannot install master nor minion due to tornado & zmq breakage

2018-03-27 Thread Vincas Dargis
Package: src:salt Version: 2017.7.4+dfsg1-1 Severity: important Dear Maintainer, It seems that due to #893360 salt-master and salt-minion cannot be installed. salt-master depends on python3-zmq, meanwhile salt-common depends on python3-tornado. Since tornado breaks zmq (as in bug mentioned

Bug#893695: apparmor: Apparmor break firefox with psd

2018-03-29 Thread Vincas Dargis
rollopack, we have bug about having "proper" Firefox profile: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858174 Ubuntu Firefox _package_ project has profile that is updated time to time, you can try that:

Bug#882218: thunderbird: Apparmor doesn't allow personal profiles outside of ~/.{thunderbird,icedove}

2018-03-29 Thread Vincas Dargis
Control: tags -1 -pending On 3/29/18 8:20 PM, intrigeri wrote: Hi, Vincas Dargis: I do not see the need for migration of any kind. @{thunderbird_user_dirs} will be set to @{HOME}, so _by default profile will work the same as before_. OP of this bug report will be able to extend

Bug#858919: Crash reporter doesn't get symbols, even with -dbg installed

2018-03-26 Thread Vincas Dargis
On 3/26/18 7:16 PM, Carsten Schoenert wrote: I haven't much time for this right now, so I've disabled the crashreporter for now because it's not that useful without the symbols uploaded to Mozilla. OK, thanks for explanation!

Bug#858919: Crash reporter doesn't get symbols, even with -dbg installed

2018-03-25 Thread Vincas Dargis
I have installed thunderbird 58.0~b3-1 from experimental and thunderbird-dbgsym from experimental-debug, and I am pretty sure that debug symbols are there. This is gdb backtrace when I send `killall -SIGSEGV thunderbird`: ``` Thread 1 "thunderbird" received signal SIGSEGV, Segmentation fault.

Bug#892646: nvidia-nonglvnd-vulkan-common: Vulkan does not work due to incorrect nvidia_icd.json

2018-03-17 Thread Vincas Dargis
On 3/17/18 7:28 PM, Luca Boccassi wrote: > Optirun never supported Vulkan. That's a known missing feature, and I don't think it will be implemented any time soon. Oh, that's unfortunate. So laptop users have to move away from switchable graphics and have NVIDIA running all the time in order to

Bug#892646: nvidia-nonglvnd-vulkan-common: Vulkan does not work due to incorrect nvidia_icd.json

2018-03-17 Thread Vincas Dargis
After latest update, I no longer see errors with `vulkaninfo` and `vulkan-smoketest`, though for some reason it seems that it's running Mesa graphics with `optirun vulkaninfo-smoketest`, not NVIDIA: ``` $ optirun vulkan-smoketest INTEL-MESA: warning: Haswell Vulkan support is incomplete

Bug#887593: More apparmor="ALLOWED" messages in syslog.

2018-03-03 Thread Vincas Dargis
On Fri, 16 Feb 2018 08:48:06 -0700 Thomas Vaughan wrote: I see that this bug is closed, but I see something similar in my system log. I am running Debian unstable updated as of yesterday. It seems that libreoffice is trying to make use of OpenCL, and I have a couple of

Bug#887593: More apparmor="ALLOWED" messages in syslog.

2018-03-04 Thread Vincas Dargis
On 3/4/18 1:52 PM, Rene Engelhard wrote: On Sat, Mar 03, 2018 at 03:10:45PM +0200, Vincas Dargis wrote: I'm on switching laptop (Intel + NVIDIA). Maybe I have to enable OpenCL for Libreoffice somehow? Tools->Options-OpenCL. Though that setting doesn't persist here, probably because LO noti

Bug#887593: More apparmor="ALLOWED" messages in syslog.

2018-03-04 Thread Vincas Dargis
On 3/4/18 1:52 PM, Rene Engelhard wrote: Tools->Options-OpenCL. Though that setting doesn't persist here, probably because LO notices I don't have a working OpenCL config.. After some testing, it seems that OpenCL option persist for me only if I launch LO through `optirun` command, that

Bug#901023: vlc: Hadware decoding does not work with 3.0.2

2018-06-28 Thread Vincas Dargis
On Mon, 11 Jun 2018 20:20:18 +0300 Rémi Denis-Courmont wrote: You either have to use libav, or a more recent FFmpeg, or manually turn off threaded decoding in VLC preferences. What FFmpeg version I should build VLC with for threading to work, can I simply grab the latest

Bug#894245: [Pkg-salt-team] Bug#894245: Salt, Tornado Incompatibility, and ZMQ Timeline

2018-06-28 Thread Vincas Dargis
On Thu, 28 Jun 2018 09:42:41 +0200 Benjamin Drung wrote: On Saturday, 16.06.2018, 22:02 +0300, Vincas Dargis wrote: > 2017.7.6 is released now [0], could this fix the issue? > > [0] https://docs.saltstack.com/en/latest/topics/releases/2017.7.6.html Sadly no, since we use

Bug#901023: vlc: Hadware decoding does not work with 3.0.2

2018-06-29 Thread Vincas Dargis
On 6/29/18 2:51 PM, Rémi Denis-Courmont wrote: On Thursday, 28 June 2018, 18:52:46 EEST, Vincas Dargis wrote: On Mon, 11 Jun 2018 20:20:18 +0300 Rémi Denis-Courmont wrote: You either have to use libav, or a more recent FFmpeg, or manually turn off threaded decoding in VLC

Bug#882047: [pkg-apparmor] Bug#882047: apparmor-utils: aa-complain thunderbird fails

2018-10-22 Thread Vincas Dargis
I believe I would just revert that change which introduced variable in profile name. It was just a way to reduce small duplication, it's not critical at all. Change was made in the spirit of "RFC: using variables to make profiles more flexible" thread [0], but looks like we just need to wait a

Bug#911656: munin-plugins-core: postgres_x_ALL plugins produce 'FATAL: database "munin" does not exist' errors

2018-10-23 Thread Vincas Dargis
Package: munin-plugins-core Version: 2.0.37-1~bpo9+1 Severity: normal Dear Maintainer, I have upgraded munin from stretch-backports, to overcome incompatibilities with PostgreSQL 10: ``` # apt-cache policy munin-node munin-plugins-core | fgrep Installed Installed: 2.0.37-1~bpo9+1 Installed:

Bug#858174: Please provide an AppArmor profile for Firefox

2018-10-31 Thread Vincas Dargis
On 2018-10-30 20:59, intrigeri wrote: Vincas Dargis: intrigeri, what is rationale for upping it to "normal"? What do you mean? Today I merely tagged this bug "upstream". Oh, sorry, right, it was changed from wishlist to normal in "Sun, 29 Oct 2017 11:21:06 GM

Bug#858174: Please provide an AppArmor profile for Firefox

2018-10-30 Thread Vincas Dargis
intrigeri, what is rationale for upping it to "normal"? Maybe you would like/expect to have it in Buster? Maybe some one plans to upstream Ubuntu profile, etc. :) I would really like to have it, but looking at Thunderbird experience, we kinda lack abstractions for launching almost arbitrary

Bug#908989: thunderbird: AppArmor denies access to /etc/ld.so.conf

2018-11-03 Thread Vincas Dargis
This deny does reproduce on Stretch too, but not on Jessie. I guess I could just provide backport for Salsa repository for Stretch, as it is irrelevant for Buster or any new release, as it's fixed in newer AppArmor itself.

Bug#911656: munin-plugins-core: postgres_x_ALL plugins produce 'FATAL: database "munin" does not exist' errors

2018-10-29 Thread Vincas Dargis
On Wed, 24 Oct 2018 01:14:54 +0200 Lars Kruse wrote: Could you please check whether reverting the changes introduced with https://github.com/munin-monitoring/munin/commit/d7e138176e9a09b883031544e523e33e5ef9238b would fix this issue for you? Yes, commenting out "paramdatabase" line in _locks

Bug#908989: thunderbird: AppArmor denies access to /etc/ld.so.conf

2018-10-29 Thread Vincas Dargis
Control: tags -1 +patch Control: forwarded -1 https://gitlab.com/apparmor/apparmor/merge_requests/62 On Wed, 19 Sep 2018 19:10:48 +0200 intrigeri wrote: > It appears that Thunderbird now needs access to /etc/ld.so.conf on > Stretch, while AppArmor profile does not allow that: What's the

Bug#908989: thunderbird: AppArmor denies access to /etc/ld.so.conf

2018-10-29 Thread Vincas Dargis
On Mon, 29 Oct 2018 20:32:21 +0200 Vincas Dargis wrote: Looks like I've already fixed it some time ago: Although, that's only for latest AppArmor, meanwhile it will not help for Debian Stable releases. On the other hand, maybe deny is introduced by some newer library, which is only available

Bug#909750: applications tries to write to /usr/* directories via libfontconfig1

2018-11-11 Thread Vincas Dargis
On Fri, 9 Nov 2018 14:25:12 +0100 Jakub Wilk wrote> It's still reproducible for me: $ strace -o '| grep -w EACCES' /usr/lib/firefox-esr/firefox-bin ... openat(AT_FDCWD, "/usr/share/fonts/truetype/mononoki/.uuid.TMP-lrzetE", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_CLOEXEC, 0600) = -1 EACCES

Bug#913784: munin-node: 'Duplicate line for path "/run/munin", ignoring' warning after upgrade to 2.0.42-5

2018-11-14 Thread Vincas Dargis
This is the content of file: ``` # cat /usr/lib/tmpfiles.d/munin-node.conf # keep in sync with debian/munin.munin-(node|async).init (non-systemd) d /run/munin 0755 munin munin d /var/log/munin 0755 munin adm ```

Bug#913784: munin-node: 'Duplicate line for path "/run/munin", ignoring' warning after upgrade to 2.0.42-5

2018-11-14 Thread Vincas Dargis
Package: munin-node Version: 2.0.42-5~bpo9+1 Severity: minor Dear Maintainer, After upgrading to 2.0.42-5 from backports, logcheck on multiple Stretch machines started to capture this new message: ``` Nov 14 22:25:04 dl380 systemd-tmpfiles[13769]: [/usr/lib/tmpfiles.d/munin-node.conf:2]

Bug#909750: applications tries to write to /usr/* directories via libfontconfig1

2018-11-08 Thread Vincas Dargis
Control: fixed -1 2.13.1-2 I cannot reproduce this any more, thanks!

Bug#903834: [Pkg-clamav-devel] Bug#903834: clamav-freshclam: AppArmor denies access to /procp//status

2018-11-08 Thread Vincas Dargis
Ping?

Bug#905437: libreoffice-common: AppArmor denies access to mesa shader cache

2018-11-08 Thread Vincas Dargis
We have now mesa abstraction in Buster that fixes this bug... but so what? I guess I'll have to add yet another [0] backport to upstream profile because it exists not only for Buster... I am thinking to propose LibreOffice upstream to split profile into apparmor-x.yz directories to match

Bug#908989: thunderbird: AppArmor denies access to /etc/ld.so.conf

2018-11-12 Thread Vincas Dargis
https://salsa.debian.org/mozilla-team/thunderbird/merge_requests/2

Bug#882047: [pkg-apparmor] Bug#882047: Bug#882047: apparmor-utils: aa-complain thunderbird fails

2018-11-12 Thread Vincas Dargis
I am removing variable usage in Thunderbird profile name: https://gitlab.com/apparmor/apparmor-profiles/merge_requests/31

Bug#874727: closed by Anton Gladky (Bug#874727: fixed in coin3 3.1.4~abc9f50+dfsg2-1)

2018-10-09 Thread Vincas Dargis
Freecad crashes while importing any .svg: 1. Open Inkscape 2. Save to "drawing.svg" or whatever (yes, empty file) 3. Launch Freecad 4. File -> New 5. File -> Import -> select drawing.svg -> check "SVG as geometry" -> Select -> Crash happens: ``` Thread 1 "freecad" received signal SIGSEGV,

Bug#909750: firefox tries to write to /usr/* directories

2018-10-08 Thread Vincas Dargis
Running `sudo fc-cache -f` didn't help.

Bug#908989: thunderbird: AppArmor denies access to /etc/ld.so.conf

2018-09-19 Thread Vincas Dargis
On 9/19/18 8:10 PM, intrigeri wrote: It appears that Thunderbird now needs access to /etc/ld.so.conf on Stretch, while AppArmor profile does not allow that: What's the practical effect of this denial, if any? I haven't noticed any negative effects so far.

Bug#908206: thunderbird: Can not open links due to AppArmour profile

2018-09-21 Thread Vincas Dargis
I believe the "perfect" solution would be to implement a child profile, that would allow only to launch browsers, as far as I can see, only links (not attachments) are opened with this new gio helper. Consider: ``` ... /usr/lib/@{multiarch}/glib-[0-9].[0-9]/gio-launch-desktop Cx ->

Bug#909281: Apparmor: allow access to ~/.mailcap

2018-09-21 Thread Vincas Dargis
On Thu, 20 Sep 2018 16:53:44 -0400 Anthony DeRobertis wrote> would make sense to allow a mail program to read ~/.mailcap (and execute the programs found there, no idea how that's done in apparmor) Allowing to read that file will be trivial, but AppArmor will not be able to parse it and

Bug#909750: firefox tries to write to /usr/* directories

2018-09-27 Thread Vincas Dargis
Package: firefox Version: 62.0.2-1 Severity: normal Tags: upstream Dear Maintainer, I am using Firefox confined with "unofficial" AppArmor profile, and noticed that this produces a lot of strange denials, as Firefox for unknown reason tries to write to the /usr/* directories, something to do

Bug#909750: firefox tries to write to /usr/* directories

2018-09-27 Thread Vincas Dargis
Looks like Thunderbird behaves the same: ``` type=AVC msg=audit(1538066122.223:896): apparmor="DENIED" operation="mknod" profile="thunderbird" name="/usr/share/fonts/X11/encodings/large/.uuid.TMP-7ayDB6 " pid=9152 comm="thunderbird" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 ```

Bug#909750: firefox tries to write to /usr/* directories

2018-09-27 Thread Vincas Dargis
Yep, same issue with Kate text editor, and yes, it's fontconfig: ``` Thread 1 "kate" hit Catchpoint 1 (returned from syscall openat), 0x75e42e69 in __libc_open64 (file=0x55930da0 "/usr/share/fonts/type1/gsfonts/.uuid", oflag=524288) at ../sysdeps/unix/sysv/linux/open64.c:47 47

Bug#883948: [pkg-apparmor] Bug#883948: apparmor: xdg-user-dirs should have localized directory names

2019-01-05 Thread Vincas Dargis
I've started discussion in debian-i18n list, asking for guidance: https://lists.debian.org/debian-i18n/2019/01/msg0.html

Bug#918138: qtox: Add AppArmor profile

2019-01-05 Thread Vincas Dargis
On 2019-01-04 14:05, Yangfl wrote: I'd love to see any improvement in program quality. As you're willing to create the AppArmor profile, I'd like to suggest you to directly submit your changes to upstream; just open a pr in their github repo https://github.com/qTox/qTox . I have mixed feelings

Bug#918138: qtox: Add AppArmor profile

2019-01-06 Thread Vincas Dargis
On 2019-01-05 14:33, intrigeri wrote:> Vincas Dargis: intrigeri what's your take on this? Where should new profiles be "placed"? Having the policy live along with the software it confines, i.e. in the upstream VCS, is ideal, as long as upstream somewhat cares about it Yea

Bug#918138: qtox: Add AppArmor profile

2019-01-06 Thread Vincas Dargis
https://github.com/qTox/qTox/issues/5484

Bug#919775: apparmor: AppArmor denies new mesa-related paths

2019-01-19 Thread Vincas Dargis
Package: apparmor Version: 2.13.2-3 Severity: normal Tags: upstream patch Dear Maintainer, After recent Mesa updates on Sid, new denies are produced by some applications: ``` type=AVC msg=audit(1547905564.212:523): apparmor="DENIED" operation="open" profile="supertuxkart"

Bug#919365: vlc: Desktop capture fails with "File exists"

2019-01-15 Thread Vincas Dargis
Package: src:vlc Version: 3.0.6-0+deb9u1 Severity: normal Dear Maintainer, This is how I try to capture Desktop: * Launch VLC * Go to File -> Convert / Save -> Capture Devices * Select Desktop, enter 10fps, click Convert / Save button * Select Video - MPEG-2... (or different, doesn't matter) *

Bug#916999: smartmontools: Retry if raid device is locked by other process

2018-12-21 Thread Vincas Dargis
Package: smartmontools Version: 6.5+svn4324-1 Severity: wishlist Tags: upstream Dear Maintainer, Using Areca official proprietary `cli64` [0] utility to check raidset/volume status (used by Nagios/Icinga monitoring tools) produces "conflict" with `smartctl`. Munin and smartd monitoring fails at
