Additionally, after original denies are fixed up, running "ejabberdctl help" for
example, net_admin cap is requested:
```
type=AVC msg=audit(1517059122.720:293): apparmor="DENIED" operation="capable" profile="/usr/sbin/ejabberdctl//su"
pid=4820 comm="su" capability=12 capname="net_admin"
```
Package: ejabberd
Version: 18.01-1
Severity: normal
User: pkg-apparmor-t...@lists.alioth.debian.org
Usertags: buggy-profile
Dear Maintainer,
After some update a flow of DENIED messages appears when ejabberd is starting,
with AppArmor profile enforced:
```
type=AVC
```
Is there a possibility to have 0.21 [0] release and backported to Jessie?
It uses HTTP-01 for apache and nginx plugins by default to work around
TLS-SNI-01 issue [1].
[0] https://community.letsencrypt.org/t/certbot-0-21-0-release/50725
[1]
On 1/28/18 5:56 PM, Carsten Schoenert wrote:
If I did something wrong in preparing it, please feel free to close
MR and add patch yourself, I don't want to miss this weekend's
deadline by learning how to prepare patches properly.
no problem, I've taken your commit (as you are the author of the
On 1/28/18 6:56 PM, Carsten Schoenert wrote:
Would we place the apparmor profile for Thunderbird in the top directory
then we have no other possibility than to add this by a patch.
...
And to not complicate things even more it's common case to place things
that are not upstream but needed or
I believe this issue can be marked as done.
On Thu, 11 Jan 2018 10:11:07 +0100 Urs Schroffenegger
wrote:
Jan 11 09:06:18 flare kernel: [60207.044643] audit: type=1400
audit(1515657978.983:138): apparmor="DENIED" operation="file_mmap"
profile="thunderbird" name="/tmp/.glXWcTtR" pid=534 comm="thunderbird"
On 2/16/18 8:08 PM, Rene Engelhard wrote:
On Fri, Feb 16, 2018 at 08:48:06AM -0700, Thomas Vaughan wrote:
Feb 15 17:41:31 foo-machine kernel: [85508.697711] kauditd_printk_skb:
8 callbacks suppressed
Feb 15 17:41:31 foo-machine kernel: [85508.697712] audit: type=1400
audit(1518741691.452:20):
Package: salt-master
Version: 2017.7.3+dfsg1-1
Severity: important
Dear Maintainer,
After recent upgrade in Sid I've noticed that `salt` cannot execute commands due
to permissions issues:
```
root@debian-sid:/media/cdrom# salt "*" test.ping
Failed to authenticate! This is most likely because
```
VLC 3.0.0 entered Testing, and Dragon and Amarok started to crash.
Could it have been possible to kinda stop VLC upload because some depended
packages break? That would be nice in this case.
Uhm, why this bug was marked as Done?
I have just upgraded some Jessie machine and got error (as expected) during
upgrade:
```
AppArmor parser error for /etc/apparmor.d/usr.bin.thunderbird in /etc/apparmor.d/usr.bin.thunderbird at line 12: syntax
error, unexpected TOK_SET_VAR, expecting
```
Package: libreoffice-common
Version: 1:6.1.0~rc2-3
Severity: normal
Tags: upstream
User: pkg-apparmor-t...@lists.alioth.debian.org
Usertags: modify-profile
Dear Maintainer,
I got this deny:
```
type=AVC msg=audit(1533391970.983:584): apparmor="DENIED" operation="open"
```
On 8/4/18 6:22 PM, intrigeri wrote:
or else maybe we could backport `mesa` abstraction into AppArmor
2.13?
Why not. Create a MR or file a bug against src:apparmor?
Cool, I will work on MR. "Why not" could be "don't want to manage backports too
much" :) .
Package: libreoffice-common
Version: 1:6.1.0~rc2-3
Severity: normal
Tags: upstream
Dear Maintainer,
I cannot save files when AppArmor profile is in enforce mode:
```
type=AVC msg=audit(1533396515.983:974): apparmor="DENIED"
operation="mknod" profile="libreoffice-soffice"
```
On 8/4/18 6:39 PM, intrigeri wrote:
Vincas Dargis:
Also, some temporary files like
"usr.lib.libreoffice.program.soffice.binc3d3lu5x~"
are left when aa-enforce fails:
Could you please report a bug upstream
(https://bugs.launchpad.net/apparmor/+filebug)
or worst case a ded
intrigeri, could we get opencl abstractions in 2.13, or we are expecting to get
AppArmor 3 in Buster?
BTW I have proposed update to use `dri-enumerate` abstraction and remove
backported rule:
https://gerrit.libreoffice.org/#/c/58589/
intrigeri, are we getting AppArmor 3 in Buster, or else maybe we could backport `mesa` abstraction
into AppArmor 2.13?
Also, some junk files (like `usr.lib.libreoffice.program.soffice.binzrz7ukcd~`)
are left over:
```
$ ls usr.lib.libreoffice.program.soffice.bin*
usr.lib.libreoffice.program.soffice.bin
$ sudo aa-enforce usr.lib.libreoffice.program.soffice.bin
Setting
```
Also, some temporary files like "usr.lib.libreoffice.program.soffice.binc3d3lu5x~" are left when
aa-enforce fails:
```
$ sudo aa-enforce /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin
Setting /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin to enforce mode.
ERROR: Path doesn't
```
On Sat, 04 Aug 2018 23:21:19 +0800 intrigeri wrote:
> BTW I have proposed update to use `dri-enumerate` abstraction and remove
backported rule:
> https://gerrit.libreoffice.org/#/c/58589/
If I'm supposed to act on this, please clarify what I should do,
otherwise ignore this sentence.
Sorry
Sadly, `PRIMUS_UPLOAD=1 primusrun glxgears` does not work any more, also
segfaults:
Thread 2 "glxgears" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f3a8041c700 (LWP 12698)]
0x7f3a8152b2ef in do_blit_drawpixels (pixels=0x0, unpack=0x7f3a78150598, type=5121,
On 8/6/18 11:54 PM, Rene Engelhard wrote:
On Sat, Aug 04, 2018 at 05:50:35PM +0300, Vincas Dargis wrote:
BTW I have proposed update to use `dri-enumerate` abstraction and remove
backported rule:
https://gerrit.libreoffice.org/#/c/58589/
As I said upstream I am not sure about this upstream
On Mon, 16 Jul 2018 16:03:01 +0100 Nuno Oliveira wrote:
Hi Vincas, Carsten,
While you are at it, you might as well consider this extra line which
appeared later:
/var/lib/xine/gxine.desktop r,
Nuno, could you give me a hint on how to reproduce this? I can't even find package that would
Control: fixed -1 18.1.6-1
It started working with 18.1.6-1 update!
On 8/7/18 1:55 PM, Rene Engelhard wrote:
Sorry, apparently didn't read fully the first time I read this mail.
Really $HOME? I would be surprised.
I know there's lu??.tmps in /tmp (or $TMPDIR) but $HOME?
Did you set TMPDIR=$HOME?
No, TMPDIR is not set. LO additionally tries to save
Why is this bug marked as Done?
Issue still persists with 4.17.0-2-amd64 on ASUS N551JM laptop.
If users (upgrading from Stretch) are expected to execute these workarounds, maybe there should be
NEWS entry of some sort?
On Mon, 20 Aug 2018 15:16:52 -0700 Vagrant Cascadian wrote:
One "armmp-lpae" system appears to have successfully booted, but gets
many kernel messages along these lines:
[ 78.638348] INFO: rcu_sched detected stalls on CPUs/tasks:
[ 78.642433] 0-...: (0 ticks this GP) idle=29c/0/0
On 8/22/18 7:35 AM, Salvatore Bonaccorso wrote:
armhf packages:
https://people.debian.org/~carnil/tmp/linux/armhf/
armmp-lpae works fine on Odroid-HC1 SBC (Samsung Exynos5422 ARM® Cortex™-A15 Quad 2.0GHz/Cortex™-A7
Quad 1.4GHz)
On Sun, 26 Aug 2018 10:58:50 +0200 Kamil Jonca wrote:
After last upgrade of apparmor, soffice command end with error, and in log we
can see:
audit: type=1400 audit(1535272402.067:422): apparmor="ALLOWED" operation="exec" info="profile transition not found"
Upstream bug report has been marked as "Out of scope".
So what now, libqt5core5 package must depend on haveged? :)
(or Qt recompiled without getentropy() ?)
Package: minissdpd
Version: 1.5.20180223-2
Severity: normal
Dear Maintainer,
I've discovered that syslog contains lots of "Address already in use"
messages:
```
-- Logs begin at Sat 2018-07-14 19:49:37 EEST, end at Sat 2018-07-14
21:08:02 EEST. --
liep. 14 19:49:42 vinco systemd[1]: Starting
```
Package: cpqarrayd
Version: 2.3.5+b1
Severity: normal
Dear Maintainer,
I've installed Debian Stretch on a bit old DL380 G6 server, and tried to
use cpqarrayd to monitor RAID status, but logs show that controller is
not found:
```
Jul 17 16:28:13 dl380 systemd[1]: Starting LSB: Start/Stop
```
Control: user pkg-apparmor-t...@lists.alioth.debian.org
Control: usertag -1 +modify-profile
On Mon, 16 Jul 2018 16:58:24 +0200 Carsten Schoenert
wrote:
Hello Vincas,
may I point you to this report?
Sure!
On Mon, Jul 16, 2018 at 12:45:49PM +0100, Nuno Oliveira wrote:
> Actually, better
Package: clamav-freshclam
Version: 0.100.0+dfsg-0+deb9u2
Severity: minor
Control: user pkg-apparmor-t...@lists.alioth.debian.org
Control: usertag -1 platform
Dear Maintainer,
I've discovered DENIED message that appears (apparently) only first time
after clamav is installed:
```
type=AVC
```
This doesn't seem to reproduce on Sid though.
On Sun, 17 Jun 2018 16:36:39 +0200 intrigeri wrote:
Vincas Dargis:
> linux-compiler-gcc-7-x86 needs gcc-7 that is not available?
For Tails we work this around with equivs:
https://git-tails.immerda.ch/tails/tree/config/chroot_local-hooks/12-kernel-modules-build-environment
I've mana
On 7/22/18 3:48 PM, intrigeri wrote:
Hi Vincas,
Vincas Dargis:
I've managed to install 4.17.0-rc3 and 4.18.0-rc4 with equivs hack, and I did
not see
any immediate problems with some lightweight testing.
Great.
Both on Stretch, right?
Yes.
Did you disable feature-set pinning entirely
On 7/22/18 3:19 PM, intrigeri wrote:
Vincas Dargis:
Now that "/sys/devices/system/memory/block_size_bytes r," needs simple
backport, as
it is already available in more recent AppArmor [0].
Unless this denial triggers important user-visible issues, I say let's
ignore it f
On Tue, 24 Jul 2018 18:38:49 +0800 intrigeri wrote:
John answered my question on IRC:
- "you can't yet. You will need an apparmor 3.0 beta which keeps
getting delayed"
Aawww.. Anyway, good to know :) .
On Mon, 7 May 2018 06:40:36 +0200 "Sten Heinze" wrote:
> I definitely experience a much shorter delay if I press keys on the keyboard vs. doing nothing;
> the delay decreases from >5 minutes to 10-20 seconds before sddm appears.
Yes! I have same problem, though not with 4.16, but with 4.17. If
I have discovered same issue with symlinks in ISO's on Debian Stretch.
firmware-9.5.0-amd64-netinst.iso iso image is extracted without firmware
package symlinks (/firmware directory is empty). Had to migrate to bsdtar..
Are there any workarounds for this issue? Seems same problem as discovered on Kubuntu 18.04 that
FreeCAD crashes when importing from SVG file.
On 9/7/18 5:55 PM, Carsten Schoenert wrote:
Hello Vincas, hello Simon,
seems this is the first report against TB 60 related to AppArmor. ;)
Can have please a look on this?
(Including the needed BTS tagging)
Yep just noticed this too, probably the core issue is denying to launch:
On Sat, 16 Sep 2017 19:45:27 +0100 Luca Boccassi
wrote:
Hopefully one day, before I retire, Nvidia will provide a supported
dynamic offload functionality... There is at least talk of a server
side glvnd-like implementation, so there's hope.
Yes, it would be very nice to have Nvidia working
On Mon, 9 Jul 2018 05:32:06 +0200 Andreas Beckmann wrote:
Is this still an issue with the latest driver (390.67) available in sid,
buster, and (soon) stretch-backports?
I believe this bug has been fixed. This is quite old bug, I simply forgot that it even existed.
Sorry for that.
THOUGH,
Looks like there is much simpler workaround:
PRIMUS_UPLOAD=1 primusrun glxgears
Works for wine too.
Thanks to Reddit user huttukuttu! [0]
[0]
https://www.reddit.com/r/debian/comments/8wu8t8/bumblebee_causes_segfault_in_i965_driso/e1ywduu
On 1/22/18 10:31 PM, Andreas Beckmann wrote:
On 2018-01-22 20:39, Vincas Dargis wrote:
It looks like some shared code actually wanted to create $HOME + / + .nv
directory, though accidentally skipped a slash.
Some nvidia driver components use ~/.nv/ as temporary storage, sounds
like something
Package: nvidia-driver
Severity: normal
Dear Maintainer,
Some applications that has AppArmor profile defined produces DENIED log
entries for strange `/home/vincas.nv/` paths:
```
type=AVC msg=audit(1516647002.968:744): apparmor="DENIED"
operation="mkdir" profile="thunderbird"
```
Sorry, I've pasted wrong log entry in my last message. Here's the right one:
```
type=AVC msg=audit(1516649672.198:1036): apparmor="DENIED" operation="mkdir" profile="wine-preloader"
name="/home/vincas.nv/" pid=31808 comm="gldriverquery64" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
```
On 2018-01-21 20:33, Rene Engelhard wrote:
Want to do a MR or should I just backport the patch myself?
I would like to try to backport it within upcoming week.
On 2018-01-22 15:00, Carsten Schoenert wrote:
dmesg output:
Jan 22 11:56:14 webdev kernel: [13770.507112] audit: type=1400 audit(1516618574.570:3738): apparmor="DENIED" operation="open"
profile="thunderbird" name="/etc/ld.so.conf" pid=20508 comm="thunderbird" requested_mask="r"
denied_mask="r"
Package: nvidia-nonglvnd-vulkan-common
Version: 390.25-2
Severity: normal
Dear Maintainer,
Running `optirun vulkaninfo` on switching GM107M [GeForce GTX 860M] outputs
this:
```
ERROR: [loader] Code 0 : loader_scanned_icd_add: Attempt to retrieve
either 'vkGetInstanceProcAddr' or
```
There is new PR, does this fix the issue?
https://github.com/Oslandia/SFCGAL/pull/157
Package: thunderbird
Version: 1:60.0~b2-1
Severity: normal
Tags: upstream
User: pkg-apparmor-t...@lists.alioth.debian.org
Dear Maintainer,
AppArmor profile denies access to paths like
`/sys/devices/pci:00/:00:02.0/{vendor,device,uevent,...}`:
```
type=AVC msg=audit(1523552674.105:410):
```
On Thu, 5 Apr 2018 09:47:52 -0300 Agustin Henze wrote:
@@ -248,6 +248,7 @@
owner @{HOME}/.gnupg/trustdb.gpg rw,
owner @{HOME}/.gnupg/S.gpg-agent rw,
owner @{HOME}/.gnupg/S.dirmngr rw,
+owner @{HOME}/.gnupg/tofu.db rwl,
owner
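Review bot: the added `tofu.db` rule grants `rwl`, while the three neighbouring `@{HOME}/.gnupg/` rules visible in this hunk grant only `rw`. If the link permission answers an observed denial, say so in the commit message; if file locking was the intent, `k` is the lock permission, and otherwise `rw` keeps the rule consistent with its neighbours.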
Woohoo!
What's next left, DBus?
On 4/20/18 11:45 AM, intrigeri wrote:
Linux v4.17-rc1 now supports basic socket mediation, which will allow
us to close this bug report:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=56974a6fcfef69ee0825bd66ed13e92070ac5224
:)
Package: src:salt
Version: 2017.7.4+dfsg1-1
Severity: important
Dear Maintainer,
It seems that due to #893360 salt-master and salt-minion cannot be
installed.
salt-master depends on python3-zmq, meanwhile salt-common depends on
python3-tornado.
Since tornado breaks zmq (as in bug mentioned
rollopack, we have bug about having "proper" Firefox profile:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858174
Ubuntu Firefox _package_ project has profile that is updated time to
time, you can try that:
Control: tags -1 -pending
On 3/29/18 8:20 PM, intrigeri wrote:
Hi,
Vincas Dargis:
I do not see the need for migration of any kind. @{thunderbird_user_dirs} will
be set
to @{HOME}, so _by default profile will work the same as before_.
OP of this bug report will be able to extend
On 3/26/18 7:16 PM, Carsten Schoenert wrote:
I haven't much time for this right now, so I've disabled the
crashreporter for now because it's not that useful without the symbols
uploaded to Mozilla.
OK, thanks for explanation!
I have installed thunderbird 58.0~b3-1 from experimental and
thunderbird-dbgsym from experimental-debug, and I am pretty sure that
debug symbols are there.
This is gdb backtrace when I send `killall -SIGSEGV thunderbird`:
```
Thread 1 "thunderbird" received signal SIGSEGV, Segmentation fault.
```
On 3/17/18 7:28 PM, Luca Boccassi wrote:
> Optirun never supported Vulkan. That's a known missing feature, and I
> don't think it will be implemented any time soon.
Oh, that's unfortunate.
So laptop users have to move away from switchable graphics and have
NVIDIA running all the time in order to
After latest update, I no longer see errors with `vulkaninfo` and
`vulkan-smoketest`, though for some reason it seems that it's running
Mesa graphics with `optirun vulkaninfo-smoketest`, not NVIDIA:
```
$ optirun vulkan-smoketest
INTEL-MESA: warning: Haswell Vulkan support is incomplete
```
On Fri, 16 Feb 2018 08:48:06 -0700 Thomas Vaughan
wrote:
I see that this bug is closed, but I see something similar in my
system log. I am running Debian unstable updated as of yesterday. It
seems that libreoffice is trying to make use of OpenCL, and I have a
couple of
On 3/4/18 1:52 PM, Rene Engelhard wrote:
On Sat, Mar 03, 2018 at 03:10:45PM +0200, Vincas Dargis wrote:
I'm on switching laptop (Intel + NVIDIA). Maybe I have to enable OpenCL for
Libreoffice somehow?
Tools->Options-OpenCL. Though that setting doesn't persist here,
probably because LO noti
On 3/4/18 1:52 PM, Rene Engelhard wrote:
Tools->Options-OpenCL. Though that setting doesn't persist here,
probably because LO notices I don't have a working OpenCL config..
After some testing, it seems that OpenCL option persist for me only if I
launch LO through `optirun` command, that
On Mon, 11 Jun 2018 20:20:18 +0300 Rémi Denis-Courmont wrote:
You either have to use libav, or a more recent FFmpeg, or manually turn off
threaded decoding in VLC preferences.
What FFmpeg version I should build VLC with for threading to work, can
I simply grab the latest
On Thu, 28 Jun 2018 09:42:41 +0200 Benjamin Drung
wrote:
On Saturday, 16.06.2018 at 22:02 +0300, Vincas Dargis wrote:
> 2017.7.6 is released now [0], could this fix the issue?
>
> [0] https://docs.saltstack.com/en/latest/topics/releases/2017.7.6.html
Sadly no, since we use
On 6/29/18 2:51 PM, Rémi Denis-Courmont wrote:
On Thursday, 28 June 2018, 18:52:46 EEST, Vincas Dargis wrote:
On Mon, 11 Jun 2018 20:20:18 +0300 Rémi Denis-Courmont wrote:
You either have to use libav, or a more recent FFmpeg, or manually turn
off threaded decoding in VLC
I believe I would just revert that change which introduced variable in profile
name.
It was just a way to reduce small duplication, it's not critical at all. Change was made in the
spirit of "RFC: using variables to make profiles more flexible" thread [0], but looks like we just
need to wait a
Package: munin-plugins-core
Version: 2.0.37-1~bpo9+1
Severity: normal
Dear Maintainer,
I have upgraded munin from stretch-backports, to overcome incompatibilities with
PostgreSQL 10:
```
# apt-cache policy munin-node munin-plugins-core | fgrep Installed
Installed: 2.0.37-1~bpo9+1
Installed:
```
On 2018-10-30 20:59, intrigeri wrote:
Vincas Dargis:
intrigeri, what is rationale for upping it to "normal"?
What do you mean? Today I merely tagged this bug "upstream".
Oh, sorry, right, it was changed from wishlist to normal in "Sun, 29 Oct 2017 11:21:06 GM
intrigeri, what is rationale for upping it to "normal"?
Maybe you would like/expect to have it in Buster? Maybe some one plans to upstream Ubuntu profile,
etc. :)
I would really like to have it, but looking at Thunderbird experience, we kinda lack abstractions
for launching almost arbitrary
This deny does reproduce on Stretch too, but not on Jessie.
I guess I could just provide backport for Salsa repository for Stretch, as it is irrelevant for
Buster or any new release, as it's fixed in newer AppArmor itself.
On Wed, 24 Oct 2018 01:14:54 +0200 Lars Kruse wrote:
Could you please check whether reverting the changes introduced with
https://github.com/munin-monitoring/munin/commit/d7e138176e9a09b883031544e523e33e5ef9238b
would fix this issue for you?
Yes, commenting out "paramdatabase" line in _locks
Control: tags -1 +patch
Control: forwarded -1 https://gitlab.com/apparmor/apparmor/merge_requests/62
On Wed, 19 Sep 2018 19:10:48 +0200 intrigeri wrote:
> It appears that Thunderbird now needs access to /etc/ld.so.conf on
> Stretch, while AppArmor profile does not allow that:
What's the
On Mon, 29 Oct 2018 20:32:21 +0200 Vincas Dargis wrote:
Looks like I've already fixed it some time ago:
Although, that's only for latest AppArmor, meanwhile it will not help for Debian Stable releases. On
the other hand, maybe deny is introduced by some newer library, which is only available
On Fri, 9 Nov 2018 14:25:12 +0100 Jakub Wilk wrote:
> It's still reproducible for me:
$ strace -o '| grep -w EACCES' /usr/lib/firefox-esr/firefox-bin
...
openat(AT_FDCWD, "/usr/share/fonts/truetype/mononoki/.uuid.TMP-lrzetE",
O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_CLOEXEC, 0600) = -1 EACCES
This is the content of file:
```
# cat /usr/lib/tmpfiles.d/munin-node.conf
# keep in sync with debian/munin.munin-(node|async).init (non-systemd)
d /run/munin 0755 munin munin
d /var/log/munin 0755 munin adm
```
Package: munin-node
Version: 2.0.42-5~bpo9+1
Severity: minor
Dear Maintainer,
After upgrading to 2.0.42-5 from backports, logcheck on multiple Stretch
machines started to capture this new message:
```
Nov 14 22:25:04 dl380 systemd-tmpfiles[13769]:
[/usr/lib/tmpfiles.d/munin-node.conf:2]
```
Control: fixed -1 2.13.1-2
I cannot reproduce this any more, thanks!
Ping?
We have now mesa abstraction in Buster that fixes this bug... but so what? I guess I'll have to add
yet another [0] backport to upstream profile because it exists not only for Buster...
I am thinking to propose LibreOffice upstream to split profile into apparmor-x.yz directories to
match
https://salsa.debian.org/mozilla-team/thunderbird/merge_requests/2
I am removing variable usage in Thunderbird profile name:
https://gitlab.com/apparmor/apparmor-profiles/merge_requests/31
Freecad crashes while importing any .svg:
1. Open Inkscape
2. Save to "drawing.svg" or whatever (yes, empty file)
3. Launch Freecad
4. File -> New
5. File -> Import -> select drawing.svg -> check "SVG as geometry" -> Select ->
Crash happens:
```
Thread 1 "freecad" received signal SIGSEGV,
```
Running `sudo fc-cache -f` didn't help.
On 9/19/18 8:10 PM, intrigeri wrote:
It appears that Thunderbird now needs access to /etc/ld.so.conf on
Stretch, while AppArmor profile does not allow that:
What's the practical effect of this denial, if any?
I haven't noticed any negative effects so far.
I believe the "perfect" solution would be to implement a child profile, that would allow only to
launch browsers, as far as I can see, only links (not attachments) are opened with this new gio
helper.
Consider:
```
...
/usr/lib/@{multiarch}/glib-[0-9].[0-9]/gio-launch-desktop Cx ->
```
On Thu, 20 Sep 2018 16:53:44 -0400 Anthony DeRobertis wrote:
> would make sense to allow a mail program to read ~/.mailcap (and execute
> the programs found there, no idea how that's done in apparmor)
Allowing to read that file will be trivial, but AppArmor will not be able to parse it and
Package: firefox
Version: 62.0.2-1
Severity: normal
Tags: upstream
Dear Maintainer,
I am using Firefox confined with "unofficial" AppArmor profile, and
noticed that this produces a lot of strange denials, as Firefox for
unknown reason tries to write to the /usr/* directories, something to do
Looks like Thunderbird behaves the same:
```
type=AVC msg=audit(1538066122.223:896): apparmor="DENIED" operation="mknod" profile="thunderbird"
name="/usr/share/fonts/X11/encodings/large/.uuid.TMP-7ayDB6" pid=9152 comm="thunderbird" requested_mask="c" denied_mask="c" fsuid=1000
ouid=1000
```
Yep, same issue with Kate text editor, and yes, it's fontconfig:
```
Thread 1 "kate" hit Catchpoint 1 (returned from syscall openat), 0x75e42e69 in __libc_open64
(file=0x55930da0 "/usr/share/fonts/type1/gsfonts/.uuid", oflag=524288) at
../sysdeps/unix/sysv/linux/open64.c:47
47
```
I've started discussion in debian-i18n list, asking for guidance:
https://lists.debian.org/debian-i18n/2019/01/msg0.html
On 2019-01-04 14:05, Yangfl wrote:
I'd love to see any improvement in program quality. As you're willing
to create the AppArmor profile, I'd like to suggest you to directly
submit your changes to upstream; just open a pr in their github repo
https://github.com/qTox/qTox .
I have mixed feelings
On 2019-01-05 14:33, intrigeri wrote:
> Vincas Dargis:
intrigeri what's your take on this? Where should new profiles be
"placed"?
Having the policy live along with the software it confines, i.e.
in the upstream VCS, is ideal, as long as upstream somewhat cares
about it
Yea
https://github.com/qTox/qTox/issues/5484
Package: apparmor
Version: 2.13.2-3
Severity: normal
Tags: upstream patch
Dear Maintainer,
After recent Mesa updates on Sid, new denies are produced by some
applications:
```
type=AVC msg=audit(1547905564.212:523): apparmor="DENIED"
operation="open" profile="supertuxkart"
```
Package: src:vlc
Version: 3.0.6-0+deb9u1
Severity: normal
Dear Maintainer,
This is how I try to capture Desktop:
* Launch VLC
* Go to File -> Convert / Save -> Capture Devices
* Select Desktop, enter 10fps, click Convert / Save button
* Select Video - MPEG-2... (or different, doesn't matter)
*
Package: smartmontools
Version: 6.5+svn4324-1
Severity: wishlist
Tags: upstream
Dear Maintainer,
Using Areca official proprietary `cli64` [0] utility to check
raidset/volume status (used by Nagios/Icinga monitoring tools) produces
"conflict" with `smartctl`. Munin and smartd monitoring fails at