There is precedent in /etc/apparmor.d/abstractions/base holding various rules
like these:

$ grep etc_ro /etc/apparmor.d/abstractions/base
@{etc_ro}/locale/** r,
@{etc_ro}/locale.alias r,
@{etc_ro}/localtime r,
@{etc_ro}/bindresvport.blacklist r,
@{etc_ro}/ld.so.cache mr,
@{etc_ro}/ld.so.conf r,
@{etc_ro}/ld.so.conf.d/{,*.conf} r,
@{etc_ro}/ld.so.preload r,
@{etc_ro}/ld-musl-*.path r,

I'd think the better fix is to allow it there.

Actually, base isn't the best.
I think it should go into /etc/apparmor.d/abstractions/crypto (which is
included by base).

If Adrien knows about similar, "whoever uses it should have read access to that
config to restrict it accordingly" config files, we might want to add them all
in one block there.
--
https://bugs.launchpad.net/bugs/2056739
Title:
apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config"