Update base abstraction for ld.so.conf and friends. (!62) · Merge requests · AppArmor / apparmor

Vincas Dargis requested to merge Talkless/apparmor:update-base-abstraction into master Jan 24, 2018

Fix denies for latest Thunderbird and Firefox on Debian Sid due to missing access to /etc/ld.so.conf and /etc/ld.so.conf.d/*.

First part of denies:

type=AVC msg=audit(1516811327.399:155): apparmor="DENIED" operation="open" profile="thunderbird" name="/etc/ld.so.conf" pid=2304 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1516814919.389:232): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/etc/ld.so.conf" pid=12602 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

After allowing to read .conf file:

type=AVC msg=audit(1516815161.224:377): apparmor="DENIED" operation="open" profile="thunderbird" name="/etc/ld.so.conf.d/fakeroot-x86_64-linux-gnu.conf" pid=13236 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1516815161.224:378): apparmor="DENIED" operation="open" profile="thunderbird" name="/etc/ld.so.conf.d/zz_x32-biarch-compat.conf" pid=13236 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1516815161.224:379): apparmor="DENIED" operation="open" profile="thunderbird" name="/etc/ld.so.conf.d/i386-linux-gnu.conf" pid=13236 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1516815161.224:380): apparmor="DENIED" operation="open" profile="thunderbird" name="/etc/ld.so.conf.d/zz_i386-biarch-compat.conf" pid=13236 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
<and mutch more>

Partially fixes (not the main issue): https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887973

Edited Jan 26, 2018 by Vincas Dargis

Update base abstraction for ld.so.conf and friends.

Merge request reports