Ticket #166 (new task)

Opened 8 months ago

Last modified 5 months ago

Report /etc/krb5.conf apparmor issue upstream

Reported by: tabbott
Owned by:
Priority: major
Milestone: Upstream Utopia
Component: --
Keywords:
Cc:
Upstream bug: LP:132468 LP:203898

Description

r23642 introduced a workaround for apparmor complaints about /etc/krb5.conf being a symlink. We should report the issue upstream.

Change History

Changed 8 months ago by broder

  • component changed from dotfiles to default

Changed 8 months ago by geofft

 https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/132468
and
 https://bugs.launchpad.net/ubuntu/+source/openldap2.3/+bug/203898

are two cases where Ubuntu ran into this issue themselves. In the first case they added /var/run/resolvconf/resolv.conf to the AppArmor profile; in the second case they switched to hardlinks. On the assumption that hardlinks are not an option for Debian diversions, what we're doing now (diverting and transforming the AppArmor profile) appears to be what we should do.

dtchen, some dude on #ubuntu-devel, indicated that he was interested in seeing this too, so proposing something to upstream to solve this in general wouldn't be out of the question.

This is, though, slightly harder than "AppArmor should follow symlinks" -- it is certainly the case that a program protected by AppArmor that needs to write to a config file in your homedir _shouldn't_ follow symlinks, if it's able to create that file as a symlink to some arbitrary other place. Perhaps we can mark /etc/krb5.conf (being in a safe directory) as a file that is safe to follow symlinks through, with another AppArmor permission.
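
Added example (not part of the ticket and not the project's own transformation): one way to script the "add the symlink target to the profile" workaround discussed in the comment above, expanding only symlinks that live in a trusted directory. The function name, the `trusted_dirs` parameter and the sample layout are assumptions for illustration, and only simple one-line file rules are handled.

```python
import os
import re
import tempfile

# A simple AppArmor file rule: "<indent><absolute path> <permissions>,"
RULE = re.compile(r"^(\s*)(/\S+)\s+([rwaklmix]+),\s*$")

def add_symlink_targets(profile_text, trusted_dirs):
    """Add a rule for the resolved target of each symlinked path in the profile.

    Only symlinks whose parent directory is under trusted_dirs are expanded.
    Symlinks elsewhere (a home directory, say) are left alone, because whoever
    can create the link could point it at an arbitrary file.
    """
    trusted = tuple(os.path.join(os.path.realpath(d), "") for d in trusted_dirs)
    lines = profile_text.splitlines()
    known = {m.group(2) for m in map(RULE.match, lines) if m}
    out = []
    for line in lines:
        out.append(line)
        m = RULE.match(line)
        if not m or not os.path.islink(m.group(2)):
            continue
        indent, path, perms = m.groups()
        parent = os.path.join(os.path.realpath(os.path.dirname(path)), "")
        target = os.path.realpath(path)
        if parent.startswith(trusted) and target not in known:
            out.append(f"{indent}# target of symlink {path}")
            out.append(f"{indent}{target} {perms},")
            known.add(target)
    return "\n".join(out) + ("\n" if profile_text.endswith("\n") else "")

if __name__ == "__main__":
    # Constructed layout in a temp dir standing in for /etc and a home directory.
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        etc, home = os.path.join(root, "etc"), os.path.join(root, "home")
        os.mkdir(etc); os.mkdir(home)
        real = os.path.join(root, "krb5.conf.real")
        open(real, "w").close()
        os.symlink(real, os.path.join(etc, "krb5.conf"))
        os.symlink(real, os.path.join(home, "app.conf"))
        profile = f"  {etc}/krb5.conf r,\n  {home}/app.conf rw,\n"
        print(add_symlink_targets(profile, [etc]), end="")
```

Running the transformation a second time over its own output adds nothing, since the target path is then already covered by a rule.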

Changed 5 months ago by jdreed

  • see_also set to LP:132468 LP:203898
  • milestone set to Upstream Utopia