Ticket #601 (closed defect: fixed)
apparmor homedirs should include /afs/athena/user/*/*/
Reported by: | geofft | Owned by: | gdb |
---|---|---|---|
Priority: | low | Milestone: | The Distant Future |
Component: | -- | Keywords: | |
Cc: | | Fixed in version: | |
Upstream bug: | | | |
Description
I'm seeing this sort of thing in dmesg on debathena-workstation on Karmic:
[1092648.801173] type=1503 audit(1275579304.532:1014): operation="mknod" pid=12569 parent=1 profile="/usr/bin/evince" requested_mask="w::" denied_mask="w::" fsuid=40490 ouid=40490 name="/afs/athena.mit.edu/user/g/e/geofft/.recently-used.xbel.LUR1DV"
[1092650.215497] type=1503 audit(1275579305.945:1015): operation="truncate" pid=12569 parent=1 profile="/usr/bin/evince" requested_mask="w::" denied_mask="w::" fsuid=40490 ouid=40490 name="/afs/athena.mit.edu/user/g/e/geofft/.gnome2/evince/ev-metadata.xml"
/etc/apparmor.d/usr.bin.evince uses @{HOME} in a couple of places, and includes, eventually, /etc/apparmor.d/tunables/home, which has the following two rules:
@{HOME}=@{HOMEDIRS}/*/ /root/
@{HOMEDIRS}=/home/
I think it makes sense to add Athena AFS homedir paths to @{HOMEDIRS}. But I'm kind of hesitant to suggest changes to AppArmor config in general...
Change History
comment:3 Changed 14 years ago by andersk
- Summary changed from apparmor homedirs should include /afs/athena/user/*/*/*/ to apparmor homedirs should include /afs/athena/user/*/*/
For @{HOMEDIRS}, you mean /afs/athena.mit.edu/user/?/?/ and /afs/athena.mit.edu/user/other/, respectively. (Also /afs/sipb.mit.edu/user/.)
It looks like Lucid at least has an /etc/apparmor.d/tunables/home.d that we could just drop a file into, although I have no doubt that doesn't go back as far as we'd like.
Either way, this would be a good thing to roll into the new debathena-apparmor-config package that gdb is working on.
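To check whether a proposed @{HOMEDIRS} value would actually cover the denials in the ticket's dmesg output, here is an added example (not code from the ticket or from debathena-apparmor-config) that parses the type=1503 audit lines and tests each denied path against the @{HOME} expansion from tunables/home. It assumes only AppArmor's single-component `*` and `?` globbing (no `**` or `{a,b}` alternation), which is all the @{HOME} tunable uses.

```python
import re

# The two AppArmor denials quoted in the ticket (constructed copy of the dmesg lines).
DMESG = """\
[1092648.801173] type=1503 audit(1275579304.532:1014): operation="mknod" pid=12569 parent=1 profile="/usr/bin/evince" requested_mask="w::" denied_mask="w::" fsuid=40490 ouid=40490 name="/afs/athena.mit.edu/user/g/e/geofft/.recently-used.xbel.LUR1DV"
[1092650.215497] type=1503 audit(1275579305.945:1015): operation="truncate" pid=12569 parent=1 profile="/usr/bin/evince" requested_mask="w::" denied_mask="w::" fsuid=40490 ouid=40490 name="/afs/athena.mit.edu/user/g/e/geofft/.gnome2/evince/ev-metadata.xml"
"""

# Stock tunables/home defines @{HOMEDIRS}=/home/ and @{HOME}=@{HOMEDIRS}/*/ /root/
STOCK_HOMEDIRS = ["/home/"]
# Roots proposed in the ticket discussion (Athena locker layout plus the SIPB cell).
ATHENA_HOMEDIRS = STOCK_HOMEDIRS + [
    "/afs/athena.mit.edu/user/?/?/",
    "/afs/athena.mit.edu/user/other/",
    "/afs/sipb.mit.edu/user/",
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_denials(text):
    """Return (profile, operation, path) for each type=1503 line carrying a denied_mask."""
    out = []
    for line in text.splitlines():
        if "type=1503" not in line:
            continue
        fields = dict(FIELD_RE.findall(line))
        if fields.get("denied_mask"):
            out.append((fields["profile"], fields["operation"], fields["name"]))
    return out


def glob_to_re(glob):
    """AppArmor globbing: '*' and '?' never cross a '/' (unlike Python's fnmatch)."""
    parts = []
    for ch in glob:
        parts.append("[^/]*" if ch == "*" else "[^/]" if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts))


def covered_by_home(path, homedirs):
    """True if path lies under one of the directories @{HOME} would expand to."""
    home_globs = [h.rstrip("/") + "/*/" for h in homedirs] + ["/root/"]
    return any(glob_to_re(g).match(path) for g in home_globs)


def uncovered_denials(text, homedirs):
    """Denied paths that the given @{HOMEDIRS} would still leave outside @{HOME}."""
    return [p for _, _, p in parse_denials(text) if not covered_by_home(p, homedirs)]
```

With the stock value both evince denials stay uncovered; with the Athena roots added, `uncovered_denials` returns an empty list, which is the outcome a tunables/home.d drop-in would need to produce.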