touch-packages team mailing list archive

[Bug 1293439] Re: Apparmor prevents icedtea-7-plugin from creating necessary files

 

So the particular denials from the kernel log for this bug would require
adding

   /run/user/1000/icedteaplugin-pseudo-*/ w,

to the /usr/lib/firefox/firefox{,*[^s][^h]} profile.

However, from the Ask Ubuntu question there is a larger problem.

1st: You can manually put the subprofiles into complain mode by adding flags=(complain) to the profiles,
e.g.
  /usr/lib/firefox/firefox{,*[^s][^h]}//browser_java  flags=(complain) {
     ...
  }


I took a pass through the DENIED messages in the Ask Ubuntu question, and a first pass at the rules to add to /usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk follows. Please note there may be more denied messages after these are added. Also, you should check /var/log/syslog for denied messages, because Ubuntu has turned on extended dbus mediation and its denials do not go to the kernel ring buffer. Also, this profile should be reloaded to make sure the new rules are added.

   /usr/bin/logger Pix,  # choose transition that makes sense for your profiles

   /proc/sys/net/ipv4/ip_local_port_range r,
   /proc/@{pid}/cmdline r,

   owner @{HOME}/.mozilla/firefox/profiles.ini r,
   owner /run/user/1000/dconf/user rw,
   owner /run/user/1000/icedteaplugin-franck-OzMRPQ/4468-icedteanp-plugin-to-appletviewer r,

   unix peer=(addr=@/tmp/dbus-* label=unconfined),

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1293439

Title:
  Apparmor prevents icedtea-7-plugin from creating necessary files

Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  Apparmor prevents icedtea-7-plugin from creating
  /run/user/<UID>/icedteaplugin-<login>-<random>/, needed to work:

  Mar 17 10:48:52 ad2 kernel: [2831863.964092] type=1400
  audit(1395046132.183:851): apparmor="DENIED" operation="mkdir"
  parent=6425 profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
  name="/run/user/1000/icedteaplugin-pseudo-7DURO0/" pid=30285 comm
  ="plugin-containe" requested_mask="c" denied_mask="c" fsuid=1000
  ouid=1000

  ~> lsb_release -rd
  Description:	Ubuntu 13.10
  Release:	13.10

  ~> apt-cache policy apparmor
  apparmor:
    Installed: 2.8.0-0ubuntu31.1
    Candidate: 2.8.0-0ubuntu31.1
    Version table:
   *** 2.8.0-0ubuntu31.1 0
          500 http://archive.ubuntu.com/ubuntu/ saucy-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       2.8.0-0ubuntu31 0
          500 http://archive.ubuntu.com/ubuntu/ saucy/main amd64 Packages

  ProblemType: Bug
  DistroRelease: Ubuntu 13.10
  Package: apparmor 2.8.0-0ubuntu31.1
  ProcVersionSignature: Ubuntu 3.11.0-15.25-generic 3.11.10
  Uname: Linux 3.11.0-15-generic x86_64
  ApportVersion: 2.12.5-0ubuntu2.2
  Architecture: amd64
  Date: Mon Mar 17 10:59:53 2014
  MarkForUpload: True
  ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-3.11.0-15-generic root=UUID=16001ea5-4e94-44ae-9838-da89b0f3f88e ro
  SourcePackage: apparmor
  Syslog:
   
  UpgradeStatus: Upgraded to saucy on 2013-09-10 (187 days ago)
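
Added example (not part of the original bug mail and not AppArmor's own tooling): a Python helper that parses the DENIED record from the bug description, including the mail line wrap that splits `comm` from its `=`, and turns it into a candidate file rule to review before adding it to the profile. The function names and the six-character random-suffix heuristic are assumptions made for this example.

```python
import re

# Constructed sample: the denial from the bug description, line-wrapped as mail wraps it.
SAMPLE = '''Mar 17 10:48:52 ad2 kernel: [2831863.964092] type=1400
  audit(1395046132.183:851): apparmor="DENIED" operation="mkdir"
  parent=6425 profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
  name="/run/user/1000/icedteaplugin-pseudo-7DURO0/" pid=30285 comm
  ="plugin-containe" requested_mask="c" denied_mask="c" fsuid=1000
  ouid=1000'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log mask letter -> profile permission; create (c) and delete (d) fall under w.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "k": "k", "l": "l", "m": "m"}

def parse_denial(text):
    """Return the key=value fields of one DENIED record, or None."""
    # Undo mail line wrapping, including a break between a key and its '='.
    line = re.sub(r"\s+=", "=", " ".join(text.split()))
    fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def candidate_rule(fields, owner=False):
    """Build a file rule for review; None when the denial is not a plain file access."""
    mask, path = fields.get("denied_mask", ""), fields.get("name", "")
    if not path.startswith("/") or not mask or set(mask) - set(MASK_TO_PERM):
        return None  # exec (x) denials need a transition choice such as Pix
    perms = {MASK_TO_PERM[c] for c in mask}
    if "w" in perms:
        perms.discard("a")  # w and a cannot be combined in one rule
    # Assumption: a trailing 6-character mkdtemp-style suffix is random per run.
    path = re.sub(r"-[A-Za-z0-9]{6}(?=/|$)", "-*", path)
    prefix = "owner " if owner and fields.get("fsuid") == fields.get("ouid") else ""
    return f'{prefix}{path} {"".join(sorted(perms, key="rwaklm".index))},'

if __name__ == "__main__":
    f = parse_denial(SAMPLE)
    print(f["profile"], "->", candidate_rule(f))
```

The generated rule is a starting point only: the profile named in the `profile=` field is the one to edit, and it must be reloaded afterwards, as the message above notes.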
