Bug #15965
AppArmor logs denials for access to /usr/local/share/mime
100%
Description
This creates lots of noise in the logs which makes it harder to develop, debug, and analyze bug reports.
I think this is a regression brought by the VeraCrypt work which created that directory.
IIRC the freedesktop.org abstraction was updated upstream to support these paths => we should backport this.
Subtasks
History
#1 Updated by segfault 2018-09-26 18:27:49
- Assignee changed from segfault to intrigeri
- QA Check set to Info Needed
You are right, this is fixed upstream by allowing access to @{system_share_dirs}/mime/** instead of only /usr/share/mime/**. @{system_share_dirs} is defined in tunables/share, which is imported in tunables/global.
I’m wondering whether we want our patch to be closer to upstream, i.e. also create tunables/share and import it in tunables/global, or if we prefer our patch to be smaller, i.e. just change /usr/share/mime** to /usr/{local/,}share/mime/** in abstractions/freedesktop.org.
#2 Updated by intrigeri 2018-09-27 13:31:25
- Assignee changed from intrigeri to segfault
- QA Check deleted (Info Needed)
segfault wrote:
> You are right, this is fixed upstream by allowing access to @{system_share_dirs}/mime/** instead of only /usr/share/mime/**. @{system_share_dirs} is defined in tunables/share, which is imported in tunables/global.
>
> I’m wondering whether we want our patch to be closer to upstream, i.e. also create tunables/share and import it in tunables/global, or if we prefer our patch to be smaller, i.e. just change /usr/share/mime** to /usr/{local/,}share/mime/** in abstractions/freedesktop.org.
tunables/share was introduced to support Flatpak directories. I don’t think we need to backport that complexity.
#3 Updated by segfault 2018-10-07 20:02:56
- % Done changed from 0 to 10
- Feature Branch set to bugfix/15965-fix-apparmor-spamming-log
I pushed a commit, but I can’t test it right now because of Bug #16032.
#4 Updated by segfault 2018-10-14 15:01:25
- Status changed from Confirmed to In Progress
Applied in changeset commit:a49357af58b3f8a6dd83ffe20746967a749f976a.
#5 Updated by segfault 2018-10-14 17:25:26
- Assignee changed from segfault to intrigeri
- QA Check set to Ready for QA
Tested it, seems to work
#6 Updated by intrigeri 2018-10-15 08:46:33
- Assignee changed from intrigeri to segfault
- QA Check changed from Ready for QA to Dev Needed
* /usr/{local/},share/mime (alternation with a single candidate) is equivalent to /usr/local/,share/mime (literal path) so I don’t know how it can work. I guess you meant /usr/{local/,}share/mime. Are you sure you tested commit:a49357af58b3f8a6dd83ffe20746967a749f976a, as opposed to a locally fixed version that you forgot to push?
* Please rebase the branch on stable so we can fix this without waiting for the next major release in 3 months :)
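Added example, not part of the ticket or of the Tails or AppArmor code: a small Python check of the brace alternation discussed in comment #6, comparing the original rule, the mistyped rule and the intended rule. It assumes the reading given in that comment (a single-candidate group is just its literal content) and simplified glob matching; the `mime.cache` paths and the `/**` suffix on the mistyped rule are constructed for illustration.

```python
import re

# Rules from the ticket; the "/**" suffix on TYPO is added here for comparison.
ORIGINAL = "/usr/share/mime/**"
TYPO = "/usr/{local/},share/mime/**"
FIXED = "/usr/{local/,}share/mime/**"

def expand_alternations(rule):
    """Expand {a,b} groups (nesting allowed) into every concrete pattern."""
    start = rule.find("{")
    if start == -1:
        return [rule]
    depth, parts, cur = 0, [], ""
    for i in range(start, len(rule)):
        ch = rule[i]
        if ch == "{":
            depth += 1
            if depth == 1:
                continue          # opening brace of the group being split
        elif ch == "}":
            depth -= 1
            if depth == 0:        # group closed: substitute each candidate
                parts.append(cur)
                head, tail = rule[:start], rule[i + 1:]
                return [p for alt in parts
                        for p in expand_alternations(head + alt + tail)]
        elif ch == "," and depth == 1:
            parts.append(cur)     # top-level comma separates candidates
            cur = ""
            continue
        cur += ch
    raise ValueError("unbalanced '{' in rule: " + rule)

def to_regex(pattern):
    """Simplified globbing (assumption): '**' crosses '/', '*' does not."""
    tokens = re.split(r"(\*\*|\*)", pattern)
    table = {"**": ".*", "*": "[^/]*"}
    return re.compile("".join(table.get(t, re.escape(t)) for t in tokens) + r"\Z")

def allows(rule, path):
    return any(to_regex(p).match(path) for p in expand_alternations(rule))

if __name__ == "__main__":
    # Constructed sample paths, not taken from the ticket's logs.
    for path in ("/usr/share/mime/mime.cache", "/usr/local/share/mime/mime.cache"):
        for name, rule in (("original", ORIGINAL), ("typo", TYPO), ("fixed", FIXED)):
            print(f"{name:8} {rule:30} {path:34} {'allow' if allows(rule, path) else 'DENY'}")
```

Running a check like this against a profile change before review catches a misplaced comma, because the expanded pattern list shows exactly which literal paths the rule covers.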
#7 Updated by segfault 2018-10-15 19:50:56
- Assignee changed from segfault to intrigeri
- QA Check changed from Dev Needed to Ready for QA
intrigeri wrote:
> * /usr/{local/},share/mime (alternation with a single candidate) is equivalent to /usr/local/,share/mime (literal path) so I don’t know how it can work. I guess you meant /usr/{local/,}share/mime. Are you sure you tested commit:a49357af58b3f8a6dd83ffe20746967a749f976a, as opposed to a locally fixed version that you forgot to push?
> * Please rebase the branch on stable so we can fix this without waiting for the next major release in 3 months :)
Fixed
#8 Updated by intrigeri 2018-10-16 08:18:17
- % Done changed from 10 to 60
Code review passes! Testing.
#9 Updated by intrigeri 2018-10-16 09:23:03
- Status changed from In Progress to Fix committed
- Assignee deleted (intrigeri)
- % Done changed from 60 to 100
- QA Check changed from Ready for QA to Pass
Merged.
#10 Updated by CyrilBrulebois 2018-10-24 11:19:00
- Status changed from Fix committed to Resolved