(X)ubuntu AppArmor permission problem

Asked by A. Denton on 2009-06-12

Hello!

- I configured Xubuntu's AppArmor to my needs and installed the package with additional rules. I also started to create one for the "/usr/bin/wineserver" process since I think that needs to be secured too.

LOCATION: /etc/apparmor.d/usr.bin.wineserver
MODE : complain

# Last Modified: Wed Jun 10 19:21:16 2009
#include <tunables/global>
/usr/bin/wineserver flags=(complain) {
  #include <abstractions/base>

  capability net_bind_service,

  /usr/bin/wineserver mr,
  /etc/nsswitch.conf r,
  /etc/passwd mr,
  /etc/ld.so.cache r,
  /home/denton/.desktop/* r,
  /home/denton/.ies4linux/ie6/* rw,
  /home/denton/.ies4linux/ie6/dosdevices/c: r,
  /home/denton/.ies4linux/ie6/drive_c/** rw,
  /lib/ld-2.7.so mr,
  /lib/tls/i686/cmov/libc-2.7.so mr,
  /lib/tls/i686/cmov/libdl-2.7.so mr,
  /lib/tls/i686/cmov/libnss_compat-2.7.so mr,
  /lib/tls/i686/cmov/libnsl-2.7.so mr,
  /lib/tls/i686/cmov/libnss_nis-2.7.so mr,
  /lib/tls/i686/cmov/libnss_files-2.7.so mr,
  /tmp/.wine-1000/** mr,
  /usr/lib/libwine.so.1.0 mr,
}

- Unfortunately the log under "/var/log/audit/audit.log" gives me this output:

type=APPARMOR_ALLOWED msg=audit(1244837586.256:7): type=1502 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/home/denton/.ies4linux/ie6/" pid=5630 profile="/usr/bin/wineserver" namespace="default"

type=APPARMOR_ALLOWED msg=audit(1244837586.256:8): type=1502 operation="inode_mkdir" requested_mask="w::" denied_mask="w::" name="/tmp/.wine-1000/" pid=5630 profile="/usr/bin/wineserver" namespace="default"

type=APPARMOR_ALLOWED msg=audit(1244837586.256:9): type=1502 operation="inode_mkdir" requested_mask="w::" denied_mask="w::" name="/tmp/.wine-1000/server-806-384047/" pid=5630 profile="/usr/bin/wineserver" namespace="default"

type=APPARMOR_ALLOWED msg=audit(1244837586.256:10): type=1502 operation="inode_create" requested_mask="w::" denied_mask="w::" name="/tmp/.wine-1000/server-806-384047/lock" pid=5631 profile="/usr/bin/wineserver" namespace="default"

type=APPARMOR_ALLOWED msg=audit(1244837586.256:11): type=1502 operation="file_lock" requested_mask="wk::" denied_mask="wk::" name="/tmp/.wine-1000/server-806-384047/lock" pid=5631 profile="/usr/bin/wineserver" namespace="default"

etc.

Does someone know why it complains about e.g. «requested_mask="r::" denied_mask="r::" name="/home/denton/.ies4linux/ie6/"» although «/home/denton/.ies4linux/ie6/* rw,» is set in my profile?

I appreciate any help. Thanks!

Question information

Language: English
Status: Solved
For: Ubuntu apparmor
Assignee: No assignee
Solved by: Steve Beattie
Solved: 2009-06-15
Last query: 2009-06-15
Last reply: 2009-06-15

Best Steve Beattie (sbeattie) said : #1

You need to add:

  /home/denton/.ies4linux/ie6/ r,

to your wineserver policy, as '/home/denton/.ies4linux/ie6/* rw,' matches anything in that directory, but not the directory itself.
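
Added example (not part of the answer above and not AppArmor's own code): a simplified Python model of AppArmor path globbing that replays two audit events from the question against the profile's rules and reports the permissions that no rule grants. The matcher approximates the real parser, and the names `glob_to_regex` and `uncovered` are made up for this sketch.

```python
import re

# Three path rules copied from the profile in the question (glob -> permissions).
RULES = {
    "/home/denton/.ies4linux/ie6/*": "rw",
    "/home/denton/.ies4linux/ie6/drive_c/**": "rw",
    "/tmp/.wine-1000/**": "mr",
}

# Two events copied from the question's audit log, trimmed to the fields used here.
EVENTS = [
    'operation="inode_permission" requested_mask="r::" name="/home/denton/.ies4linux/ie6/"',
    'operation="file_lock" requested_mask="wk::" name="/tmp/.wine-1000/server-806-384047/lock"',
]

FIELD = re.compile(r'(\w+)="([^"]*)"')


def glob_to_regex(glob):
    """Simplified model of AppArmor globbing (an assumption, not the real parser):
    '*' stays inside one path component, '**' may cross '/', and a wildcard
    directly after '/' must consume at least one character."""
    out, i = "", 0
    while i < len(glob):
        if glob[i] != "*":
            out += re.escape(glob[i])
            i += 1
            continue
        double = glob.startswith("**", i)
        first = "[^/]" if i > 0 and glob[i - 1] == "/" else ""
        out += first + (".*" if double else "[^/]*")
        i += 2 if double else 1
    return re.compile(out + r"\Z", re.DOTALL)


def uncovered(event, rules=RULES):
    """Return (path, permission letters requested but granted by no matching rule)."""
    fields = dict(FIELD.findall(event))
    wanted = set(fields["requested_mask"].split(":")[0])
    granted = set()
    for glob, perms in rules.items():
        if glob_to_regex(glob).match(fields["name"]):
            granted |= set(perms)
    return fields["name"], "".join(sorted(wanted - granted))


if __name__ == "__main__":
    fixed = {**RULES, "/home/denton/.ies4linux/ie6/": "r"}  # rule from the answer
    for event in EVENTS:
        print(uncovered(event), "->", uncovered(event, fixed))
```

In complain mode these gaps are only logged as APPARMOR_ALLOWED; the same requests would be denied once the profile is switched to enforce mode.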

A. Denton (aquina) said : #2

Thanks Steve Beattie, that solved my question.