FS#64890 - [libakonadi] Akonadi's AppArmor profile needs some fixes

Attached to Project: Arch Linux
Opened by Borislav Gerassimov (slimmer) - Thursday, 19 December 2019, 12:24 GMT
Last edited by Antonio Rojas (arojas) - Thursday, 26 December 2019, 08:41 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Antonio Rojas (arojas)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

Description:
The current version of akonadi's AppArmor profile (contained in the libakonadi package) is broken due to changes in mariadb's conf file locations. Here are some errors:
AVC apparmor="DENIED" operation="mkdir" profile="/usr/bin/akonadiserver" name="/run/user/1000/akonadi/" pid=8547 comm="akonadiserver" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
AVC apparmor="DENIED" operation="exec" profile="/usr/bin/akonadiserver" name="/usr/bin/mysqld" pid=8554 comm="akonadiserver" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="exec" profile="/usr/bin/akonadiserver" name="/usr/bin/mysqld" pid=8555 comm="akonadiserver" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="open" profile="mysqld_akonadi" name="/etc/ssl/openssl.cnf" pid=8556 comm="mysqladmin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

The profiles attached fix the denials that don't allow akonadi to start (and a denial to read /etc/openssl.cnf, I think it's important?!?). There are two more but they are not critical for the startup and I don't know how/if they should be addressed:
AVC apparmor="DENIED" operation="open" profile="/usr/bin/akonadiserver" name="/dev/tty" pid=15275 comm="akonadiserver" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
AVC apparmor="DENIED" operation="open" profile="mysqld_akonadi" name="/sys/block/" pid=15280 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Additional info:
libakonadi 19.12.0-1
mariadb 10.4.11-1

Steps to reproduce:
1. Re-/Boot the computer (in order /run/user/... to be clean).
2. Run "akonadictl start"
3. "journalctl -b" to see what's wrong

Fix:
I've attached the two profiles that make things work again. Bear in mind that I'm in no way expert in AppArmor/Security, so they may need editing.
   usr.bin.akonadiserver (1.7 KiB)
   mysqld_akonadi (0.9 KiB)
This task depends upon

Closed by  Antonio Rojas (arojas)
Thursday, 26 December 2019, 08:41 GMT
Reason for closing:  Fixed
Additional comments about closing:  akonadi 19.12.0-3
Comment by nl6720 (nl6720) - Thursday, 19 December 2019, 12:26 GMT
https://phabricator.kde.org/D25964
Comment by Borislav Gerassimov (slimmer) - Thursday, 19 December 2019, 12:30 GMT
Great! Hope to be available in the package soon...

Loading...