AppArmor doesn't support use of /etc/ssl/<servicename>

Bug #317109 reported by KarlGoetz
Affects               Status        Importance  Assigned to       Milestone
apparmor (Ubuntu)     Fix Released  Undecided   Jamie Strandboge
openldap2.3 (Ubuntu)  Invalid       Undecided   Unassigned

Bug Description

Binary package hint: apparmor

Ubuntu 8.04
Slapd as shipped
AppArmor as shipped.

When attempting to configure slapd (OpenLDAP) to use SSL, I set its SSL path to /etc/ssl/slapd/ and placed the keys in there (as is standard for services at this site).

AppArmor caused slapd to fail to start, as it couldn't read the keys it needed.
While it was a simple job to add the path into the AppArmor profile, finding the cause of the mystery failure took quite some time.

It would be great if /etc/ssl/<servicename> could be recognised by AppArmor.


Changed in apparmor:
assignee: nobody → jdstrand
status: New → Confirmed
Changed in openldap2.3:
assignee: nobody → jdstrand
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

I just checked the apparmor profiles for Hardy, Intrepid and Jaunty, and they all have (after including the abstractions):
  #include <abstractions/ssl_certs>
  /etc/ssl/private/ r,
  /etc/ssl/private/* r,

This works out to:
  /etc/ssl/ r,
  /etc/ssl/certs/ r,
  /etc/ssl/certs/* r,
  /etc/ssl/private/ r,
  /etc/ssl/private/* r,

I think if this is going to be fixed, it should be fixed in the apparmor package, so am moving it there. The question then becomes, should /etc/apparmor.d/abstractions/ssl_certs become:
  /etc/ssl/ r,
  /etc/ssl/* r,

This would obviate the need for references to /etc/ssl/private/ (and abstractions/ssl_keys on Jaunty). What do people think?

Changed in openldap2.3:
assignee: jdstrand → nobody
status: Confirmed → Invalid
Jamie Strandboge (jdstrand) wrote :

I meant to have:
  /etc/ssl/ r,
  /etc/ssl/** r,

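Added illustration of the `*` versus `**` distinction in the two comments above (this is not code from the bug report or from the AppArmor package): a small Python model of AppArmor path globbing showing that the first proposal, `/etc/ssl/*`, still would not have matched keys under the reporter's `/etc/ssl/slapd/` directory, while `/etc/ssl/**` does. The rule sets are typed in from the comments; the key filename is a constructed one.

```python
import re
from typing import List, Tuple

def aa_glob_to_regex(glob: str) -> "re.Pattern[str]":
    """Convert an AppArmor file-rule path glob into an anchored regex.
    Only the two wildcards at issue in this bug are modelled:
      **  any characters, '/' included, so it descends into subdirectories
      *   any characters except '/', i.e. exactly one path component
    Everything else is matched literally."""
    parts: List[str] = []
    i = 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*")
            i += 2
        elif glob[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")

def parse_rules(text: str) -> List[Tuple[str, str]]:
    """Parse plain 'path perms,' file rules like those quoted in the comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip().rstrip(",")
        if line and not line.startswith("#"):
            path, perms = line.split()
            rules.append((path, perms))
    return rules

def read_allowed(rules_text: str, path: str) -> bool:
    """True if at least one rule granting 'r' matches the path."""
    return any("r" in perms and aa_glob_to_regex(glob).match(path)
               for glob, perms in parse_rules(rules_text))

# Expanded shipped abstraction, the first proposal with '*', the corrected one with '**'.
SHIPPED = "/etc/ssl/ r,\n/etc/ssl/certs/ r,\n/etc/ssl/certs/* r,\n/etc/ssl/private/ r,\n/etc/ssl/private/* r,\n"
SINGLE_STAR = "/etc/ssl/ r,\n/etc/ssl/* r,\n"
DOUBLE_STAR = "/etc/ssl/ r,\n/etc/ssl/** r,\n"
SLAPD_KEY = "/etc/ssl/slapd/slapd.key"  # constructed key path under the reporter's per-service directory

if __name__ == "__main__":
    for name, rules in [("shipped", SHIPPED), ("/etc/ssl/*", SINGLE_STAR), ("/etc/ssl/**", DOUBLE_STAR)]:
        verdict = "allowed" if read_allowed(rules, SLAPD_KEY) else "DENIED"
        print(f"{name:12s} {SLAPD_KEY}: {verdict}")
```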
Jamie Strandboge (jdstrand) wrote :

I just committed a fix for this to bzr and it will be a part of the next upload to Jaunty.

Changed in apparmor:
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.3+1289-0ubuntu8

---------------
apparmor (2.3+1289-0ubuntu8) jaunty; urgency=low

  * abstractions/ssl_keys: allow read access to all of /etc/ssl (LP: #317109)
  * utils/SubDomain.pm: re-add dropped patch to not process disable/ as
    include files, and also don't process force-complain/ (LP: #331534)

 -- Jamie Strandboge <email address hidden> Thu, 12 Mar 2009 12:53:08 -0500

Changed in apparmor:
status: Fix Committed → Fix Released