[Apparmor-general] usr.X11R6.bin.acroread causes error message
Crispin Cowan
crispin at novell.com
Thu Jan 11 20:51:22 MST 2007
John Johansen wrote:
> On Sat, Jan 06, 2007 at 03:36:25AM +0100, Malte Gell wrote:
>
>> Nevertheless I get this error:
>>
>> Jan 6 03:14:44 linux kernel: SubDomain: REJECTING link access
>> from /home/malte_gell/.adobe/Acrobat/7.0/Cert/curl-ca-bundle.crt to
>> /usr/X11R6/lib/Acrobat7/Reader/Cert/curl-ca-bundle.crt (acroread(32553)
>> profile /usr/X11R6/bin/acroread active /usr/X11R6/bin/acr
>> oread)
>>
> currently AA requires that
> 1. link being created has the l permission
> 2. the link and the target of the link have the same AA permissions
> (excluding the link permission)
>
> in this case 1. is satisfied but the link only has rw while the target
> has mixr, so AA won't allow this link to be created.
>
Hmmm. Normally, "just run logprof" is the way to get permissions
corrected so that AA will allow the rejected action. Logprof should see
the REJECT message and suggest amending permissions to allow what was
just blocked. But is logprof smart enough to figure this one out? Can it
discover that the problem is in the permissions mismatch between the
source rule and the destination rule?
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
Hacking is exploiting the gap between "intent" and "implementation"
More information about the Apparmor-general
mailing list