
List:       apparmor-dev
Subject:    [apparmor] [Bug 767308] Re: Apparmor SSL abstraction does not allow read access to /usr/local/share/
From:       Steve Beattie <sbeattie () ubuntu ! com>
Date:       2012-04-07 0:18:40
Message-ID: 20120407001840.6578.51331.malone () soybean ! canonical ! com

This was fixed in trunk commit rev 1736 and released in 2.7.0.

** Changed in: apparmor
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of AppArmor
Developers, which is the registrant for AppArmor.
https://bugs.launchpad.net/bugs/767308

Title:
  Apparmor SSL abstraction does not allow read access to
  /usr/local/share/ca-certificates

Status in AppArmor Linux application security framework:
  Fix Released
Status in "apparmor" package in Ubuntu:
  Fix Released

Bug description:
  Binary package hint: apparmor

  After adding a custom CA certificate to /usr/local/share/ca-certificates and
  registering it using /usr/sbin/update-ca-certificates, daemons that have
  been apparmor-ified (such as slapd) cannot access the custom CA
  certificate.

  Below is an example using slapd on lucid:

  ubuntu@directory:~$ sudo service slapd start
  Starting OpenLDAP: slapd - failed.
  The operation failed but no output was produced. For hints on what went
  wrong please refer to the system's logfiles (e.g. /var/log/syslog) or
  try running the daemon in Debug mode like via "slapd -d 16383" (warning:
  this will create copious output).

  Below, you can find the command line options used by this script to
  run slapd. Do not forget to specify those options if you
  want to look to debugging output:
    slapd -h 'ldap:/// ldapi:///' -g openldap -u openldap -F /etc/ldap/slapd.d/
  ubuntu@directory:~$ tail -5 /var/log/syslog
  Apr 20 15:40:52 ip-10-99-66-29 slapd[8070]: @(#) $OpenLDAP: slapd 2.4.21 (Mar 30 2011 16:20:36) $#012#011buildd@allspice:/build/buildd/openldap-2.4.21/debian/build/servers/slapd
  Apr 20 15:40:52 ip-10-99-66-29 slapd[8070]: main: TLS init def ctx failed: -1
  Apr 20 15:40:52 ip-10-99-66-29 slapd[8070]: slapd stopped.
  Apr 20 15:40:52 ip-10-99-66-29 slapd[8070]: connections_destroy: nothing to destroy.
  Apr 20 15:40:52 ip-10-99-66-29 kernel: [86245.846972] type=1503 audit(1303314052.426:36):  operation="open" pid=8070 parent=8064 profile="/usr/sbin/slapd" requested_mask="::r" denied_mask="::r" fsuid=106 ouid=0 name="/usr/local/share/ca-certificates/cacert.crt"
  ubuntu@directory:~$ sudo aa-complain /usr/sbin/slapd
  Setting /usr/sbin/slapd to complain mode.
  ubuntu@directory:~$ sudo service slapd start
  Starting OpenLDAP: slapd.
  ubuntu@directory:~$ sudo ldapsearch -Y EXTERNAL -H ldapi:// -b cn=config olcTLSCACertificateFile 2>/dev/null | grep cacert
  olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
  ubuntu@directory:~$ ls -l /etc/ssl/certs/cacert.pem
  lrwxrwxrwx 1 root root 43 2011-04-19 20:42 /etc/ssl/certs/cacert.pem -> /usr/local/share/ca-certificates/cacert.crt

  In the above, slapd does not start because it cannot access the CA cert in
  /usr/local/share/ca-certificates/cacert.crt, but it will start just fine if it is in
  complain mode.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/767308/+subscriptions

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
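The denial in the report shows the point a profile author has to keep in mind: slapd was configured to open /etc/ssl/certs/cacert.pem, but the kernel audit record names the symlink target, /usr/local/share/ca-certificates/cacert.crt, so a rule covering only /etc/ssl/certs/ does not help. The following is an added example, not code from the bug report or from the AppArmor project, that triages such a record the way a defender would: it parses the old-style `type=1503` audit line quoted above, checks the denied path and access against a rule set, and reports whether the rules cover it. The rule set `EXAMPLE_RULES` is a constructed, hypothetical stand-in for an SSL abstraction that only lists /etc/ssl; the real abstraction contents and the rev 1736 fix are not on the page. The glob translation implements only the two AppArmor wildcards the example needs (`**` spans directory separators, `*` does not).

```python
import re

# Constructed sample: the kernel audit line quoted in the bug report, unwrapped.
SAMPLE_DENIAL = (
    'type=1503 audit(1303314052.426:36):  operation="open" pid=8070 parent=8064 '
    'profile="/usr/sbin/slapd" requested_mask="::r" denied_mask="::r" fsuid=106 ouid=0 '
    'name="/usr/local/share/ca-certificates/cacert.crt"'
)

# Constructed, hypothetical rule set: stands in for an SSL abstraction that only
# covers /etc/ssl. It is NOT the contents of the real abstractions/ssl_certs file.
EXAMPLE_RULES = [
    "/etc/ssl/openssl.cnf r,",
    "/etc/ssl/certs/** r,",
]

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Parse key=value pairs from an AppArmor audit record.

    Returns a dict of fields, or None when the line is not an AppArmor record.
    """
    if "operation=" not in line or "profile=" not in line:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def access_letters(mask):
    """Keep the permission letters after the last ':' (old-format masks look like '::r')."""
    return mask.rsplit(":", 1)[-1]


def glob_to_regex(rule_path):
    """Translate AppArmor path globbing to a regex: '**' may span '/', '*' may not."""
    out = ""
    i = 0
    while i < len(rule_path):
        if rule_path.startswith("**", i):
            out += ".*"
            i += 2
        elif rule_path[i] == "*":
            out += "[^/]*"
            i += 1
        else:
            out += re.escape(rule_path[i])
            i += 1
    return re.compile("^" + out + "$")


def parse_rule(rule):
    """'/etc/ssl/certs/** r,' -> (compiled path regex, {'r'})"""
    path, perms = rule.rstrip(",").split()
    return glob_to_regex(path), set(perms)


def covered(rules, path, perm):
    """True if any rule matches the (kernel-resolved) path and grants perm."""
    return any(rx.match(path) and perm in perms for rx, perms in map(parse_rule, rules))


def triage(line, rules):
    """Summarise an open() denial against a rule set; None for other records."""
    f = parse_denial(line)
    if f is None or f.get("operation") != "open":
        return None
    perm = access_letters(f["denied_mask"])
    path = f["name"]  # the resolved target path, not the symlink the daemon opened
    return {
        "profile": f["profile"],
        "path": path,
        "perm": perm,
        "covered": covered(rules, path, perm),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_DENIAL, EXAMPLE_RULES))
    # Same denial once the trusted local CA directory is listed (constructed rule):
    print(triage(SAMPLE_DENIAL, EXAMPLE_RULES + ["/usr/local/share/ca-certificates/** r,"]))
```

Run over the sample record, the first call reports `covered: False`, which is the situation in the bug; the second reports `covered: True`. The check deliberately matches on the path the kernel logged rather than on the path in the daemon's configuration, because that is the path AppArmor mediates.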

