List: apparmor-dev
Subject: Re: [apparmor] Thunderbird profile / gpg2 / revocation certificate from wizard cannot be created
From: Simon Deziel <simon.deziel () gmail ! com>
Date: 2016-06-28 21:22:03
Message-ID: 5772EA7B.4010302 () gmail ! com
Hi u,

On 2016-06-27 04:57 PM, u wrote:
> Hi!
>
> Simon Déziel:
>> On 2016-04-18 04:36 PM, Seth Arnold wrote:
>> The web view doesn't make it very easy to spot but those rules apply
>> only to the _subprofile_ gpg2.
>
> I've tested the profile at revision 169 in Debian and Tails using the
> Enigmail account wizard. This wizard, supposed to make it easier for
> users to create GPG keys, imposes the creation of a revocation
> certificate. This certificate is supposed to be saved to Thunderbird's
> profile in $HOME/.thunderbird/$profile but that fails and thus the key
> creation seems not to be finalized (actually the keys are created
> correctly but the user gets an error about the revocation cert not being
> able to be created):
>
> [16449.351352] audit: type=1400 audit(1467057664.224:36):
> apparmor="DENIED" operation="mknod" profile="icedove//gpg2"
> name="/home/amnesia/.icedove/profile.default/0xA546D1BB6B894CA3_rev.asc"
> pid=6028 comm="gpg2" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

I'm surprised it's not using ~/.gnupg/. Maybe it's saving a copy in the
corresponding Thunderbird profile dir.

> (In my test profile, all "thunderbird"s are called "icedove", so that's
> not the problem here.)
>
> A solution which seems to work is to add a line to the subprofile for gpg2:
>
> # for enigmail's wizard revocation certificate creation
> owner @{HOME}/.thunderbird/*.default/*_rev.asc rw,

You can have more than 1 profile so I'd propose that:

owner @{HOME}/.thunderbird/*/0x*_rev.asc rw,

Untested as I'm too impatient to wait for the key pair generation to
complete :)

Regards,
Simon
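
Added example (not part of the original message, and not AppArmor's own matcher): a Python sketch that checks which of the two rules proposed in this thread would cover the quoted denial, and where the two globs differ. It assumes a simplified `@{HOME}` expansion to `/home/*`, handles only `*`, `**` and `?`, and renames `thunderbird` to `icedove` in the rules as the tester's profile does; the two extra paths are constructed.

```python
import re
# Denial quoted in the message, joined onto one line.
AUDIT = ('audit: type=1400 audit(1467057664.224:36): apparmor="DENIED" '
         'operation="mknod" profile="icedove//gpg2" '
         'name="/home/amnesia/.icedove/profile.default/0xA546D1BB6B894CA3_rev.asc" '
         'pid=6028 comm="gpg2" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000')
# Rules from the thread, with "thunderbird" renamed to "icedove" as in the tester's profile.
RULE_DEFAULT = "owner @{HOME}/.icedove/*.default/*_rev.asc rw,"
RULE_ANY = "owner @{HOME}/.icedove/*/0x*_rev.asc rw,"

def parse_denial(line):
    """Return the key=value fields of an AppArmor audit line as a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def glob_to_regex(glob, home="/home/*"):
    """'*' and '?' stop at '/', '**' crosses it; classes/alternation not handled."""
    glob = glob.replace("@{HOME}", home)  # assumption: simplified @{HOME} expansion
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] in "*?":
            out, i = out + ("[^/]*" if glob[i] == "*" else "[^/]"), i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile(out + r"\Z")

def rule_covers(rule, denial):
    """True if the rule's glob matches the denied path and grants the denied mask."""
    parts = rule.rstrip(", ").split()
    path, perms = parts[-2], set(parts[-1])
    if parts[0] == "owner" and denial["fsuid"] != denial["ouid"]:
        return False  # owner rules apply only when the task owns the file
    # In audit masks, c (create) and d (delete) are granted by 'w'; 'w' also covers 'a'.
    needed = {"w" if m in "cd" else m for m in denial["denied_mask"]}
    if "w" in perms:
        perms.add("a")
    return bool(glob_to_regex(path).match(denial["name"])) and needed <= perms

def check(name):
    """(covered by the *.default rule, covered by the */0x* rule) for a denied path."""
    denial = dict(parse_denial(AUDIT), name=name)
    return rule_covers(RULE_DEFAULT, denial), rule_covers(RULE_ANY, denial)

if __name__ == "__main__":
    for name in (parse_denial(AUDIT)["name"],  # path from the quoted denial
                 "/home/amnesia/.icedove/second.profile/0xA546D1BB6B894CA3_rev.asc",  # constructed
                 "/home/amnesia/.icedove/profile.default/notes_rev.asc"):  # constructed
        print(check(name), name)
```

Both rules cover the quoted denial; the `*/0x*_rev.asc` form also covers profile directories that do not end in `.default`, while restricting the file name to the `0x` key-ID prefix.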