Ubuntu
lightdm package

  1. Bug #877736
  2. Comment #3

Comment 3 for bug 877736

Revision history for this message
Martin Pitt (pitti) wrote :

In particular, I see:

[ 1212.557101] type=1400 audit(1319105597.357:25): apparmor="DENIED" operation="capable" parent=12004 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" pid=12005 comm="fusermount" capability=1 capname="dac_override"
[ 1212.557110] type=1400 audit(1319105597.357:26): apparmor="DENIED" operation="capable" parent=12004 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" pid=12005 comm="fusermount" capability=2 capname="dac_read_search"

That's something that we really don't want to grant, and we should just hide the message.

[ 1212.589250] type=1400 audit(1319105597.389:27): apparmor="DENIED" operation="open" parent=11955 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/proc/12009/status" pid=12009 comm="gnome-keyring-d" requested_mask="r" denied_mask="r" fsuid=118 ouid=0

(for a few more PIDs, too). None of these PIDs exist any more after starting the session; the profile allows the guest session to look into /proc directories for processes which are owned by guest, nothing else. So these processes should belong to some other owners. However, I notice that e. g. seahorse complains about not being able to connect to the keyring, so apparently something needs fixing here.

[ 1213.832400] type=1400 audit(1319105598.637:32): apparmor="DENIED" operation="open" parent=12039 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/proc/2/stat" pid=12073 comm="killall" requested_mask="r" denied_mask="r" fsuid=118 ouid=0

This error message seems harmless.

[ 1228.269177] type=1400 audit(1319105613.097:210): apparmor="DENIED" operation="open" parent=12218 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/lib64/" pid=12219 comm="whereis" requested_mask="r" denied_mask="r" fsuid=118 ouid=0

We can allow reading/mapping /lib64, I'll add that.

[ 1243.784831] type=1400 audit(1319105628.641:211): apparmor="DENIED" operation="mknod" parent=11955 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/usr/share/system-config-printer/debug.pyc" pid=12365 comm="applet.py" requested_mask="c" denied_mask="c" fsuid=118 ouid=118

mknod sounds like a no-no. s-c-p should have no business doing this. I'll hide the AA error.