[apparmor] [Bug 767308] Re: Apparmor SSL abstraction does not allow read access to /usr/local/share/ca-certificates
Steve Beattie
sbeattie at ubuntu.com
Sat Apr 7 00:18:40 UTC 2012
This was fixed in trunk commit rev 1736 and released in 2.7.0.
** Changed in: apparmor
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of AppArmor
Developers, which is the registrant for AppArmor.
https://bugs.launchpad.net/bugs/767308
Title:
Apparmor SSL abstraction does not allow read access to
/usr/local/share/ca-certificates
Status in AppArmor Linux application security framework:
Fix Released
Status in “apparmor” package in Ubuntu:
Fix Released
Bug description:
Binary package hint: apparmor
After adding a custom CA certificate to /usr/local/share/ca-certificates and
registering it using /usr/sbin/update-ca-certificates, daemons that
have been apparmor-ified (such as slapd) cannot access the custom CA
certificate.
Below is an example using slapd on lucid:
ubuntu at directory:~$ sudo service slapd start
Starting OpenLDAP: slapd - failed.
The operation failed but no output was produced. For hints on what went
wrong please refer to the system's logfiles (e.g. /var/log/syslog) or
try running the daemon in Debug mode like via "slapd -d 16383" (warning:
this will create copious output).
Below, you can find the command line options used by this script to
run slapd. Do not forget to specify those options if you
want to look to debugging output:
slapd -h 'ldap:/// ldapi:///' -g openldap -u openldap -F /etc/ldap/slapd.d/
ubuntu at directory:~$ tail -5 /var/log/syslog
Apr 20 15:40:52 ip-10-99-66-29 slapd[8070]: @(#) $OpenLDAP: slapd 2.4.21 (Mar 30 2011 16:20:36) $#012#011buildd at allspice:/build/buildd/openldap-2.4.21/debian/build/servers/slapd
Apr 20 15:40:52 ip-10-99-66-29 slapd[8070]: main: TLS init def ctx failed: -1
Apr 20 15:40:52 ip-10-99-66-29 slapd[8070]: slapd stopped.
Apr 20 15:40:52 ip-10-99-66-29 slapd[8070]: connections_destroy: nothing to destroy.
Apr 20 15:40:52 ip-10-99-66-29 kernel: [86245.846972] type=1503 audit(1303314052.426:36): operation="open" pid=8070 parent=8064 profile="/usr/sbin/slapd" requested_mask="::r" denied_mask="::r" fsuid=106 ouid=0 name="/usr/local/share/ca-certificates/cacert.crt"
ubuntu at directory:~$ sudo aa-complain /usr/sbin/slapd
Setting /usr/sbin/slapd to complain mode.
ubuntu at directory:~$ sudo service slapd start
Starting OpenLDAP: slapd.
ubuntu at directory:~$ sudo ldapsearch -Y EXTERNAL -H ldapi:// -b cn=config olcTLSCACertificateFile 2>/dev/null | grep cacert
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
ubuntu at directory:~$ ls -l /etc/ssl/certs/cacert.pem
lrwxrwxrwx 1 root root 43 2011-04-19 20:42 /etc/ssl/certs/cacert.pem -> /usr/local/share/ca-certificates/cacert.crt
In the above, slapd does not start because it cannot access the CA cert in /usr/local/share/ca-certificates/cacert.crt, but it will start just fine if it is in complain mode.
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/767308/+subscriptions
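The kernel audit line in the report shows why the abstraction needed a rule for the real directory: slapd was configured with /etc/ssl/certs/cacert.pem, but that is a symlink, and AppArmor mediates the path the kernel resolved (/usr/local/share/ca-certificates/cacert.crt). The script below is an added example, not code from the AppArmor project or from aa-logprof. It parses denial lines of the form quoted above, checks whether a candidate file rule would have covered the denied access, and suggests a rule for the uncovered ones. The first sample line is the report's own audit message; the second denial (a write under /var/tmp) is constructed for contrast. It assumes a simplified AppArmor glob syntax (only `*` and `**`, unquoted paths) and the single-line rule form `PATH PERMS,`.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample syslog excerpt. Line 2 reproduces the audit line from the
# bug report; line 3 is a made-up denial for a path outside the CA directory.
SAMPLE_SYSLOG = [
    'Apr 20 15:40:52 ip-10-99-66-29 slapd[8070]: main: TLS init def ctx failed: -1',
    'Apr 20 15:40:52 ip-10-99-66-29 kernel: [86245.846972] type=1503 '
    'audit(1303314052.426:36): operation="open" pid=8070 parent=8064 '
    'profile="/usr/sbin/slapd" requested_mask="::r" denied_mask="::r" '
    'fsuid=106 ouid=0 name="/usr/local/share/ca-certificates/cacert.crt"',
    'Apr 20 15:41:03 ip-10-99-66-29 kernel: [86256.102938] type=1503 '
    'audit(1303314063.100:37): operation="open" pid=8072 parent=8064 '
    'profile="/usr/sbin/slapd" requested_mask="::w" denied_mask="::w" '
    'fsuid=106 ouid=0 name="/var/tmp/slapd-scratch.txt"',
]

# key=value or key="value" pairs as they appear in the audit record
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


@dataclass
class Denial:
    profile: str
    operation: str
    name: str          # path as resolved by the kernel (symlink target)
    denied_mask: str   # permission letters only, e.g. "r" or "w"


def parse_denial(line: str) -> Optional[Denial]:
    """Return a Denial for an AppArmor file-access denial line, else None."""
    if 'audit(' not in line or 'denied_mask=' not in line:
        return None
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    if 'name' not in fields or 'profile' not in fields:
        return None
    # Lucid-era kernels log masks as "::r"; drop the class separators.
    mask = fields['denied_mask'].lstrip(':')
    return Denial(fields['profile'], fields.get('operation', ''), fields['name'], mask)


def glob_to_regex(rule_path: str) -> 're.Pattern[str]':
    """Translate the subset of AppArmor globbing this example supports:
    '**' matches any run of characters including '/', '*' stops at '/'."""
    out = ''
    i = 0
    while i < len(rule_path):
        if rule_path.startswith('**', i):
            out += '.*'
            i += 2
        elif rule_path[i] == '*':
            out += '[^/]*'
            i += 1
        else:
            out += re.escape(rule_path[i])
            i += 1
    return re.compile('^' + out + '$')


def rule_covers(rule: str, denial: Denial) -> bool:
    """True if a file rule such as '/etc/ssl/certs/** r,' grants the denied
    access. The match is made against the resolved path from the log, so a
    rule written for the symlink location does not cover its target."""
    path_glob, perms = rule.rstrip(',').rsplit(None, 1)
    if glob_to_regex(path_glob).match(denial.name) is None:
        return False
    return set(denial.denied_mask) <= set(perms)


def suggest_rule(denial: Denial) -> str:
    """Narrowest fix: exactly the denied file with exactly the denied perms."""
    return f'{denial.name} {denial.denied_mask},'


def suggest_dir_rule(denial: Denial) -> str:
    """Abstraction-style fix: the containing directory, recursively."""
    parent = denial.name.rsplit('/', 1)[0]
    return f'{parent}/** {denial.denied_mask},'


def triage(lines: List[str], existing_rules: List[str]) -> List[str]:
    """Suggest a directory rule for every denial no existing rule covers."""
    suggestions: List[str] = []
    for line in lines:
        d = parse_denial(line)
        if d is None or any(rule_covers(r, d) for r in existing_rules):
            continue
        suggestions.append(suggest_dir_rule(d))
    return suggestions


if __name__ == '__main__':
    # A rule for the symlink's directory does not help; the CA directory does.
    for rule in ['/etc/ssl/certs/** r,', '/usr/local/share/ca-certificates/** r,']:
        print(rule, '->', triage(SAMPLE_SYSLOG, [rule]))
```

Running it with only `/etc/ssl/certs/** r,` in the profile leaves both denials uncovered and suggests `/usr/local/share/ca-certificates/** r,` plus the constructed `/var/tmp/** w,`; adding the ca-certificates rule clears the first. The write suggestion is deliberately not taken at face value: a triage tool reports what was denied, and whether a daemon should be granted it is a separate decision.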