[apparmor] [Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype

Ivan Frederiks 933440 at bugs.launchpad.net
Tue May 8 13:04:55 UTC 2012 

No :)
I started testing skype profile on Precise and it's not perfect yet.

First of all we need to add following line:
owner /run/shm/pulse-shm* m,

Then there are some problems with fontconfig:
May  8 15:01:52 ithink kernel: [10344.456841] type=1400 audit(1336482112.881:285): apparmor="STATUS" operation="profile_replace" name="/usr/bin/skype" pid=14167 comm="apparmor_parser"
May  8 15:02:19 ithink kernel: [10371.245558] type=1400 audit(1336482139.669:286): apparmor="DENIED" operation="chmod" parent=14378 profile="/usr/bin/skype" name="/var/cache/fontconfig/" pid=14483 comm="skype" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
May  8 15:02:19 ithink kernel: [10371.245615] type=1400 audit(1336482139.669:287): apparmor="DENIED" operation="mknod" parent=14378 profile="/usr/bin/skype" name="/home/ifred/.fontconfig/3830d5c3ddfd5cd38a049b759396e72e-le32d4.cache-3.TMP-L2czW8" pid=14483 comm="skype" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
May  8 15:02:19 ithink kernel: [10371.245733] type=1400 audit(1336482139.669:288): apparmor="DENIED" operation="chmod" parent=14378 profile="/usr/bin/skype" name="/var/cache/fontconfig/" pid=14483 comm="skype" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
May  8 15:02:19 ithink kernel: [10371.245761] type=1400 audit(1336482139.669:289): apparmor="DENIED" operation="mknod" parent=14378 profile="/usr/bin/skype" name="/home/ifred/.fontconfig/4c599c202bc5c08e2d34565a40eac3b2-le32d4.cache-3.TMP-RndeFm" pid=14483 comm="skype" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
May  8 15:02:19 ithink kernel: [10371.245898] type=1400 audit(1336482139.669:290): apparmor="DENIED" operation="chmod" parent=14378 profile="/usr/bin/skype" name="/var/cache/fontconfig/" pid=14483 comm="skype" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
May  8 15:02:19 ithink kernel: [10371.245926] type=1400 audit(1336482139.669:291): apparmor="DENIED" operation="mknod" parent=14378 profile="/usr/bin/skype" name="/home/ifred/.fontconfig/c855463f699352c367813e37f3f70ea7-le32d4.cache-3.TMP-4xjUnA" pid=14483 comm="skype" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
May  8 15:02:19 ithink kernel: [10371.246046] type=1400 audit(1336482139.669:292): apparmor="DENIED" operation="chmod" parent=14378 profile="/usr/bin/skype" name="/var/cache/fontconfig/" pid=14483 comm="skype" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
May  8 15:02:19 ithink kernel: [10371.246074] type=1400 audit(1336482139.669:293): apparmor="DENIED" operation="mknod" parent=14378 profile="/usr/bin/skype" name="/home/ifred/.fontconfig/57e423e26b20ab21d0f2f29c145174c3-le32d4.cache-3.TMP-8muB6N" pid=14483 comm="skype" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
May  8 15:02:19 ithink kernel: [10371.246186] type=1400 audit(1336482139.669:294): apparmor="DENIED" operation="chmod" parent=14378 profile="/usr/bin/skype" name="/var/cache/fontconfig/" pid=14483 comm="skype" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
May  8 15:02:25 ithink kernel: [10376.885225] audit_printk_skb: 216 callbacks suppressed
May  8 15:02:25 ithink kernel: [10376.885230] type=1400 audit(1336482145.309:367): apparmor="DENIED" operation="open" parent=14378 profile="/usr/bin/skype" name="/home/ifred/.mozilla/" pid=14501 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
May  8 15:02:26 ithink kernel: [10377.625972] type=1400 audit(1336482146.049:368): apparmor="DENIED" operation="open" parent=14378 profile="/usr/bin/skype" name="/lib/" pid=14483 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May  8 15:02:26 ithink kernel: [10377.626032] type=1400 audit(1336482146.049:369): apparmor="DENIED" operation="open" parent=14378 profile="/usr/bin/skype" name="/usr/lib/" pid=14483 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May  8 15:02:26 ithink kernel: [10377.626070] type=1400 audit(1336482146.049:370): apparmor="DENIED" operation="open" parent=14378 profile="/usr/bin/skype" name="/usr/local/lib/" pid=14483 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Any suggestions?

** Tags added: natty

-- 
You received this bug notification because you are a member of AppArmor
Developers, which is the registrant for AppArmor Profiles.
https://bugs.launchpad.net/bugs/933440

Title:
  AppArmor profile (in enforce mode) breaks skype

Status in AppArmor Profiles:
  Confirmed
Status in “apparmor” package in Ubuntu:
  Confirmed

Bug description:
  When usr.bin.skype profile from apparmor-profiles package is enabled
  skype is unable to start.

  I use Ubuntu 11.04 i386

  apt-cache policy apparmor-profiles
  apparmor-profiles:
    Installed: 2.6.1-0ubuntu3
    Candidate: 2.6.1-0ubuntu3
    Version table:
   *** 2.6.1-0ubuntu3 0
          500 http://de.archive.ubuntu.com/ubuntu/ natty/universe i386 Packages
          100 /var/lib/dpkg/status

  apt-cache policy skype
  skype:
    Installed: 2.2.0.35-0natty1
    Candidate: 2.2.0.35-0natty1
    Version table:
   *** 2.2.0.35-0natty1 0
          500 http://archive.canonical.com/ubuntu/ natty/partner i386 Packages
          100 /var/lib/dpkg/status

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor-profiles/+bug/933440/+subscriptions

More information about the AppArmor mailing list