[apparmor] Thunderbird profile / gpg2 / revocation certificate from wizard cannot be created

u u at 451f.org
Mon Jun 27 20:57:02 UTC 2016


Hi!

Simon Déziel:
> On 2016-04-18 04:36 PM, Seth Arnold wrote:
> The web view doesn't make it very easy to spot but those rules apply
> only to the _subprofile_ gpg2.

I've tested the profile at revision 169 in Debian and Tails using the
Enigmail account wizard. This wizard, supposed to make it easier for
users to create GPG keys, imposes the creation of a revocation
certificate. This certificate is supposed to be saved to Thunderbird's
profile in $HOME/.thunderbird/$profile but that fails and thus the key
creation seems not to be finalized (actually the keys are created
correctly but the user gets an error about the revocation cert not being
able to be created):

[16449.351352] audit: type=1400 audit(1467057664.224:36):
apparmor="DENIED" operation="mknod" profile="icedove//gpg2"
name="/home/amnesia/.icedove/profile.default/0xA546D1BB6B894CA3_rev.asc"
pid=6028 comm="gpg2" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

(In my test profile, all "thunderbird"s are called "icedove", so that's
not the problem here.)

A solution which seems to work is to add a line to the subprofile for gpg2:

  # for enigmail's wizard revocation certificate creation
  owner @{HOME}/.thunderbird/*.default/*_rev.asc rw,

Could you verify this is correct and add that line please?
(I'll propose patches once this is switched to Git, if I may :))

Thanks for working on this profile!

Cheers,
u.
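
Added example (not part of the original message and not AppArmor project code): a Python check that parses the denial quoted above and tests whether a candidate file rule would cover it, and nothing beyond it. The @{HOME} expansion, the glob subset handled, and the function names are assumptions of this example.

```python
import re

# Constructed sample: the denial from the message above, joined onto one line.
DENIAL = ('audit: type=1400 audit(1467057664.224:36): apparmor="DENIED" '
          'operation="mknod" profile="icedove//gpg2" '
          'name="/home/amnesia/.icedove/profile.default/0xA546D1BB6B894CA3_rev.asc" '
          'pid=6028 comm="gpg2" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000')

# Assumption: @{HOME} as in the stock tunables/home (/root/ left out for brevity).
VARIABLES = {"@{HOME}": "/home/*/"}

def parse_denial(line):
    """Return the key=value fields of an AppArmor audit record as a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def glob_to_regex(pattern):
    """Translate the AppArmor glob subset used here: ** crosses '/', * and ? do not."""
    for var, value in VARIABLES.items():
        pattern = pattern.replace(var, value)
    pattern = re.sub(r"/{2,}", "/", pattern)  # repeated slashes are collapsed
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(out + r"\Z")

def rule_covers(rule, denial):
    """True if an '[owner] <glob> <perms>,' file rule would allow the denied access."""
    m = re.match(r"\s*(owner\s+)?(\S+)\s+([a-zA-Z]+),\s*$", rule)
    if not m:
        return False
    owner, path_glob, perms = m.groups()
    if owner and denial["fsuid"] != denial["ouid"]:
        return False
    # 'c' (create) and 'd' (delete) in the audit mask are granted by 'w' in a rule.
    needed = {"w" if p in "cd" else p for p in denial["denied_mask"]}
    return needed <= set(perms) and bool(glob_to_regex(path_glob).match(denial["name"]))
```

Run against the logged path, the rule only matches once ".thunderbird" is replaced by ".icedove" as in the test profile, and because "*" does not cross "/" it stays limited to *_rev.asc files directly inside the profile directory.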
