D29030: AppArmor DBus rules for AkonadiServer
Sandro Knauß
noreply at phabricator.kde.org
Sat May 2 00:42:48 BST 2020
knauss added a comment.
Okay I want to verify on my system first. I may find time to do this next week.
I'm very sorry that it takes that long, but I really want to understand why a line is needed. And I also learn AppArmor ;)
INLINE COMMENTS
> lukaskaras wrote in usr.bin.akonadiserver:44
> I don't wrote it explicitly, but this read access is not required by mysqld server, but mysql client (library?).
>
> Dmesg without this line:
>
> audit: type=1400 audit(1587620441.071:186): apparmor="DENIED" operation="open" profile="/usr/bin/akonadiserver" name="/usr/share/mysql/charsets/Index.xml" pid=23027 comm="akonadiserver" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>
> from akonadi strace:
>
> [pid 23027] execve("/usr/bin/akonadiserver", ["/usr/bin/akonadiserver"], 0x7ffda6565e98 /* 71 vars */ <unfinished ...>
> [pid 23027] <... execve resumed> ) = 0
> ...
> [pid 23027] stat("/usr/share/mysql/charsets/Index.xml", {st_mode=S_IFREG|0644, st_size=19495, ...}) = 0
> [pid 23027] openat(AT_FDCWD, "/usr/share/mysql/charsets/Index.xml", O_RDONLY) = -1 EACCES
>
> But it is true, that rule should not be here when akonadi is build with postgresql support. Should I add move it to mysqld profile?
Still seems fishy to me. Because that means that qt somehow changed their way how to connect to mysql.
> Should I add move it to mysqld profile?
we can't move this, as this is in process. it is no new binary that we can move to a different namespace.
REVISION DETAIL
https://phabricator.kde.org/D29030
To: lukaskaras
Cc: dvratil, knauss, kde-pim, fbampaloukas, dcaliste, dvasin, rodsevich, winterz, vkrause, mlaurent
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/kde-pim/attachments/20200501/72a80e8c/attachment-0001.html>
More information about the kde-pim
mailing list