[apparmor] Thunderbird profile / gpg2 / revocation certificate from wizard cannot be created
u
u at 451f.org
Tue Jul 26 14:43:00 UTC 2016
Hello!
any news on this issue?
Should I propose that patch via Git instead?
Cheers!
u:
> Hi!
>
> Simon Déziel:
>> On 2016-04-18 04:36 PM, Seth Arnold wrote:
>> The web view doesn't make it very easy to spot but those rules apply
>> only to the _subprofile_ gpg2.
>
> I've tested the profile at revision 169 in Debian and Tails using the
> Enigmail account wizard. This wizard, supposed to make it easier for
> users to create GPG keys, imposes the creation of a revocation
> certificate. This certificate is supposed to be saved to Thunderbird's
> profile in $HOME/.thunderbird/$profile but that fails and thus the key
> creation seems not to be finalized (actually the keys are created
> correctly but the user gets an error about the revocation cert not being
> able to be created):
>
> [16449.351352] audit: type=1400 audit(1467057664.224:36):
> apparmor="DENIED" operation="mknod" profile="icedove//gpg2"
> name="/home/amnesia/.icedove/profile.default/0xA546D1BB6B894CA3_rev.asc"
> pid=6028 comm="gpg2" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
>
> (In my test profile, all "thunderbird"s are called "icedove", so that's
> not the problem here.)
>
> A solution which seems to work is to add a line to the subprofile for gpg2:
>
> # for enigmail's wizard revocation certificate creation
> owner @{HOME}/.thunderbird/*.default/*_rev.asc rw,
>
> Could you verify this is correct and add that line please?
> (I'll propose patches once this is switched to Git, if I may :))
>
> Thanks for working on this profile!
>
> Cheers,
> u.
>