The Wayback Machine - https://web.archive.org/web/20201027021756/https://github.com/jonls/redshift/issues/708
Apparmor profile blocks config file if XDG_CONFIG_HOME is set #708

Open
Druco opened this issue Feb 19, 2019 · 4 comments

@Druco Druco commented Feb 19, 2019

Describe the bug
With XDG_CONFIG_HOME set to something other than $HOME/.config, the supplied apparmor profile DENIES the file access to the redshift.conf file. Adding the line:
owner @{XDG_CONFIG_HOME}/redshift/redshift.conf r,
to the usr.bin.redshift file fixes this when running redshift from the command line. It does not fix it when running redshift-gtk however.

To Reproduce
Steps to reproduce the behavior:

  1. Set XDG_CONFIG_HOME to something other than ~/.config
  2. Create $XDG_CONFIG_HOME/redshift/redshift.conf
  3. Make sure apparmor is running
  4. Start redshift

Expected behavior
Parameters specified in $XDG_CONFIG_HOME/redshift/redshift.conf should be used rather than default values (or those in ~/.config/redshift/redshift.conf).

Error output/logs/screenshots
In /var/log/audit/audit.log the error is:
type=AVC msg=audit(1550535771.076:213): apparmor="DENIED" operation="open" profile="/usr/bin/redshift" name="/home/username/.config.tumbleweed/redshift/redshift.conf" pid=5793 comm="redshift" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

Software versions (please complete the following information):

  • OS: Linux
  • Redshift version: 1.12
  • Distribution: openSUSE Tumbleweed
  • Redshift installed from: using zypper and also built from source

@Druco Druco (Author) commented Feb 26, 2019

Just wanted to make a correction that adding:
owner @{XDG_CONFIG_HOME}/redshift/redshift.conf r,
to the usr.bin.redshift file does not fix the problem. I didn't notice that what actually occurred was that apparmor crashed when this line was added so it looked like it was working.

@CameronNemo CameronNemo (Contributor) commented Mar 16, 2019

This is a common pitfall of AppArmor profiles and LSM policy in general. There are standard variables in /etc/apparmor.d/tunables, but none seem to apply to this situation.


@cboltz cboltz commented Mar 17, 2019

I'd recommend to add

alias @{HOME}/.config/ -> @{HOME}/.config.tumbleweed/,

in /etc/apparmor.d/tunables/alias and to run rcapparmor reload afterwards.

@Druco Druco (Author) commented Mar 18, 2019

> I'd recommend to add
>
> alias @{HOME}/.config/ -> @{HOME}/.config.tumbleweed/,
>
> in /etc/apparmor.d/tunables/alias and to run rcapparmor reload afterwards.

Thanks, I'll give that a try. So far I have just put the files in .config rather than .config.tumbleweed and that has worked well enough. It sounds like this is really a problem with AppArmor itself needing to be updated to handle the XDG standard.
Thanks for the response and as far as I am concerned the bug can be closed.
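
An added example, not part of the thread or of redshift's own code: a small Python triage script that parses AppArmor audit records like the one in the report, picks out denials for files under $XDG_CONFIG_HOME that fall outside ~/.config, and prints the tunables/alias line suggested above. The function names and the second log line are constructed for illustration; the first log line is the one quoted in the issue.

```python
import re
from pathlib import PurePosixPath

# First record is the denial quoted in the issue; the second is constructed.
SAMPLE_LOG = '''type=AVC msg=audit(1550535771.076:213): apparmor="DENIED" operation="open" profile="/usr/bin/redshift" name="/home/username/.config.tumbleweed/redshift/redshift.conf" pid=5793 comm="redshift" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1550535772.100:214): apparmor="ALLOWED" operation="open" profile="/usr/bin/redshift" name="/etc/ld.so.cache" pid=5793 comm="redshift" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
'''

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one audit record as a dict."""
    fields = {}
    for key, raw, quoted in FIELD.findall(line):
        value = quoted if raw.startswith('"') else raw
        # The audit subsystem writes names containing spaces or quotes as
        # unquoted hex, so decode that form for the path field only.
        if key == "name" and not raw.startswith('"'):
            try:
                value = bytes.fromhex(raw).decode("utf-8", "replace")
            except ValueError:
                pass  # not hex, keep the raw token
        fields[key] = value
    return fields

def xdg_denials(log_text, home, xdg_config_home):
    """DENIED records for paths under $XDG_CONFIG_HOME but not under ~/.config."""
    default = PurePosixPath(home) / ".config"
    xdg = PurePosixPath(xdg_config_home)
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec.get("apparmor") != "DENIED" or "name" not in rec:
            continue
        # Compare path components, not string prefixes: "~/.config" is a
        # string prefix of "~/.config.tumbleweed" but not a parent of it.
        parents = PurePosixPath(rec["name"]).parents
        if xdg in parents and default not in parents:
            hits.append((rec.get("profile"), rec["name"], rec.get("denied_mask")))
    return hits

def alias_rule(home, xdg_config_home):
    """The tunables/alias line from the thread, for an XDG dir under $HOME."""
    rel = PurePosixPath(xdg_config_home).relative_to(home)  # ValueError if outside $HOME
    return f"alias @{{HOME}}/.config/ -> @{{HOME}}/{rel}/,"

if __name__ == "__main__":
    home, xdg = "/home/username", "/home/username/.config.tumbleweed"
    for profile, path, mask in xdg_denials(SAMPLE_LOG, home, xdg):
        print(f"{profile} denied '{mask}' on {path}")
    print(alias_rule(home, xdg))
```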
