716428 – kde-apps/akonadi-19.12.3: apparmor profiles stop akonadi from starting

Bug 716428 - kde-apps/akonadi-19.12.3: apparmor profiles stop akonadi from starting

Summary: kde-apps/akonadi-19.12.3: apparmor profiles stop akonadi from starting

Status:	RESOLVED UPSTREAM

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo KDE team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2020-04-06 09:23 UTC by Stefan Huber
Modified:	2020-10-27 15:02 UTC (History)
CC List:	1 user (show)

See Also:	https://bugs.kde.org/show_bug.cgi?id=386716
Package list:
Runtime testing required:	---

Attachments
A journalctl snippet showing akonadi to fail (akonadi-failed-journalctl.txt,4.51 KB, text/plain) 2020-04-06 09:24 UTC, Stefan Huber	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stefan Huber 2020-04-06 09:23:32 UTC

The current apparmor profiles installed by akonadi-19.12.3 stop akonadi from working as it is blocking essential resources, including the database backend.

Reproducible: Always

Steps to Reproduce:
Login into plasma and start an akonadi-related application, like korganizer, to observe that akonadi cannot be started.
Actual Results:  
The output of journalctl contains

AVC apparmor="DENIED" operation="mkdir" profile="/usr/bin/akonadiserver" name="/run/user/1000/akonadi/" pid=38053 comm="akonadiserver" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[...]
AVC apparmor="DENIED" operation="open" profile="mysqld_akonadi" name="/usr/share/mariadb/english/errmsg.sys" pid=38064 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

and a full list is attached.


Using current upstream profiles mysqld_akonadi, usr.bin.akonadiserver, (and postgresql_akonadi) from https://github.com/KDE/akonadi/tree/master/apparmor plus adding

  /usr/share/mariadb/** r,

to mysqld_akonadi made it start again. Further adding

  owner @{xdg_data_home}/baloo/ rw,
  owner @{xdg_data_home}/baloo/* rwlk,
  owner @{xdg_data_home}/baloo/** rwk,

to usr.bin.akonadiserver fixed some further denials for akonadi that were not necessary for akonadi to start.

Comment 1 Stefan Huber 2020-04-06 09:24:09 UTC

Created attachment 630694 [details]
A journalctl snippet showing akonadi to fail

Comment 2 Andreas Sturmlechner gentoo-dev

2020-04-06 16:36:46 UTC

baloo is not related to akonadi, am I missing anything (wrt the last bits)?

Comment 3 Stefan Huber 2020-04-06 17:01:57 UTC

(In reply to Andreas Sturmlechner from comment #2)
> baloo is not related to akonadi, am I missing anything (wrt the last bits)?

At least akonadiserver wanted to open the following file:

audit: type=1400 audit(1586177077.810:31182): apparmor="DENIED" operation="open" profile="/usr/bin/akonadiserver" name="/home/shuber/.local/share/baloo/notes/iamglass" pid=254545 comm="SearchManager-T" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

Judging by the header it could be a xapian glass database, if that makes sense.

Comment 4 Andreas Sturmlechner gentoo-dev

2020-10-26 15:41:00 UTC

Please test again with 20.08.2:

https://invent.kde.org/pim/akonadi/-/commit/3d85f3726bffe11a89f1188ecfb4b606d3375ada

Re-open if it is still reproducible.

Comment 5 Stefan Huber 2020-10-27 15:02:51 UTC

(In reply to Andreas Sturmlechner from comment #4)
> Please test again with 20.08.2:
> 
> https://invent.kde.org/pim/akonadi/-/commit/
> 3d85f3726bffe11a89f1188ecfb4b606d3375ada
> 
> Re-open if it is still reproducible.

Seems to be resolved for me.