Executing zgrep gives a "permission denied" error when running with apparmor enabled. Logs show that apparmor denies execution of /usr/bin/pigz or /usr/bin/gzip-reference (depending on USE choice in app-alternatives/gzip) because the allowed /usr/bin/gzip is just a symlink to the alternatives.

Reproducible: Always

Steps to Reproduce:
1. Have an apparmor-enabled system
2. Try to use zgrep (e.g. zgrep HZ /proc/config.gz)

Actual Results:
zgrep fails with "permission denied"

Expected Results:
zgrep returns the results

Workaround:

```
# cat /etc/apparmor.d/local/zgrep
# Site-specific additions and overrides for 'zgrep'
/bin/gzip-reference Cx -> helper,
/bin/grep Cx -> helper,
```

Depending on /usr merge or app-alternatives/gzip choice, adjust the paths as needed and reload the profile afterwards.

Confirming this issue:
- using 1.13-r1
- this is observed on a merged-usr system
- installed from binhost

Reproducible: Always

Steps to Reproduce:
1. Start with a merged-usr system
2. Install gzip from a binhost
3. Attempt to zgrep a gzip archive (/proc/config.gz in my case)

Actual Results:
```
# zgrep INOTIFY /proc/config.gz
/usr/sbin/zgrep: line 254: /usr/sbin/gzip: Permission denied
# ls -la /usr/sbin/zgrep
-rwxr-xr-x 1 root root 8204 Aug 18 18:07 /usr/sbin/zgrep
# ls -la /usr/sbin/gzip
lrwxrwxrwx 1 root root 14 Apr 16 2024 /usr/sbin/gzip -> gzip-reference
# ls -la /usr/sbin/gzip-reference
-rwxr-xr-x 1 root root 97352 Aug 18 18:07 /usr/sbin/gzip-reference
```

Expected Results:
CONFIG_INOTIFY_USER=y

Similar to Thomas's workaround:
```
/usr/bin/gzip-reference Cx -> helper,
```

The current profile already contains grep in the apparmor profile so only adding gzip-reference is required.
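
A check for the condition reported above, added here as an example and not taken from any comment or from the Gentoo zgrep profile: given the executables a profile already allows, it resolves each one and prints the `Cx -> helper,` rule (the form used in the workarounds) for any symlink target the list does not cover. The function name `suggest_local_rules` and passing the allowed paths as arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bug report or the Gentoo zgrep profile.
# AppArmor matches exec rules against the resolved path of the binary, so a
# rule naming a symlink (gzip) does not cover its target (gzip-reference, pigz).

# suggest_local_rules PATH...
#   PATH...: executables the profile already allows (assumption: collected by
#   hand from the profile). Prints one "Cx -> helper," rule for every symlink
#   target that is not itself in the list.
suggest_local_rules() {
    for allowed in "$@"; do
        # Skip helpers that are not installed on this system.
        if [ ! -e "$allowed" ]; then continue; fi
        target=$(readlink -f "$allowed") || continue
        # Path is already canonical: the existing rule matches it.
        if [ "$target" = "$allowed" ]; then continue; fi
        covered=no
        for other in "$@"; do
            if [ "$other" = "$target" ]; then covered=yes; fi
        done
        if [ "$covered" = no ]; then
            printf '%s Cx -> helper,\n' "$target"
        fi
    done
    return 0
}

# Example use (paths are the ones named in the report):
#   suggest_local_rules /usr/bin/gzip /usr/bin/grep
# Review the output, add it to /etc/apparmor.d/local/zgrep, then reload the
# profile.
```

On a merged-usr system a path such as /bin/grep also resolves to a different canonical path, so it is reported in the same way as a symlinked gzip.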