Bug 911146

Summary: sec-policy/apparmor-profiles-3.1.4: zgrep profile causes permission denied in zgrep with app-alternatives/gzip
Product: Gentoo Linux
Reporter: Jonas Rakebrandt <xarblu>
Component: Current packages
Assignee: The Gentoo Linux Hardened Team <hardened>
Status: UNCONFIRMED ---
Severity: normal
CC: base-system, hardened, mgorny
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Jonas Rakebrandt 2023-07-24 16:28:49 UTC
Executing zgrep gives a "permission denied" error when running with apparmor enabled.
Logs show that apparmor denies execution of /usr/bin/pigz or /usr/bin/gzip-reference (depending on USE choice in app-alternatives/gzip) because the allowed /usr/bin/gzip is just a symlink to the alternatives.

Reproducible: Always

Steps to Reproduce:
1. Have an apparmor-enabled system
2. Try to use zgrep (e.g. zgrep HZ /proc/config.gz)

Actual Results:
zgrep fails with "permission denied"

Expected Results:  
zgrep returns the results

Comment 1 Thomas Schneider 2023-09-06 14:31:04 UTC
Workaround:

# cat /etc/apparmor.d/local/zgrep
# Site-specific additions and overrides for 'zgrep'
/bin/gzip-reference Cx -> helper,
/bin/grep Cx -> helper,

Depending on /usr merge or app-alternatives/gzip choice, adjust the paths as needed and reload the profile afterwards.
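
Added example, not part of the bug report or of either comment: a shell helper that follows the gzip and grep symlinks to the binaries AppArmor actually mediates and prints matching rules for /etc/apparmor.d/local/zgrep. The function names are hypothetical, the rule form is copied from the workaround in comment 1, and GNU `readlink -f` is assumed.

```shell
#!/bin/sh
# Added example: build local/zgrep rules from the real paths behind symlinks.
# Function names are hypothetical; the "Cx -> helper," rule form is the one
# used in the workaround in comment 1.

# resolve_target PATH
# Print the canonical path of PATH after following every symlink.
# Fails if the result is not an executable regular file, or if it contains
# characters that would need quoting or act as globs in an AppArmor rule.
resolve_target() {
    target=$(readlink -f -- "$1") || return 1
    [ -f "$target" ] && [ -x "$target" ] || return 1
    case "$target" in
        *[!A-Za-z0-9/._+-]*) return 1 ;;
    esac
    printf '%s\n' "$target"
}

# zgrep_local_rules PATH...
# Print the file header, then one rule per distinct resolved target.
# Every rule ends in the comma that AppArmor's rule syntax requires.
# Paths that do not resolve are reported on stderr and skipped.
zgrep_local_rules() {
    printf "# Site-specific additions and overrides for 'zgrep'\n"
    for p in "$@"; do
        t=$(resolve_target "$p") || { echo "skip: $p" >&2; continue; }
        printf '%s Cx -> helper,\n' "$t"
    done | sort -u
}

# Typical use (review the output before installing it):
#   zgrep_local_rules /usr/bin/gzip /usr/bin/grep
```

After writing the reviewed output to /etc/apparmor.d/local/zgrep, reload with `apparmor_parser -r /etc/apparmor.d/zgrep`; that profile path is an assumption based on the location of the local file shown above.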