libreoffice-common: Lot of apparmor denials generated regarding thunderbird and document signature
Package: libreoffice-common
Version: 4:25.2.3-2
Severity: normal
Hello,
When opening a document, every time, I get a lot of apparmor denials
regarding thunderbird (thunderbird is installed and used on my system).
Looking at these it seems that libreoffice is trying to access the
keyring from thunderbird and it's not allowed to:
type=AVC msg=audit(1747643487.166:759): apparmor="ALLOWED" operation="open" class="file" profile="libreoffice-soffice" name="/home/bigon/.thunderbird/profiles.ini" pid=25288 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="bigon" OUID="bigon"
type=AVC msg=audit(1747643487.170:760): apparmor="ALLOWED" operation="open" class="file" profile="libreoffice-soffice" name="/home/bigon/.thunderbird/ejrhibou.default/cert9.db" pid=25288 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000FSUID="bigon" OUID="bigon"
type=AVC msg=audit(1747643487.170:761): apparmor="ALLOWED" operation="file_lock" class="file" profile="libreoffice-soffice" name="/home/bigon/.thunderbird/ejrhibou.default/cert9.db" pid=25288 comm="soffice.bin" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000FSUID="bigon" OUID="bigon"
type=AVC msg=audit(1747643487.170:762): apparmor="ALLOWED" operation="open" class="file" profile="libreoffice-soffice" name="/home/bigon/.thunderbird/ejrhibou.default/key4.db" pid=25288 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000FSUID="bigon" OUID="bigon"
type=AVC msg=audit(1747643487.170:763): apparmor="ALLOWED" operation="file_lock" class="file" profile="libreoffice-soffice" name="/home/bigon/.thunderbird/ejrhibou.default/key4.db" pid=25288 comm="soffice.bin" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000FSUID="bigon" OUID="bigon"
So either that should be disabled or libreoffice should be allowed to
access the home of thunderbird in read-only (I see that libreoffice is
already allowed to open some files from firefox)
On my machine with thunderbird 1:138.0-1 from experimental, adding the
following seems to solve the denials:
@{HOME}/.thunderbird/profiles.ini r,
@{HOME}/.thunderbird/*/key4.db wrk,
@{HOME}/.thunderbird/*/cert9.db wrk,
Note that, if I go to the document signature dialog (File>Digital
signature) I get other denials regarding gpg for example, so all of
this should be reviewed I guess.
Kind regards,
Laurent Bigonville
-- System Information:
Debian Release: 13.0
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.14-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), LANGUAGE=fr_BE:fr
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libreoffice depends on:
pn libreoffice-base <none>
ii libreoffice-calc 4:25.2.3-2
ii libreoffice-core 4:25.2.3-2
ii libreoffice-draw 4:25.2.3-2
ii libreoffice-impress 4:25.2.3-2
ii libreoffice-math 4:25.2.3-2
pn libreoffice-report-builder-bin <none>
ii libreoffice-writer 4:25.2.3-2
ii python3-uno 4:25.2.3-2
Versions of packages libreoffice recommends:
ii fonts-crosextra-caladea 20200211-2
ii fonts-crosextra-carlito 20230309-2
ii fonts-dejavu 2.37-8
ii fonts-liberation 1:2.1.5-3
pn fonts-liberation-sans-narrow <none>
ii fonts-linuxlibertine 5.3.0-6
ii fonts-noto-core 20201225-2
pn fonts-noto-extra <none>
ii fonts-noto-mono 20201225-2
pn fonts-noto-ui-core <none>
ii fonts-sil-gentium-basic 1.102-1.1
pn libreoffice-java-common <none>
pn libreoffice-nlpsolver <none>
pn libreoffice-report-builder <none>
pn libreoffice-script-provider-bsh <none>
pn libreoffice-script-provider-js <none>
pn libreoffice-script-provider-python <none>
pn libreoffice-sdbc-mysql <none>
pn libreoffice-sdbc-postgresql <none>
pn libreoffice-wiki-publisher <none>
Versions of packages libreoffice suggests:
pn cups-bsd <none>
pn default-jre | java-runtime | java8-runtime | jre <none>
ii firefox 138.0.3~build1
ii ghostscript 10.05.1~dfsg-1
ii gnupg 2.4.7-19
pn gpa <none>
ii gstreamer1.0-libav 1.26.1-1
ii gstreamer1.0-plugins-bad 1.26.1-1
ii gstreamer1.0-plugins-base 1.26.1-1
ii gstreamer1.0-plugins-good 1.26.1-1
ii gstreamer1.0-plugins-ugly 1.26.1-1
ii hunspell-en-us [hunspell-dictionary] 1:2020.12.07-4
ii hunspell-fr-classical [hunspell-dictionary] 1:7.0-3
ii hyphen-en-us [hyphen-hyphenation-patterns] 2.8.8-7
pn imagemagick | graphicsmagick-imagemagick-compat <none>
ii libgl1 1.7.0-1+b2
pn libofficebean-java <none>
ii libreoffice-gnome 4:25.2.3-2
pn libreoffice-grammarcheck <none>
ii libreoffice-help-en-us [libreoffice-help] 4:25.2.3-2
ii libreoffice-help-fr [libreoffice-help] 4:25.2.3-2
ii libreoffice-l10n-fr [libreoffice-l10n] 4:25.2.3-2
pn libreoffice-librelogo <none>
ii libsane1 1.3.1-4
ii libxrender1 1:0.9.12-1
pn myspell-dictionary <none>
ii mythes-en-us [mythes-thesaurus] 1:25.2.3-1
ii mythes-fr [mythes-thesaurus] 1:25.2.3-1
pn openclipart-libreoffice <none>
pn pstoedit <none>
ii thunderbird 1:138.0-1
pn unixodbc <none>
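
Added example (not part of the original report or of the libreoffice package): a Python script that turns AVC records like the ones quoted above into candidate AppArmor file rules and reports whether they were logged as ALLOWED (profile in complain mode) or DENIED. The sample records, user name and profile directory are constructed, and collapsing the directory under ~/.thunderbird to * is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample records in the format quoted in the report
# (user "user" and profile directory "abcd1234.default" are placeholders).
_PRE = 'type=AVC msg=audit(1700000000.100:{n}): apparmor="ALLOWED" operation="{op}" class="file" profile="libreoffice-soffice" name="/home/user/.thunderbird/{p}" pid=100 comm="soffice.bin" requested_mask="{m}" denied_mask="{m}" fsuid=1000 ouid=1000'
SAMPLE = "\n".join(
    _PRE.format(n=n, op=op, p=p, m=m)
    for n, (op, p, m) in enumerate([
        ("open", "profiles.ini", "r"),
        ("open", "abcd1234.default/cert9.db", "wrc"),
        ("file_lock", "abcd1234.default/cert9.db", "k"),
        ("open", "abcd1234.default/key4.db", "wrc"),
        ("file_lock", "abcd1234.default/key4.db", "k"),
    ], start=1)
)

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Masks that only appear in logs: create (c) and delete (d) are covered by "w" in a rule.
LOG_TO_RULE = {"c": "w", "d": "w"}
ORDER = "rwaklmx"  # stable output order for permission letters


def parse_avc(line):
    """Return the key=value fields of one AppArmor audit record, or None."""
    if "apparmor=" not in line:
        return None
    return {k: (q if q else bare) for k, q, bare in FIELD.findall(line)}


def generalize(path):
    """Rewrite a concrete path with @{HOME} and a wildcard profile directory (assumption)."""
    path = re.sub(r"^/home/[^/]+/", "@{HOME}/", path)
    return re.sub(r"^(@\{HOME\}/\.thunderbird/)[^/]+/", r"\1*/", path)


def suggest_rules(log_text, profile="libreoffice-soffice"):
    """Merge masks per path; return (rule lines, set of ALLOWED/DENIED modes seen)."""
    masks, modes = defaultdict(set), set()
    for line in log_text.splitlines():
        f = parse_avc(line)
        if not f or f.get("profile") != profile or "name" not in f:
            continue
        modes.add(f["apparmor"])
        for ch in f.get("denied_mask", ""):
            masks[generalize(f["name"])].add(LOG_TO_RULE.get(ch, ch))
    rules = [f"{p} {''.join(c for c in ORDER if c in m)}," for p, m in sorted(masks.items())]
    return rules, modes
```

Each suggested rule still has to be reviewed before it goes into a profile: the script reports what was requested, not what the application should be granted.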