apparmor: allow reading /etc/ssl/openssl.cnf (!19) · Merge requests · Debian Squid Maintainers / squid

Closed Simon Deziel requested to merge sdeziel-guest/squid:apparmor-openssl into master Apr 04, 2022

On start squid would trigger this (in a LXD container):

audit: type=1400 audit(1649103043.583:223): apparmor="DENIED" operation="open" \
       namespace="root//lxd-squid_<var-snap-lxd-common-lxd>" \
       profile="/usr/sbin/squid" name="/etc/ssl/openssl.cnf" pid=1004228 \
       comm="squid" requested_mask="r" denied_mask="r" fsuid=1589824 ouid=1589824

Instead of allowing just the openssl.cnf file, use the proper abstraction.

Signed-off-by: Simon Deziel simon@sdeziel.info