Commit b4170739 authored by Diego Pasqualin's avatar Diego Pasqualin

le-conf: Fix permission denied for educational content for guest users

The users couldn't view educational contents due to apparmor contraints, so
we are adding a new divert file to fix that.
Signed-off-by: 's avatarDiego Pasqualin <dpasqualin@c3sl.ufpr.br>
parent 086a42da
......@@ -22,13 +22,16 @@
# Files to divert:
DIVERTS="/etc/lsb-release\
/etc/default/grub"
/etc/default/grub\
/etc/apparmor.d/lightdm-guest-session"
if [[ "$1" != "upgrade" ]]; then
for file in $DIVERTS; do
rm -f ${file}
dpkg-divert --package le-base --remove --rename \
--divert ${file}{.real,}
# It's wrong to use .lightdm (the usual is .real), but there are
# several systems already installed, so it's dangerous to change it
# now.
dpkg-divert --remove --rename --divert ${file}{.lightdm,}
done
fi
......
......@@ -22,11 +22,14 @@
# Files to divert:
DIVERTS="/etc/lsb-release\
/etc/default/grub"
/etc/default/grub\
/etc/apparmor.d/lightdm-guest-session"
# Divert files:
# FIXME: The standard is to rename to ${file}.real, not ${file}.lightdm
for file in $DIVERTS; do
# It's wrong to use .lightdm, the right would be .real, but as we have
# several systems using .lightdm already it's dangerous to change it
# now.
dpkg-divert --divert ${file}.lightdm --rename ${file}
done
......
# vim:syntax=apparmor
# Profile for restricting lightdm guest session
# Author: Martin Pitt <martin.pitt@ubuntu.com>
#include <tunables/global>
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper {
#include <abstractions/authentication>
#include <abstractions/nameservice>
#include <abstractions/wutmp>
/etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678
/ r,
/bin/ rmix,
/bin/fusermount Px,
/bin/** rmix,
/cdrom/ rmix,
/cdrom/** rmix,
/dev/ r,
/dev/** rmw, # audio devices etc.
owner /dev/shm/** rmw,
/home/ConteudoMEC** rix, # students must see educational contents
/etc/ r,
/etc/** rmk,
/etc/gdm/Xsession ix,
/lib/ r,
/lib/** rmixk,
/lib32/ r,
/lib32/** rmixk,
/lib64/ r,
/lib64/** rmixk,
owner /media/ r,
owner /media/** rmwlixk, # we want access to USB sticks and the like
/opt/ r,
/opt/** rmixk,
@{PROC}/ r,
@{PROC}/* rm,
@{PROC}/asound rm,
@{PROC}/asound/** rm,
@{PROC}/ati rm,
@{PROC}/ati/** rm,
owner @{PROC}/** rm,
# needed for gnome-keyring-daemon
@{PROC}/*/status r,
/sbin/ r,
/sbin/** rmixk,
/sys/ r,
/sys/** rm,
/tmp/ rw,
owner /tmp/** rwlkmix,
/usr/ r,
/usr/** rmixk,
/var/ r,
/var/** rmixk,
/var/guest-data/** rw, # allow to store files permanently
/var/tmp/ rw,
owner /var/tmp/** rwlkm,
/{,var/}run/ r,
# necessary for writing to sockets, etc.
/{,var/}run/** rmkix,
/{,var/}run/shm/** wl,
capability ipc_lock,
# silence warnings for stuff that we really don't want to grant
deny capability dac_override,
deny capability dac_read_search,
#deny /etc/** w, # re-enable once LP#697678 is fixed
deny /usr/** w,
deny /var/crash/ w,
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment