
dbus-launch is alts-managed on Tumbleweed

Open cboltz opened this issue 9 months ago • 2 comments

On openSUSE Tumbleweed, dbus-launch is managed with alts:

ls -l /usr/bin/dbus-launch*
lrwxrwxrwx 1 root root     4 26. Okt 2022  /usr/bin/dbus-launch -> alts
-rwxr-xr-x 1 root root 22648 16. Okt 09:22 /usr/bin/dbus-launch.nox11
-rwxr-xr-x 1 root root 30840 26. Okt 2022  /usr/bin/dbus-launch.x11

This leads to problems in profiles that expect that dbus-launch is a "normal" binary, for example

type=AVC msg=audit(1741883004.661:187743): apparmor="ALLOWED" operation="file_mmap" class="file" profile="aa-notify//null-/usr/bin/alts//null-/usr/bin/dbus-launch.x11" name="/usr/lib64/ld-linux-x86-64.so.2" pid=48082 comm="dbus-launch.x11" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Please adjust the profiles that allow executing dbus-launch to also allow executing alts, dbus-launch.nox11 and dbus-launch.x11

cboltz, Mar 13 '25 16:03

Is it new? Last time I tested apparmor.d on openSUSE I did not see this.

roddhjav, Mar 13 '25 16:03

It seems to have been there for a while; the dbus-1-x11 changelog says:

* Do Sep 23 2021 Stefan Schubert
- Added BuildRequires alts for libalternatives.

(I couldn't find a similar entry for the main dbus-1 package.)

Maybe the more recent change is on the aa-notify side - it got lots of changes in 4.1.

(I wonder if using abstractions/dbus-session would be an option - but that would also need some additions for alts upstream.)

For completeness: alts needs to read a few files:

/usr/share/libalternatives/ r,
/usr/share/libalternatives/dbus-launch/ r,
/usr/share/libalternatives/dbus-launch/*.conf r,

cboltz, Mar 13 '25 17:03
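
The profile name in the audit record quoted in the issue encodes the exec chain: in complain mode AppArmor places an exec that matches no rule into a `null-` profile named after the binary, so `aa-notify//null-/usr/bin/alts//null-/usr/bin/dbus-launch.x11` means aa-notify ran alts, which ran dbus-launch.x11. The following is an added example, not code from the issue or from apparmor.d, that extracts that chain from audit lines; the function names are hypothetical.

```python
import re

# The audit record quoted in the issue, copied verbatim.
SAMPLE = (
    'type=AVC msg=audit(1741883004.661:187743): apparmor="ALLOWED" '
    'operation="file_mmap" class="file" '
    'profile="aa-notify//null-/usr/bin/alts//null-/usr/bin/dbus-launch.x11" '
    'name="/usr/lib64/ld-linux-x86-64.so.2" pid=48082 comm="dbus-launch.x11" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
)

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return the key=value fields of one AppArmor audit record as a dict."""
    return {key: bare or quoted for key, quoted, bare in FIELD.findall(line)}


def exec_chain(profile):
    """Split a profile name into (confining profile, [execs that hit no rule])."""
    base, *nulls = profile.split("//null-")
    return base, nulls


def unhandled_execs(lines):
    """Map each confining profile to the binaries it reached via null- profiles."""
    found = {}
    for line in lines:
        profile = parse_avc(line).get("profile", "")
        if "//null-" not in profile:
            continue  # record was logged inside a regular profile
        base, nulls = exec_chain(profile)
        seen = found.setdefault(base, [])
        for path in nulls:
            if path not in seen:
                seen.append(path)
    return found


if __name__ == "__main__":
    for base, paths in unhandled_execs([SAMPLE]).items():
        print(f"{base}: no exec rule for {', '.join(paths)}")
```
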