AppArmor: Allow troff to write to /tmp/groff*

Closes: #949320
author: Colin Watson <cjwatson@debian.org> 2020-07-04 22:29:25 +0100
committer: Colin Watson <cjwatson@debian.org> 2020-07-04 22:29:25 +0100
commit: ca54786ede7313603515fc7c185c19ab4fdf0738 (patch)
tree: f1ff8b58c3cba04be07c006eb2c4b9f8c10d2813
parent: 38e2b5f7dfb86488a834f04b720380802f620a0a (diff)
2 files changed, 6 insertions, 2 deletions
diff --git a/debian/apparmor/usr.bin.man b/debian/apparmor/usr.bin.man
index 81ba10f4..b6cd0be6 100644
--- a/debian/apparmor/usr.bin.man
+++ b/debian/apparmor/usr.bin.man
@@ -76,6 +76,8 @@ profile man_groff {
   /usr/lib/groff/site-tmac/** r,
   /usr/share/groff/** r,
 
+  /tmp/groff* rw,
+
   signal peer=/usr/bin/man,
   # @{profile_name} doesn't seem to work here.
   signal peer=/usr/bin/man//&man_groff,
diff --git a/debian/changelog b/debian/changelog
index c94461f4..20e5c716 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,7 +1,9 @@
 man-db (2.9.3-2) UNRELEASED; urgency=medium
 
-  * AppArmor: Silently deny dac_override and dac_read_search capabilities
-    (closes: #962006).
+  * AppArmor:
+    - Silently deny dac_override and dac_read_search capabilities (closes:
+      #962006).
+    - Allow troff to write to /tmp/groff* (closes: #949320).
 
  -- Colin Watson <cjwatson@debian.org>  Sat, 04 Jul 2020 22:12:44 +0100
author	Colin Watson <cjwatson@debian.org>	2020-07-04 22:29:25 +0100
committer	Colin Watson <cjwatson@debian.org>	2020-07-04 22:29:25 +0100
commit	ca54786ede7313603515fc7c185c19ab4fdf0738 (patch)
tree	f1ff8b58c3cba04be07c006eb2c4b9f8c10d2813
parent	38e2b5f7dfb86488a834f04b720380802f620a0a (diff)