[pkg-apparmor] PostgreSQL AppArmor profiles
Sedat Dilek
sedat.dilek at gmail.com
Thu Sep 3 16:15:54 BST 2020
Hi,
I switched over the database-backend of Akonadi-Server in KDE/Plasma
from MySQL to PostgreSQL.
In my dmesg logs I see:
[ DMESG ]
root# LC_ALL=C dmesg -T | egrep apparmor | grep akonadi
[Thu Sep 3 15:27:34 2020] audit: type=1400 audit(1599139654.969:28):
apparmor="DENIED" operation="file_mmap" info="Failed name lookup -
disconnected path" error=-13 profile="postgresql_akonadi" name=""
pid=2126 comm="postgres" requested_mask="wr" denied_mask="wr"
fsuid=1000 ouid=1000
I followed the Debian AppArmor wiki to get a first impression of how
AppArmor works.
There exists a "postgresql_akonadi" AA-profile, but I cannot classify
what the above information from dmesg is telling me.
Just for the sake of completeness:
I have created a "dileks" PostgreSQL database-user with
role/permissions "createdb" and within my user-account a new database
via "createdb akonadi-dileks".
Can you give a hand?
Thanks.
Regards,
- Sedat -
P.S.: Some AppArmor checks
[ SYSFS ]
root# cat /sys/module/apparmor/parameters/enabled
Y
[ AA-STATUS ]
root# aa-status
apparmor module is loaded.
25 profiles are loaded.
23 profiles are in enforce mode.
/usr/bin/akonadiserver
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-previewer//sanitized_helper
/usr/bin/evince-thumbnailer
/usr/bin/evince//sanitized_helper
/usr/bin/man
/usr/lib/cups/backend/cups-pdf
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/cupsd//third_party
/usr/sbin/haveged
libreoffice-senddoc
libreoffice-soffice//gpg
libreoffice-xpdfimport
lsb_release
man_filter
man_groff
mysqld_akonadi
nvidia_modprobe
nvidia_modprobe//kmod
postgresql_akonadi
tcpdump
2 profiles are in complain mode.
libreoffice-oopslash
libreoffice-soffice
17 processes have profiles defined.
17 processes are in enforce mode.
/usr/bin/akonadiserver (2120)
/usr/sbin/cups-browsed (846)
/usr/sbin/cupsd (739)
/usr/lib/cups/notifier/dbus (1205) /usr/sbin/cupsd
/usr/lib/cups/notifier/dbus (1206) /usr/sbin/cupsd
/usr/sbin/haveged (733)
/usr/lib/postgresql/12/bin/postgres (2126) postgresql_akonadi
/usr/lib/postgresql/12/bin/postgres (2130) postgresql_akonadi
/usr/lib/postgresql/12/bin/postgres (2131) postgresql_akonadi
/usr/lib/postgresql/12/bin/postgres (2132) postgresql_akonadi
/usr/lib/postgresql/12/bin/postgres (2133) postgresql_akonadi
/usr/lib/postgresql/12/bin/postgres (2134) postgresql_akonadi
/usr/lib/postgresql/12/bin/postgres (2135) postgresql_akonadi
/usr/lib/postgresql/12/bin/postgres (2138) postgresql_akonadi
/usr/lib/postgresql/12/bin/postgres (2148) postgresql_akonadi
/usr/lib/postgresql/12/bin/postgres (2152) postgresql_akonadi
/usr/lib/postgresql/12/bin/postgres (2188) postgresql_akonadi
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
[ PS ]
root# ps auxZ | grep -v '^unconfined'
LABEL USER PID %CPU %MEM VSZ
RSS TTY STAT START TIME COMMAND
/usr/sbin/haveged (enforce) root 733 0.0 0.0 8120
7540 ? Ss 15:26 0:00 /usr/sbin/haveged --Foreground
--verbose=1 -w 1024
/usr/sbin/cupsd (enforce) root 739 0.0 0.1 26436
8904 ? Ss 15:26 0:00 /usr/sbin/cupsd -l
/usr/sbin/cups-browsed (enforce) root 846 0.0 0.1 176880
11772 ? Ssl 15:26 0:00 /usr/sbin/cups-browsed
/usr/sbin/cupsd (enforce) lp 1205 0.0 0.0 16204
6604 ? S 15:26 0:00 /usr/lib/cups/notifier/dbus dbus://
/usr/sbin/cupsd (enforce) lp 1206 0.0 0.0 16204
6592 ? S 15:26 0:00 /usr/lib/cups/notifier/dbus dbus://
/usr/bin/akonadiserver (enforce) dileks 2120 0.0 0.5 2243708
47112 ? Sl 15:27 0:00 /usr/bin/akonadiserver
postgresql_akonadi (enforce) dileks 2126 0.0 0.3 213336
27256 ? Ss 15:27 0:00 /usr/lib/postgresql/12/bin/postgres
-D /home/dileks/.local/share/akonadi/db_data
-k/tmp/akonadi-dileks.hash -h
postgresql_akonadi (enforce) dileks 2130 0.0 0.0 213460
7688 ? Ss 15:27 0:00 postgres: checkpointer
postgresql_akonadi (enforce) dileks 2131 0.0 0.0 213336
5812 ? Ss 15:27 0:00 postgres: background writer
postgresql_akonadi (enforce) dileks 2132 0.0 0.1 213336
10000 ? Ss 15:27 0:00 postgres: walwriter
postgresql_akonadi (enforce) dileks 2133 0.0 0.1 213872
8548 ? Ss 15:27 0:00 postgres: autovacuum launcher
postgresql_akonadi (enforce) dileks 2134 0.0 0.0 67848
4916 ? Ss 15:27 0:00 postgres: stats collector
postgresql_akonadi (enforce) dileks 2135 0.0 0.0 213764
6792 ? Ss 15:27 0:00 postgres: logical replication launcher
postgresql_akonadi (enforce) dileks 2138 0.0 0.2 220196
23132 ? Ss 15:27 0:00 postgres: dileks akonadi [local] idle
postgresql_akonadi (enforce) dileks 2148 0.0 0.2 215292
16432 ? Ss 15:27 0:00 postgres: dileks akonadi [local] idle
postgresql_akonadi (enforce) dileks 2152 0.0 0.1 214408
14192 ? Ss 15:27 0:00 postgres: dileks akonadi [local] idle
postgresql_akonadi (enforce) dileks 2188 0.0 0.1 214268
14232 ? Ss 15:27 0:00 postgres: dileks akonadi [local] idle
[ AA-PROFILES ]
Link: https://packages.debian.org/apparmor-profiles
Link: https://packages.debian.org/apparmor-profiles-extra
root# dpkg -l | grep apparmor | awk '/^ii/ {print $1 " " $2 " " $3}' | column -t
ii apparmor 2.13.4-3
ii libapparmor1:amd64 2.13.4-3
root# LC_ALL=C ll /usr/share/apparmor/
ls: cannot access '/usr/share/apparmor/': No such file or directory
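
Added example, not part of the original post: a small Python parser that splits AppArmor DENIED audit records such as the one in the dmesg output above into fields and groups them by profile, operation, mask and object name. The first sample line is the record from the post joined onto one line; the second record, its path and the third line are constructed, and the function names are this example's own.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample input: line 1 is the denial from the post joined onto one
# line; line 2 (and its path) is made up for contrast; line 3 is unrelated noise.
SAMPLE = [
    '[Thu Sep 3 15:27:34 2020] audit: type=1400 audit(1599139654.969:28): '
    'apparmor="DENIED" operation="file_mmap" info="Failed name lookup - '
    'disconnected path" error=-13 profile="postgresql_akonadi" name="" '
    'pid=2126 comm="postgres" requested_mask="wr" denied_mask="wr" '
    'fsuid=1000 ouid=1000',
    '[Thu Sep 3 15:27:35 2020] audit: type=1400 audit(1599139655.101:29): '
    'apparmor="DENIED" operation="open" profile="postgresql_akonadi" '
    'name="/constructed/example/path" pid=2126 comm="postgres" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    '[Thu Sep 3 15:27:36 2020] usb 1-1: new high-speed USB device',
]

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')     # key="quoted" or key=bare
AUDIT_ID = re.compile(r'audit\((\d+\.\d+):(\d+)\)')  # epoch seconds : serial
# AppArmor file permission letters as they appear in requested/denied masks.
PERMS = {"r": "read", "w": "write", "a": "append", "x": "execute",
         "m": "mmap-exec", "k": "lock", "l": "link", "c": "create", "d": "delete"}

def parse_denial(line):
    """Return a dict for an AppArmor DENIED record, or None for other lines."""
    stamp = AUDIT_ID.search(line)
    if 'apparmor="DENIED"' not in line or not stamp:
        return None
    rec = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
    rec["when_utc"] = datetime.fromtimestamp(float(stamp.group(1)), timezone.utc)
    rec["serial"] = int(stamp.group(2))
    rec["pid"] = int(rec.get("pid", -1))
    rec["denied"] = [PERMS.get(c, c) for c in rec.get("denied_mask", "")]
    # info="... disconnected path" marks records where the path lookup failed.
    rec["disconnected"] = "disconnected path" in rec.get("info", "")
    return rec

def summarize(lines):
    """Count denials per (profile, operation, denied_mask, object name)."""
    hits = filter(None, map(parse_denial, lines))
    return Counter((r["profile"], r["operation"], r["denied_mask"],
                    r["name"] or "<no path>") for r in hits)

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
```

To run it on a live system, pass the lines of `dmesg` output to `summarize()` instead of `SAMPLE`.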