[pkg-apparmor] tor: Does not start when the AppArmor LSM is enabled but the apparmor package is not installed
Viktor Jägersküpper
viktor_jaegerskuepper at freenet.de
Wed Nov 1 18:23:00 UTC 2017
On Wed, 01 Nov 2017 08:04:37 +0100 intrigeri at debian.org wrote:
> So I propose we do this:
>
> --- a/debian/systemd/tor at default.service
> +++ b/debian/systemd/tor at default.service
> @@ -20,7 +20,7 @@ Restart=on-failure
> LimitNOFILE=65536
>
> # Hardening
> -AppArmorProfile=system_tor
> +AppArmorProfile=-system_tor
> NoNewPrivileges=yes
> PrivateTmp=yes
> PrivateDevices=yes
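Review bot: the `-` prefix on `AppArmorProfile=-system_tor` only tells systemd to ignore the error when the profile cannot be applied, so whenever `system_tor` is not loaded (apparmor userspace absent, profile not parsed yet) tor now starts silently unconfined, and the `# Hardening` comment above no longer describes a guarantee; suggest adding a comment line such as `# "-": a missing system_tor profile is not fatal, tor then runs unconfined` right above the directive so the best-effort nature is documented in the unit itself, and mentioning in the changelog that admins who rely on confinement should verify the profile is actually loaded (the `apparmor="DENIED" operation="change_onexec" info="label not found"` kernel audit line is the only trace of the fallback).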
I confirm that with this change tor starts normally without apparmor installed.
Note that I still see in syslog (if that's relevant):
kernel: [ 22.193677] audit: type=1400 audit(1509560952.793:2): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="system_tor" pid=542 comm="(tor)"
I also tested it with "security=dac" on the kernel command line without getting the above syslog entry (of course).
Thanks,
Viktor
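As an added example (not code from the thread or from the tor packaging), a small POSIX sh check that flags the kind of syslog entry reported above: a change_onexec denial with info="label not found" means systemd could not apply the profile and the unit started unconfined. The sample log lines are constructed, and profile_loaded assumes securityfs is mounted at /sys/kernel/security so that the kernel's profile list is readable.

```shell
#!/bin/sh
# Constructed sample syslog lines (not a real capture): the first is the
# "profile not found" fallback, the other two are unrelated noise.
SAMPLE_LOG='kernel: [ 22.193677] audit: type=1400 audit(1509560952.793:2): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="system_tor" pid=542 comm="(tor)"
kernel: [ 30.000000] audit: type=1400 audit(1509560960.000:3): apparmor="DENIED" operation="open" profile="system_tor" name="/etc/shadow" pid=600 comm="tor"
kernel: [ 31.000000] systemd[1]: Started Anonymizing overlay network for TCP.'

# Read log lines on stdin and print "<profile> <comm>" for every
# change_onexec denial caused by a profile that is not loaded, i.e. every
# service that fell back to running unconfined. Ordinary policy denials
# (a loaded profile blocking an access) are deliberately not reported.
missing_profiles() {
  grep 'apparmor="DENIED"' |
  grep 'operation="change_onexec"' |
  grep 'info="label not found"' |
  sed -n 's/.*name="\([^"]*\)".*comm="\([^"]*\)".*/\1 \2/p'
}

# Return 0 when the named profile is currently loaded (enforce or complain
# mode) according to the kernel, 1 otherwise. Uses fixed-string matching so
# profile names with regex metacharacters are compared literally.
profile_loaded() {
  grep -qxF -e "$1 (enforce)" -e "$1 (complain)" \
    /sys/kernel/security/apparmor/profiles 2>/dev/null
}

# Usage: run the detector over the sample lines and tell, for each hit,
# whether the profile has been loaded since (transient race at boot) or is
# still absent (service is unconfined right now).
printf '%s\n' "$SAMPLE_LOG" | missing_profiles | while read -r prof comm; do
  if profile_loaded "$prof"; then
    echo "$prof is loaded now; the $comm denial was transient"
  else
    echo "$prof is not loaded: $comm is running unconfined"
  fi
done
```

On a live system replace the sample with `journalctl -k -o cat | missing_profiles` to scan the kernel ring buffer of the current boot.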