[pkg-apparmor] PostgreSQL AppArmor profiles

Sedat Dilek sedat.dilek at gmail.com
Thu Sep 3 16:15:54 BST 2020


Hi,

I switched over the database-backend of Akonadi-Server in KDE/Plasma
from MySQL to PostgreSQL.

In my dmesg logs I see:

[ DMESG ]

root# LC_ALL=C dmesg -T | egrep apparmor | grep akonadi
[Thu Sep  3 15:27:34 2020] audit: type=1400 audit(1599139654.969:28):
apparmor="DENIED" operation="file_mmap" info="Failed name lookup -
disconnected path" error=-13 profile="postgresql_akonadi" name=""
pid=2126 comm="postgres" requested_mask="wr" denied_mask="wr"
fsuid=1000 ouid=1000

I followed the Debian AppArmor wiki to get a first impression of how
AppArmor works.

There exists a "postgresql_akonadi" AA-profile, but I cannot classify
what the above information from dmesg tells me.

Just for the sake of completeness:
I have created a "dileks" PostgreSQL database-user with
role/permissions "createdb" and within my user-account a new database
via "createdb akonadi-dileks".

Can you give a hand?

Thanks.

Regards,
- Sedat -

P.S.: Some AppArmor checks

[ SYSFS ]

root# cat /sys/module/apparmor/parameters/enabled
Y

[ AA-STATUS ]

root# aa-status
apparmor module is loaded.
25 profiles are loaded.
23 profiles are in enforce mode.
   /usr/bin/akonadiserver
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince//sanitized_helper
   /usr/bin/man
   /usr/lib/cups/backend/cups-pdf
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /usr/sbin/haveged
   libreoffice-senddoc
   libreoffice-soffice//gpg
   libreoffice-xpdfimport
   lsb_release
   man_filter
   man_groff
   mysqld_akonadi
   nvidia_modprobe
   nvidia_modprobe//kmod
   postgresql_akonadi
   tcpdump
2 profiles are in complain mode.
   libreoffice-oopslash
   libreoffice-soffice
17 processes have profiles defined.
17 processes are in enforce mode.
   /usr/bin/akonadiserver (2120)
   /usr/sbin/cups-browsed (846)
   /usr/sbin/cupsd (739)
   /usr/lib/cups/notifier/dbus (1205) /usr/sbin/cupsd
   /usr/lib/cups/notifier/dbus (1206) /usr/sbin/cupsd
   /usr/sbin/haveged (733)
   /usr/lib/postgresql/12/bin/postgres (2126) postgresql_akonadi
   /usr/lib/postgresql/12/bin/postgres (2130) postgresql_akonadi
   /usr/lib/postgresql/12/bin/postgres (2131) postgresql_akonadi
   /usr/lib/postgresql/12/bin/postgres (2132) postgresql_akonadi
   /usr/lib/postgresql/12/bin/postgres (2133) postgresql_akonadi
   /usr/lib/postgresql/12/bin/postgres (2134) postgresql_akonadi
   /usr/lib/postgresql/12/bin/postgres (2135) postgresql_akonadi
   /usr/lib/postgresql/12/bin/postgres (2138) postgresql_akonadi
   /usr/lib/postgresql/12/bin/postgres (2148) postgresql_akonadi
   /usr/lib/postgresql/12/bin/postgres (2152) postgresql_akonadi
   /usr/lib/postgresql/12/bin/postgres (2188) postgresql_akonadi
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

[ PS ]

root# ps auxZ | grep -v '^unconfined'
LABEL                           USER         PID %CPU %MEM    VSZ
RSS TTY      STAT START   TIME COMMAND
/usr/sbin/haveged (enforce)     root         733  0.0  0.0   8120
7540 ?        Ss   15:26   0:00 /usr/sbin/haveged --Foreground
--verbose=1 -w 1024
/usr/sbin/cupsd (enforce)       root         739  0.0  0.1  26436
8904 ?        Ss   15:26   0:00 /usr/sbin/cupsd -l
/usr/sbin/cups-browsed (enforce) root        846  0.0  0.1 176880
11772 ?        Ssl  15:26   0:00 /usr/sbin/cups-browsed
/usr/sbin/cupsd (enforce)       lp          1205  0.0  0.0  16204
6604 ?        S    15:26   0:00 /usr/lib/cups/notifier/dbus dbus://
/usr/sbin/cupsd (enforce)       lp          1206  0.0  0.0  16204
6592 ?        S    15:26   0:00 /usr/lib/cups/notifier/dbus dbus://
/usr/bin/akonadiserver (enforce) dileks     2120  0.0  0.5 2243708
47112 ?       Sl   15:27   0:00 /usr/bin/akonadiserver
postgresql_akonadi (enforce)    dileks      2126  0.0  0.3 213336
27256 ?        Ss   15:27   0:00 /usr/lib/postgresql/12/bin/postgres
-D /home/dileks/.local/share/akonadi/db_data
-k/tmp/akonadi-dileks.hash -h
postgresql_akonadi (enforce)    dileks      2130  0.0  0.0 213460
7688 ?        Ss   15:27   0:00 postgres: checkpointer
postgresql_akonadi (enforce)    dileks      2131  0.0  0.0 213336
5812 ?        Ss   15:27   0:00 postgres: background writer
postgresql_akonadi (enforce)    dileks      2132  0.0  0.1 213336
10000 ?        Ss   15:27   0:00 postgres: walwriter
postgresql_akonadi (enforce)    dileks      2133  0.0  0.1 213872
8548 ?        Ss   15:27   0:00 postgres: autovacuum launcher
postgresql_akonadi (enforce)    dileks      2134  0.0  0.0  67848
4916 ?        Ss   15:27   0:00 postgres: stats collector
postgresql_akonadi (enforce)    dileks      2135  0.0  0.0 213764
6792 ?        Ss   15:27   0:00 postgres: logical replication launcher
postgresql_akonadi (enforce)    dileks      2138  0.0  0.2 220196
23132 ?        Ss   15:27   0:00 postgres: dileks akonadi [local] idle
postgresql_akonadi (enforce)    dileks      2148  0.0  0.2 215292
16432 ?        Ss   15:27   0:00 postgres: dileks akonadi [local] idle
postgresql_akonadi (enforce)    dileks      2152  0.0  0.1 214408
14192 ?        Ss   15:27   0:00 postgres: dileks akonadi [local] idle
postgresql_akonadi (enforce)    dileks      2188  0.0  0.1 214268
14232 ?        Ss   15:27   0:00 postgres: dileks akonadi [local] idle

[ AA-PROFILES ]

Link: https://packages.debian.org/apparmor-profiles
Link: https://packages.debian.org/apparmor-profiles-extra

root# dpkg -l | grep apparmor | awk '/^ii/ {print $1 " " $2 " " $3}' | column -t
ii  apparmor            2.13.4-3
ii  libapparmor1:amd64  2.13.4-3

root# LC_ALL=C ll /usr/share/apparmor/
ls: cannot access '/usr/share/apparmor/': No such file or directory
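
An added example, not part of the original message: a small parser for the AppArmor audit record shown in the [ DMESG ] output above. It decodes the timestamp, errno and permission mask and flags the "disconnected path" case. The function name `parse_denial` and the `MASK` table are chosen for this illustration.

```python
import errno
import re
from datetime import datetime, timezone

# Record copied from the dmesg output in the message, still wrapped the way
# the mail client wrapped it.
SAMPLE = """\
[Thu Sep  3 15:27:34 2020] audit: type=1400 audit(1599139654.969:28):
apparmor="DENIED" operation="file_mmap" info="Failed name lookup -
disconnected path" error=-13 profile="postgresql_akonadi" name=""
pid=2126 comm="postgres" requested_mask="wr" denied_mask="wr"
fsuid=1000 ouid=1000
"""

# Permission letters AppArmor uses in requested_mask / denied_mask.
MASK = {"r": "read", "w": "write", "a": "append", "x": "execute",
        "m": "mmap-exec", "k": "lock", "l": "link", "c": "create",
        "d": "delete"}

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
STAMP = re.compile(r'audit\((\d+)\.\d+:(\d+)\)')


def parse_denial(text):
    """Parse one AppArmor audit record (possibly line-wrapped) into a dict."""
    record = " ".join(text.split())  # undo mail/terminal line wrapping
    f = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
         for m in FIELD.finditer(record)}
    if "apparmor" not in f:
        raise ValueError("not an AppArmor audit record")
    stamp = STAMP.search(record)
    when = (datetime.fromtimestamp(int(stamp.group(1)), tz=timezone.utc)
            if stamp else None)
    return {
        "verdict": f["apparmor"],
        "when_utc": when.isoformat() if when else None,
        "serial": int(stamp.group(2)) if stamp else None,
        "profile": f.get("profile"),
        "operation": f.get("operation"),
        "process": (f.get("comm"), int(f["pid"])) if "pid" in f else None,
        "errno": errno.errorcode.get(abs(int(f.get("error", 0)))),
        "denied": [MASK.get(c, c) for c in f.get("denied_mask", "")],
        # Empty name plus this info string: the kernel could not build a
        # pathname for the mapped object.
        "no_pathname": f.get("name") == "",
        "disconnected": "disconnected path" in f.get("info", ""),
    }


if __name__ == "__main__":
    for key, value in parse_denial(SAMPLE).items():
        print(f"{key:13} {value}")
```
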


