[pkg-apparmor] PostgreSQL AppArmor profiles
Sedat Dilek
sedat.dilek at gmail.com
Fri Sep 4 09:30:25 BST 2020
On Thu, Sep 3, 2020 at 8:44 PM Christian Boltz
<apparmor-debian at cboltz.de> wrote:
>
> Hello,
>
> Am Donnerstag, 3. September 2020, 17:15:54 CEST schrieb Sedat Dilek:
> > root# LC_ALL=C dmesg -T | egrep apparmor | grep akonadi
> > [Thu Sep 3 15:27:34 2020] audit: type=1400 audit(1599139654.969:28):
> > apparmor="DENIED" operation="file_mmap" info="Failed name lookup -
> > disconnected path" error=-13 profile="postgresql_akonadi" name=""
> > pid=2126 comm="postgres" requested_mask="wr" denied_mask="wr"
> > fsuid=1000 ouid=1000
>
> This message means you'll need to add the attach_disconnected flag.
>
> Before:
> profile postgresql_akonadi {
>
> After:
> profile postgresql_akonadi flags=(attach_disconnected) {
>
> Note: The above assumes that the profile doesn't have any other flags
> yet.
>
> Don't forget to reload the profile ;-)
>
>
[ CC debian-kde and intrigeri ]
Hi Christian,
I followed some weird howtos in the WildWildWild-Internet and did a wrong setup.
[1] has the correct instructions.
The issue was that the akonadi-database ran as its own
postgresql-instance/process when looking with `ps -ef | grep s[q]l`.
So, I saw two processes - one owned by "postgres", the other
(akonadi-database) by my user "dileks".
By following the new instructions this is no longer the case - I have
one process owned by "postgres".
* The issues with AppArmor are no longer visible in dmesg-logs! *
It's true the "akonadi-server" Debian package ships its own aa-profile:
root# dpkg -L akonadi-server | grep apparmor
/etc/apparmor.d
/etc/apparmor.d/mysqld_akonadi
/etc/apparmor.d/postgresql_akonadi <--- XXX: Look here
/etc/apparmor.d/usr.bin.akonadiserver
Christian, do you mean to add the change like below?
[ /etc/apparmor.d/postgresql_akonadi ]
#include <tunables/global>
@{xdg_data_home}=@{HOME}/.local/share
BEFORE: profile postgresql_akonadi {
AFTER: profile postgresql_akonadi flags=(attach_disconnected) {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/consoles>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
capability setgid,
capability setuid,
/etc/passwd r,
/{usr/,}bin/{b,d}ash mrix,
/{usr/,}bin/locale mrix,
/{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/initdb mrix,
/{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_ctl mrix,
/{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/postgres mrix,
/usr/share/postgresql/** r,
owner /dev/shm/PostgreSQL.* rw,
owner @{xdg_data_home}/akonadi/** rwlk,
owner @{xdg_data_home}/akonadi/db_data/** l,
owner /{,var/}run/user/@{uid}/akonadi** rwk,
# pg_upgrade
/{usr/,usr/lib/postgresql/*/}bin/pg_upgrade mrix,
/opt/pgsql*/** mr,
/{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_controldata mrix,
/{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_resetwal mrix,
/{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_dumpall mrix,
/{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_dump mrix,
/{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/vacuumdb mrix,
/{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/psql mrix,
/{usr/,usr/lib/postgresql/*/,opt/pgsql*/}bin/pg_restore mrix,
/{usr/,}bin/cp mrix,
}
- EOF -
So, if this is a change you favour, please let me and the Debian-KDE team know.
See my "howto-switch-akonadi-database-from-mysql-to-postgresql.txt" below
for full instructions, and to get rid of MySQL/MariaDB entirely.
If you need further information, please let me know.
Thanks.
Regards,
- Sedat -
[1] Link: https://www.enricozini.org/blog/2015/akonadi-install/
P.S.: howto-switch-akonadi-database-from-mysql-to-postgresql.txt
[ LINKS ]
Link: https://www.enricozini.org/blog/2015/akonadi-install/
[ INSTALL ]
root# apt-get update
root# apt-get install postgresql-12 libqt5sql5-psql
akonadi-backend-postgresql --no-install-recommends -y
[ PACKAGES DIFF ]
root# diff -uprN packages_0646.txt packages.txt | egrep '^[+|-]ii'
+ii akonadi-backend-postgresql 4:20.04.1-2
+ii libqt5sql5-psql:amd64 5.14.2+dfsg-6
+ii postgresql 12+216
+ii postgresql-12 12.4-1
+ii postgresql-client-12 12.4-1
+ii postgresql-client-common 216
+ii postgresql-common 216
[ POSTGRESQL - START ]
root# pg_ctlcluster 12 main start
[ AKONADICTL - STOP ]
dileks$ akonadictl stop
dileks$ akonadictl status
[ ARCHIVE - MYSQL CONFIG & DATABASES ]
dileks$ mv ~/.config/akonadi ~/.config/akonadi.mysql
dileks$ mv ~/.local/share/akonadi ~/.local/share/akonadi.mysql
[ POSTGRESQL - NEW USER & PERMISSIONS ]
root at iniza:~# su - postgres
postgres at iniza:~$ createuser dileks
postgres at iniza:~$ psql postgres
psql (12.4 (Debian 12.4-1))
Geben Sie »help« für Hilfe ein.
postgres=# alter user dileks createdb;
ALTER ROLE
postgres=# \q
postgres at iniza:~$ exit
Abgemeldet
[ AKONADI - NEW DATABASE ]
dileks$ dpkg -S $(which createdb)
postgresql-client-common: /usr/bin/createdb
dileks$ createdb akonadi-dileks
XXX: createdb sets German locales correctly for my user (see below
"POSTGRESQL - CHECK").
[ AKONADI - SERVERRC QPSQL ]
XXX: TODO: Create empty ~/.config/akonadi directory.
dileks$ mkdir ~/.config/akonadi
EDIT: ~/.config/akonadi/akonadiserverrc
- BOF -
[Debug]
Tracer=null
[%General]
Driver=QPSQL
[QPSQL]
Host=
InitDbPath=
Name=akonadi-dileks
Options=
ServerPath=
StartServer=false
- EOF -
NOTE-1: "Name" is the name of the newly created database "akonadi-dileks".
NOTE-2: Do NOT change setting of "StartServer=false"!
[ AKONADICTL - START ]
dileks$ akonadictl start
dileks$ akonadictl status
Akonadi Control: running
Akonadi Server: running
Akonadi Server Search Support: available (Remote Search, Akonadi Search Plugin)
Available Agent Types: akonadi_akonotes_resource,
akonadi_archivemail_agent, akonadi_birthdays_resource,
akonadi_contacts_resource, akonadi_davgroupware_resource,
akonadi_ews_resource, akonadi_ewsmta_resource,
akonadi_followupreminder_agent, akonadi_googlecalendar_resource,
akonadi_googlecontacts_resource, akonadi_ical_resource,
akonadi_icaldir_resource, akonadi_imap_resource,
akonadi_indexing_agent, akonadi_kalarm_dir_resource,
akonadi_kalarm_resource, akonadi_kolab_resource,
akonadi_maildir_resource, akonadi_maildispatcher_agent,
akonadi_mailfilter_agent, akonadi_mbox_resource,
akonadi_migration_agent, akonadi_mixedmaildir_resource,
akonadi_newmailnotifier_agent, akonadi_notes_agent,
akonadi_notes_resource, akonadi_openxchange_resource,
akonadi_pop3_resource, akonadi_sendlater_agent,
akonadi_tomboynotes_resource, akonadi_unifiedmailbox_agent,
akonadi_vcard_resource, akonadi_vcarddir_resource
[ PS ]
root# ps -ef | grep -i s[q]l
postgres 1250 1 0 09:33 ? 00:00:00
/usr/lib/postgresql/12/bin/postgres -D /var/lib/postgresql/12/main -c
config_file=/etc/postgresql/12/main/postgresql.conf
NOTE: Make sure *no* instance of postgresql (akonadi-database) is running
as user "dileks".
[ POSTGRESQL - CHECK ]
root at iniza:~# su - postgres
postgres at iniza:~$ psql postgres
psql (12.4 (Debian 12.4-1))
Geben Sie »help« für Hilfe ein.
postgres=# \du
                                   Liste der Rollen
 Rollenname |                            Attribute                             | Mitglied von
------------+-----------------------------------------------------------------+--------------
 dileks     | DB erzeugen                                                     | {}
 postgres   | Superuser, Rolle erzeugen, DB erzeugen, Replikation, Bypass RLS | {}

postgres=# \l
                                    Liste der Datenbanken
      Name      | Eigentümer | Kodierung | Sortierfolge | Zeichentyp  |  Zugriffsprivilegien
----------------+------------+-----------+--------------+-------------+-----------------------
 akonadi-dileks | dileks     | UTF8      | de_DE.UTF-8  | de_DE.UTF-8 |
 postgres       | postgres   | UTF8      | de_DE.UTF-8  | de_DE.UTF-8 |
 template0      | postgres   | UTF8      | de_DE.UTF-8  | de_DE.UTF-8 | =c/postgres          +
                |            |           |              |             | postgres=CTc/postgres
 template1      | postgres   | UTF8      | de_DE.UTF-8  | de_DE.UTF-8 | =c/postgres          +
                |            |           |              |             | postgres=CTc/postgres
(4 Zeilen)
postgres=# \c akonadi-dileks
Sie sind jetzt verbunden mit der Datenbank »akonadi-dileks« als
Benutzer »postgres«.
akonadi-dileks=# \dt
Liste der Relationen
Schema | Name | Typ | Eigentümer
--------+----------------------------------+---------+------------
public | collectionattributetable | Tabelle | dileks
public | collectionmimetyperelation | Tabelle | dileks
public | collectionpimitemrelation | Tabelle | dileks
public | collectiontable | Tabelle | dileks
public | flagtable | Tabelle | dileks
public | mimetypetable | Tabelle | dileks
public | parttable | Tabelle | dileks
public | parttypetable | Tabelle | dileks
public | pimitemflagrelation | Tabelle | dileks
public | pimitemtable | Tabelle | dileks
public | pimitemtagrelation | Tabelle | dileks
public | relationtable | Tabelle | dileks
public | relationtypetable | Tabelle | dileks
public | resourcetable | Tabelle | dileks
public | schemaversiontable | Tabelle | dileks
public | tagattributetable | Tabelle | dileks
public | tagremoteidresourcerelationtable | Tabelle | dileks
public | tagtable | Tabelle | dileks
public | tagtypetable | Tabelle | dileks
(19 Zeilen)
akonadi-dileks=# \q
postgres at iniza:~$ exit
Abgemeldet
[ KMAIL ]
Start KMail as user to check if akonadi-server works correctly with the
PostgreSQL server.
[ SYSTEMD ]
root# systemctl enable --now postgresql.service
NOTE: Enable postgresql.service on each boot/startup.
[ CLEANUP - MYSQL & MARIADB ]
root# diff -uprN packages_0647.txt packages.txt | egrep '^[+|-]ii'
-ii akonadi-backend-mysql 4:20.04.1-2
-ii default-mysql-client-core 1.0.5
-ii default-mysql-server-core 1.0.5
-ii libmailutils7:amd64 1:3.10-3
-ii libmariadb3:amd64 1:10.3.24-2
-ii libqt5sql5-mysql:amd64 5.14.2+dfsg-6
-ii libreoffice-sdbc-mysql 1:7.0.1~rc1-2
-ii mailutils 1:3.10-3
-ii mailutils-common 1:3.10-3
-ii mariadb-client-core-10.3 1:10.3.24-2
-ii mariadb-common 1:10.3.24-2
-ii mariadb-server-core-10.3 1:10.3.24-2
-ii mysql-common 5.8+1.0.5
[ HISTORY ]
-dileks // 03-Sep-2020: Update "PS" section; Move "KMAIL" and "SYSTEMD" sections
-dileks // 03-Sep-2020: Add "POSTGRESQL - CHECK" section; Add the Link
with correct instructions
-dileks // 02-Sep-2020: Initial release
- EOT -
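As an added example (not from Sedat's or Christian's mail, and not part of the akonadi-server package): a small POSIX shell helper that picks out, from `dmesg -T` style output, the profiles whose denials report a "disconnected path" (the symptom Christian explains) and rewrites a profile header to add attach_disconnected, also covering the case he notes where the profile already has flags. The log lines are constructed; `apparmor_parser -r` is the standard way to reload a changed profile.

```shell
#!/bin/sh
# Added example, not from the thread or the akonadi-server package.
# Part 1: find profiles whose denials say "disconnected path".
# Part 2: add attach_disconnected to a header without clobbering flags
#         that are already there.

# Constructed sample of `dmesg -T` output. Line 1 mirrors the denial
# quoted in the thread; line 2 is an ordinary denial that must NOT be
# reported, because attach_disconnected would not fix it.
SAMPLE_LOG='[Thu Sep  3 15:27:34 2020] audit: type=1400 audit(1599139654.969:28): apparmor="DENIED" operation="file_mmap" info="Failed name lookup - disconnected path" error=-13 profile="postgresql_akonadi" name="" pid=2126 comm="postgres" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
[Thu Sep  3 15:28:01 2020] audit: type=1400 audit(1599139681.123:29): apparmor="DENIED" operation="open" profile="usr.bin.akonadiserver" name="/home/dileks/.cache/akonadi/tmp" pid=2200 comm="akonadiserver" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000'

# Read log lines on stdin; print each profile name (once) that hit a
# disconnected-path denial.
disconnected_profiles() {
    grep 'apparmor="DENIED"' | grep 'disconnected path' |
        sed -n 's/.*profile="\([^"]*\)".*/\1/p' | sort -u
}

# Rewrite one profile header line so it carries attach_disconnected.
#   'profile x {'                  -> 'profile x flags=(attach_disconnected) {'
#   'profile x flags=(complain) {' -> 'profile x flags=(complain,attach_disconnected) {'
#   flag already present           -> line returned unchanged
add_attach_disconnected() {
    case "$1" in
        *attach_disconnected*) printf '%s\n' "$1" ;;
        *'flags=('*')'*) printf '%s\n' "$1" |
            sed 's/flags=(\([^)]*\))/flags=(\1,attach_disconnected)/' ;;
        *) printf '%s\n' "$1" | sed 's/ {$/ flags=(attach_disconnected) {/' ;;
    esac
}

# Tie both together: for each affected profile, show the header change
# (on a bare header, for illustration) and the reload command.
suggest_fixes() {
    printf '%s\n' "$SAMPLE_LOG" | disconnected_profiles | while read -r p; do
        printf '%s: %s\n' "$p" "$(add_attach_disconnected "profile $p {")"
        printf '  then reload: apparmor_parser -r /etc/apparmor.d/%s\n' "$p"
    done
}

suggest_fixes
```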