[pkg-apparmor] PostgreSQL AppArmor profiles

Christian Boltz apparmor-debian at cboltz.de
Sun Sep 6 00:52:14 BST 2020 

Hello,

Am Freitag, 4. September 2020, 10:30:25 CEST schrieb Sedat Dilek:
> I followed some weird howtos in the WildWildWild-Internet and did a
> wrong setup. [1] has the correct instructions.
> 
> The issue was when the akonadi-database ran as an own
> postgresql-instance/process when looking with `ps -ef | grep s[q]l`.
> So, I saw two processes - one owned by "postgres" the other
> (akonadi-database) by my user "dileks".
>
> By following the new instructions this is no more the case - I have
> one process owned by "postgres".
> 
> * The issues with AppArmor are no more visible in dmesg-logs! *

That's not surprising.

Before, you/akonadi used a user-specific postgres instance (started by 
akonadi) which used the postgresql_akonadi profile.

Switching to the "system-wide" postgresql means akonadi doesn't [need 
to] start postgresql - and the system-wide postgres runs under a 
different (or no) AppArmor profile.

You can check that with   ps Zaux | grep postgres   - the first column 
will show the AppArmor profile.

[...]
> Christian, you mean to add the change like below?
> 
> [ /etc/apparmor.d/postgresql_akonadi ]
> 
> #include <tunables/global>
> 
> @{xdg_data_home}=@{HOME}/.local/share
> 
> BEFORE: profile postgresql_akonadi {
> AFTER: profile postgresql_akonadi flags=(attach_disconnected) {

Right, the   flags=(attach_disconnected)   addition is the correct fix.

[...]
> So, if this is a change you favour, please let me and the Debian-KDE
> team know.

It is :-) - please apply it to the shipped profile.


Regards,

Christian Boltz
-- 
If someone wants to, go ahead - I will consider that person brave,
like a viking exploring the great unknown for the first time armed
only with a sword and shield while about to unknowingly run into
dragons, ogres, and terminators armed with purple laser beams
[Richard Brown in opensuse-project]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://alioth-lists.debian.net/pipermail/pkg-apparmor-team/attachments/20200906/9bcae445/attachment.sig>

More information about the pkg-apparmor-team mailing list