[pkg-apparmor] PostgreSQL AppArmor profiles
Christian Boltz
apparmor-debian at cboltz.de
Mon Sep 7 17:22:03 BST 2020
Hello,
On Sunday, 6 September 2020, 21:31:45 CEST, Sandro Knauß wrote:
> Christian is trying to replace the Akonadi internal postgres service
> with a system wide service. Is that correct?
No ;-)
There are two unrelated things in this discussion:
a) the need to update the postgresql_akonadi AppArmor profile when using
the internal postgres service (= this mail)
b) Sedat switched to using the system wide postgres (not relevant for
the AppArmor profile, except that it of course avoids the profile for
the internal postgres service)
> (This in itself is not really supported by Akonadi; normally Akonadi
> takes care of starting and stopping the database itself). So
> what is the advantage of starting/stopping postgres outside of
> Akonadi?
I use Akonadi with my system-wide MySQL, so let me answer from my POV:
It avoids running another MySQL instance (I have a system-wide MySQL
running anyway), and my _impression_ (no hard facts) is that it works a
bit more stably than with the Akonadi-internal MySQL. I can only guess,
but maybe the internal MySQL gets stopped the hard way on logout if the
regular stop takes too long?
Again: This is only my impression, I don't have hard facts.
> > > BEFORE: profile postgresql_akonadi {
> > > AFTER: profile postgresql_akonadi flags=(attach_disconnected) {
> >
> > Right, the flags=(attach_disconnected) addition is the correct
> > fix.
> What does this flag do?
The starting point was this message:
[Thu Sep 3 15:27:34 2020] audit: type=1400 audit(1599139654.969:28): apparmor="DENIED" operation="file_mmap" info="Failed name lookup - disconnected path" error=-13 profile="postgresql_akonadi" name="" pid=2126 comm="postgres" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
As you can see, the message in this specific case is about name=""
The simplified explanation is that with attach_disconnected, this will
become name="/" - attach_disconnected prepends a / to paths that
aren't connected to the root filesystem namespace.
> Does this mean, that every postgres service I
> start will be run under this profile?
No.
> Or can AppArmor distinguish
> between the system wide postgresql@12-main.service and the akonadi
> one (akonadi-dileks)?
Yes, because the akonadi profile probably (at least I guess so, I don't
use Debian and never looked at the Akonadi profile) has a rule saying
/usr/bin/postgresql Cx -> postgresql_akonadi,
which means "if akonadi executes postgres, use the postgresql_akonadi
child profile".
For the system-wide postgresql, the "if akonadi executes postgres"
condition won't match ;-)
> Because keep in mind the profile
> postgresql_akonadi should only be added to this instance that is
> connected to akonadi and not the other postgres clusters. The idea of
> the profiles is that the non Akonadi instances of postgres and mysql
> don't get any akonadi profile attached.
Right, and this won't change with the added flag.
Regards,
Christian Boltz
--
One piece of advice: if you maintain a C&C server (which is both a
really bad idea and a criminal act and as such, strongly discouraged),
always use a strong password.
It's very unprofessional if your server is cracked this easily.
[http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/
SophosInsideABlackHole.pdf]
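The two points Christian makes above (reading a "disconnected path" denial with name="" as a hint that the profile header needs flags=(attach_disconnected), and applying that flag to the profile header exactly as in the BEFORE/AFTER lines) can be turned into a small triage helper. The following is an added example, not code from the thread or from the Debian apparmor packaging; the log lines and the minimal profile text are constructed for the example (the second log line and the profile body are invented, not the real Akonadi profile), and the rule suggestion for ordinary path denials is a simplified version of what tools like aa-logprof do.

```python
import re

# Constructed sample log: the first line is the denial quoted in the mail,
# the second is a made-up ordinary path denial for comparison.
SAMPLE_LOG = """\
[Thu Sep 3 15:27:34 2020] audit: type=1400 audit(1599139654.969:28): apparmor="DENIED" operation="file_mmap" info="Failed name lookup - disconnected path" error=-13 profile="postgresql_akonadi" name="" pid=2126 comm="postgres" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
[Thu Sep 3 15:28:01 2020] audit: type=1400 audit(1599139681.120:29): apparmor="DENIED" operation="open" profile="postgresql_akonadi" name="/etc/hosts" pid=2126 comm="postgres" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

# Constructed minimal profile (hypothetical; not the Debian akonadi profile).
SAMPLE_PROFILE = """\
profile postgresql_akonadi {
  #include <abstractions/base>
  /usr/lib/postgresql/*/bin/postgres mr,
}
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Matches a profile header such as:  profile NAME [/attach/path] [flags=(a,b)] {
HEADER_RE = re.compile(
    r'^([ \t]*profile[ \t]+(\S+)(?:[ \t]+/\S+)?)(?:[ \t]+flags=\(([^)]*)\))?[ \t]*\{[ \t]*$',
    re.MULTILINE,
)


def parse_audit_line(line):
    """Return the key="value" fields of an AppArmor audit line, or None if it is not one."""
    fields = dict(KV_RE.findall(line))
    return fields if "apparmor" in fields else None


def classify(fields):
    """Explain a DENIED record and name the profile change it hints at."""
    if fields.get("apparmor") != "DENIED":
        return None
    info = fields.get("info", "")
    profile = fields["profile"]
    # The case from the mail: lookup failed because the path is not connected
    # to the root namespace, so the kernel reports an empty name.
    if "disconnected path" in info and fields.get("name", "") == "":
        return {
            "kind": "disconnected_path",
            "suggestion": 'add flags=(attach_disconnected) to profile "%s"' % profile,
        }
    # Ordinary path denial: a file rule with the denied permissions would allow it.
    return {
        "kind": "path_denial",
        "suggestion": 'consider a rule "%s %s," in profile "%s"'
        % (fields.get("name"), fields.get("denied_mask"), profile),
    }


def triage(log_text):
    """Run classify() over every AppArmor line in a log excerpt."""
    results = []
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if fields is None:
            continue
        verdict = classify(fields)
        if verdict:
            results.append(verdict)
    return results


def add_flag(profile_text, profile_name, flag="attach_disconnected"):
    """Add FLAG to the flags=(...) of the named profile header, keeping existing flags.

    Turns 'profile postgresql_akonadi {' into
    'profile postgresql_akonadi flags=(attach_disconnected) {' and is idempotent.
    """
    def repl(m):
        head, name, flags = m.group(1), m.group(2), m.group(3)
        if name != profile_name:
            return m.group(0)
        existing = [f.strip() for f in flags.split(",") if f.strip()] if flags else []
        if flag not in existing:
            existing.append(flag)
        return "%s flags=(%s) {" % (head, ",".join(existing))
    return HEADER_RE.sub(repl, profile_text)


if __name__ == "__main__":
    for verdict in triage(SAMPLE_LOG):
        print(verdict["kind"], "->", verdict["suggestion"])
    print(add_flag(SAMPLE_PROFILE, "postgresql_akonadi"))
```

Only the named profile's header is touched, so sibling profiles in the same file (for example a MySQL child profile) keep their own flags, which matches the point in the thread that the flag changes nothing about which processes the profile attaches to.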