[pkg-apparmor] PostgreSQL AppArmor profiles
Sandro Knauß
hefee at debian.org
Mon Sep 7 18:21:06 BST 2020
Hey,
> There are two unrelated things in this discussion:
Thanks for the clarification.
> a) the need to update the postgresql_akonadi AppArmor profile when using
> the internal postgres service (= this mail)
>
> b) Sedat switched to using the system wide postgres (not relevant for
> the AppArmor profile, except that it of course avoids the profile for
> the internal postgres service)
>
> > (This in itself is not really supported by Akonadi; normally Akonadi
> > is taking care about starting and stopping the database itself). So
> > what is the advantage of starting/stopping postgres outside of
> > Akonadi?
>
> I use Akonadi with my system-wide MySQL, so let me answer from my POV:
> It avoids running another MySQL instance (I have a system-wide MySQL
> running anyway), and my _impression_ (no hard facts) is that it works a
> bit more stable than with the Akonadi-internal MySQL. I can only guess,
> but maybe the internal MySQL gets stopped the hard way on logout if the
> regular stop takes too long?
>
> Again: This is only my impression, I don't have hard facts.
I use the internal MySQL and didn't need to tweak anything. Maybe you would
have to tweak the internal MySQL settings for a better experience. The
settings of Akonadi are very conservative. But that is a totally unrelated
topic.
>
> > > > BEFORE: profile postgresql_akonadi {
> > > > AFTER: profile postgresql_akonadi flags=(attach_disconnected) {
> > >
> > > Right, the flags=(attach_disconnected) addition is the correct
> > > fix.
> >
> > What does this flag do?
>
> The starting point was this message:
>
> [Thu Sep 3 15:27:34 2020] audit: type=1400 audit(1599139654.969:28):
> apparmor="DENIED" operation="file_mmap" info="Failed name lookup -
> disconnected path" error=-13 profile="postgresql_akonadi" name=""
> pid=2126 comm="postgres" requested_mask="wr" denied_mask="wr"
> fsuid=1000 ouid=1000
>
> As you can see, the message in this specific case is about name=""
>
> The simplified explanation is that with attach_disconnected, this will
> become name="/" - attach_disconnected prepends a / to paths that
> aren't connected to the root filesystem namespace.
Okay, but what does name="/" do? Why does this help? As far as I understand the audit
message, it tries to start "postgres" without supplying the complete path. But the
postgres command is never in the normal path, as it exists under /usr/lib/
postgresql/XX/bin/postgres, so executing postgres fails anyway.
But maybe we should move this discussion to a merge request upstream, which we can
then backport, so that others can learn from it too:
https://invent.kde.org/pim/akonadi/-/merge_requests/29
> > Does this mean, that every postgres service I
> > start will be run under this profile?
>
> No.
>
> > Or can AppArmor distinguish
> > between the system wide postgresql@12-main.service and the akonadi
> > one (akonadi-dileks)?
>
> Yes, because the akonadi profile probably (at least I guess so, I don't
> use Debian and never looked at the Akonadi profile) has a rule saying
> /usr/bin/postgresql Cx -> postgresql_akonadi,
> which means "if akonadi executes postgres, use the postgresql_akonadi
> child profile".
>
> For the system-wide postgresql, the "if akonadi executes postgres"
> condition won't match ;-)
>
> > Because keep in mind the profile
> > postgresql_akonadi should only be added to this instance that is
> > connected to akonadi and not the other postgres clusters. The idea of
> > the profiles is that the non Akonadi instances of postgres and mysql
> > don't get any akonadi profile attached.
>
> Right, and this won't change with the added flag.
Okay, thanks, this already helps a lot.
hefee
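As an added example (not part of this thread, and not the Debian or Akonadi profile code): a small Python script that parses AppArmor DENIED audit records like the one quoted above, separates the "disconnected path" case (name="") from an ordinary path denial, and applies the header change from the BEFORE/AFTER lines (adding flags=(attach_disconnected)) to a constructed profile fragment. The second log line and the profile text are constructed for the example; only the first log line is the one from the thread.

```python
import re

# Sample audit records. The first is the denial quoted in the thread; the
# second is constructed to show an ordinary path denial for contrast.
SAMPLE_AUDIT_LINES = [
    '[Thu Sep 3 15:27:34 2020] audit: type=1400 audit(1599139654.969:28): '
    'apparmor="DENIED" operation="file_mmap" info="Failed name lookup - '
    'disconnected path" error=-13 profile="postgresql_akonadi" name="" '
    'pid=2126 comm="postgres" requested_mask="wr" denied_mask="wr" '
    'fsuid=1000 ouid=1000',
    # constructed line, not from the thread
    'audit: type=1400 audit(1599139700.000:29): apparmor="DENIED" '
    'operation="open" profile="postgresql_akonadi" name="/etc/shadow" '
    'pid=2126 comm="postgres" requested_mask="r" denied_mask="r" '
    'fsuid=1000 ouid=0',
]

# Constructed profile fragment; not the real Debian profile.
SAMPLE_PROFILE = """profile postgresql_akonadi {
  #include <abstractions/base>
  /usr/lib/postgresql/*/bin/postgres mr,
}
"""

# key="quoted value" or key=bareword, as used by AppArmor audit records
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key/value fields of an AppArmor audit record, or None."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        # group 3 is the quoted form (may be the empty string), group 4 bare
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def classify(fields):
    """Distinguish a disconnected-path denial from a plain path denial."""
    if fields is None or fields.get('apparmor') != 'DENIED':
        return None
    if 'disconnected path' in fields.get('info', ''):
        return 'disconnected_path'
    return 'path_denied'


def suggest_fix(fields):
    """Human-readable next step for a denial; never edits anything itself."""
    kind = classify(fields)
    profile = fields.get('profile', '?') if fields else '?'
    if kind == 'disconnected_path':
        return (f'{profile}: add flags=(attach_disconnected) to the profile '
                f'header so the disconnected path is matched as if rooted at /')
    if kind == 'path_denied':
        return (f'{profile}: review whether a rule for {fields.get("name")} '
                f'({fields.get("requested_mask")}) belongs in the profile')
    return 'not an AppArmor denial'


# Matches "profile NAME {" or "profile NAME flags=(...) {" at line start.
HEADER_RE_TEMPLATE = r'^(\s*profile\s+{name})(\s+flags=\(([^)]*)\))?\s*\{{'


def add_attach_disconnected(profile_text, profile_name):
    """Return (new_text, headers_changed) with attach_disconnected added.

    Existing flags are preserved and the operation is idempotent.
    """
    pattern = re.compile(HEADER_RE_TEMPLATE.format(name=re.escape(profile_name)),
                         re.MULTILINE)

    def repl(m):
        flags = [f.strip() for f in (m.group(3) or '').split(',') if f.strip()]
        if 'attach_disconnected' not in flags:
            flags.append('attach_disconnected')
        return f"{m.group(1)} flags=({','.join(flags)}) {{"

    return pattern.subn(repl, profile_text)


if __name__ == '__main__':
    for line in SAMPLE_AUDIT_LINES:
        print(suggest_fix(parse_audit_line(line)))
    fixed, count = add_attach_disconnected(SAMPLE_PROFILE, 'postgresql_akonadi')
    print(f'{count} header(s) changed:\n{fixed}')
```

The script deliberately only rewrites the profile header for the disconnected-path case and merely reports ordinary path denials, since adding a path rule to a profile is a policy decision that should be reviewed rather than generated from a single log line.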