[pkg-apparmor] Bug#1078441: apparmor-profiles: Apparmor profile for sshd blocks incoming connections.
Thomas Nemeth
tnemeth at free.fr
Sat Aug 10 13:34:14 BST 2024
Package: apparmor-profiles
Version: 3.1.7-1
Severity: important
Tags: upstream
The latest openssh-server upgrade (openssh-server: 1:9.7p1-7, 1:9.8p1-2)
has not been followed by an apparmor update for its profile. When trying
to connect to the server, the connection was refused.
After investigating, it was due to the /usr/lib/openssh/sshd-session
binary not being allowed to be executed.
Journalctl gave:
sshd[5730]: fatal: rexec of /usr/lib/openssh/sshd-session failed: Permission denied
kernel: audit: type=1400 audit(1723284035.133:169): apparmor="DENIED" operation="exec" class="file" profile="/usr/sbin/sshd" name="/usr/lib/openssh/sshd-session" pid=5730 comm="sshd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
A local profile (/etc/apparmor.d/local/usr.sbin.sshd) with the
following lines fixes the problem:
/usr/lib/openssh/sshd-session PUxr,
/usr/lib/openssh/sshd-session-cleanup PUxr,
Note: these lines may not be optimal.
-- System Information:
Debian Release: trixie/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 6.9.12-686-pae (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages apparmor-profiles depends on:
ii apparmor 3.1.7-1+b1
apparmor-profiles recommends no packages.
apparmor-profiles suggests no packages.
-- no debconf information
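
Added example (not part of the original report, and not code from the AppArmor or Debian projects): a small Python filter that picks denied exec transitions such as the one quoted above out of journal text and groups them by confining profile and target binary. The function names and the third sample line are constructed for illustration; the hex-decoding branch assumes the kernel's usual audit convention of logging unprintable strings as bare hex.

```python
import re
from collections import Counter

# Constructed sample input: the two journal lines quoted in the report, plus
# one constructed non-exec denial that the filter must ignore.
SAMPLE_JOURNAL = """\
sshd[5730]: fatal: rexec of /usr/lib/openssh/sshd-session failed: Permission denied
kernel: audit: type=1400 audit(1723284035.133:169): apparmor="DENIED" operation="exec" class="file" profile="/usr/sbin/sshd" name="/usr/lib/openssh/sshd-session" pid=5730 comm="sshd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1723284036.001:170): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/sshd" name="/tmp/example" pid=5731 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Fields logged as "untrusted strings": quoted when printable, otherwise
# written as bare hex (assumption stated in the lead-in).
UNTRUSTED = {"name", "profile", "comm"}

def parse_record(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        if quoted or not bare:
            fields[key] = quoted
        elif key in UNTRUSTED and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            fields[key] = bare
    return fields

def exec_denials(journal_text):
    """Count denied exec transitions as (profile, target binary) pairs."""
    hits = Counter()
    for line in journal_text.splitlines():
        rec = parse_record(line)
        if (rec and rec.get("apparmor") == "DENIED"
                and rec.get("operation") == "exec"
                and "x" in rec.get("denied_mask", "")):
            hits[(rec.get("profile"), rec.get("name"))] += 1
    return hits

if __name__ == "__main__":
    for (profile, target), n in exec_denials(SAMPLE_JOURNAL).items():
        print(f"{n}x profile {profile} may not exec {target}")
```
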