[Pkg-giraffe-discuss] some Apparmor issues within kopanocore packages

Carsten Schoenert c.schoenert at t-online.de
Fri Dec 21 19:45:56 GMT 2018


Hi,

I grepped for messages containing "denied" in the output of dmesg
and got the following lines. There are for sure more AppArmor things to
solve, but this then needs the usage of all related packages in detail to
see what else might need some adjustment.

> root at debian:/etc# dmesg| grep DENIED
> [617689.721121] audit: type=1400 audit(1545150760.193:4): apparmor="DENIED" operation="signal" profile="/usr/sbin/kopano-server" pid=3554 comm="kopano-server" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
> [617694.466354] audit: type=1400 audit(1545150764.941:6): apparmor="DENIED" operation="open" profile="/usr/sbin/kopano-search" name="/usr/sbin/" pid=3781 comm="kopano-search" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> [617694.565893] audit: type=1400 audit(1545150765.041:7): apparmor="DENIED" operation="open" profile="/usr/sbin/kopano-search" name="/proc/3785/fd/" pid=3785 comm="kopano-search" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> [617694.579115] audit: type=1400 audit(1545150765.053:8): apparmor="DENIED" operation="open" profile="/usr/sbin/kopano-search" name="/proc/3786/fd/" pid=3786 comm="kopano-search" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> [617694.582106] audit: type=1400 audit(1545150765.057:9): apparmor="DENIED" operation="open" profile="/usr/sbin/kopano-search" name="/etc/magic" pid=3781 comm="kopano-search" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> [617694.585391] audit: type=1400 audit(1545150765.057:10): apparmor="DENIED" operation="open" profile="/usr/sbin/kopano-search" name="/etc/magic" pid=3781 comm="kopano-search" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> [617694.853944] audit: type=1400 audit(1545150765.329:11): apparmor="DENIED" operation="open" profile="/usr/sbin/kopano-search" name="/etc/ssl/openssl.cnf" pid=3781 comm="kopano-search" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
> [617694.934927] audit: type=1400 audit(1545150765.409:12): apparmor="DENIED" operation="mkdir" profile="/usr/sbin/kopano-search" name="/usr/lib/python3/dist-packages/xapian/__pycache__/" pid=3781 comm="kopano-search" requested_mask="c" denied_mask="c" fsuid=108 ouid=108

The read access to /etc/magic and the SSL config are clear I think, the
access to /proc/$PID/fd should also be no problem. For the rest, my knowledge
of how to read these is simply not enough.

If someone can guide me what to add we could address this in the next
upload. Until now I'd add this.

> diff --git a/debian/apparmor/usr.sbin.kopano-search b/debian/apparmor/usr.sbin.kopano-search
> index d61a2429..daa90e42 100644
> --- a/debian/apparmor/usr.sbin.kopano-search
> +++ b/debian/apparmor/usr.sbin.kopano-search
> @@ -14,6 +14,7 @@
>    capability setuid,
>  
>    @{PROC}/@{pid}/cmdline r,
> +  @{PROC}/@{pid}/fd r,
>    @{PROC}/@{pid}/mounts r,
>    @{PROC}/@{pid}/status r,
>    @{PROC}/@{pid}/task/@{tid}/comm rw,
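
Review bot: the added `@{PROC}/@{pid}/fd r,` rule has no trailing slash, so it will not match the denied name shown in the log, `/proc/3785/fd/`. AppArmor treats a path ending in `/` as a directory, and a rule has to end in `/` to match it; `@{PROC}/@{pid}/fd/ r,` would allow the directory read that was denied.
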
> @@ -31,6 +32,8 @@
>    /usr/sbin/kopano-search r,
>  
>    /etc/kopano/search.cfg r,
> +  /etc/magic r,
> +  /etc/ssl/openssl.cnf r,
>  
>    /bin/dash Pix,
>    /bin/rm Pix,
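
Review bot: after the `/etc/magic r,` and `/etc/ssl/openssl.cnf r,` additions, two kopano-search denials from the quoted log are still unhandled: the read of `/usr/sbin/` and the mkdir of `/usr/lib/python3/dist-packages/xapian/__pycache__/`. For the `__pycache__/` case, consider an explicit `deny` rule instead of granting write access under /usr/lib, which quiets the log without letting the confined daemon create files there; `/usr/sbin/ r,` would cover the directory read if the daemon really needs it. The kopano-server signal denial belongs to a different profile and is outside this file.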



-- 
Regards
Carsten Schoenert
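
As an added example (not part of the original message or of the kopanocore packaging), this Python code shows how the fields of such audit lines map onto candidate AppArmor rules, grouped by profile. The log lines are copied from the dmesg output quoted above; the function names are hypothetical, and every candidate still needs review before it goes into a profile.

```python
import re
from collections import defaultdict

# Five of the denials from the dmesg output quoted in the message above.
SAMPLE = '''\
[617689.721121] audit: type=1400 audit(1545150760.193:4): apparmor="DENIED" operation="signal" profile="/usr/sbin/kopano-server" pid=3554 comm="kopano-server" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
[617694.565893] audit: type=1400 audit(1545150765.041:7): apparmor="DENIED" operation="open" profile="/usr/sbin/kopano-search" name="/proc/3785/fd/" pid=3785 comm="kopano-search" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[617694.582106] audit: type=1400 audit(1545150765.057:9): apparmor="DENIED" operation="open" profile="/usr/sbin/kopano-search" name="/etc/magic" pid=3781 comm="kopano-search" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[617694.585391] audit: type=1400 audit(1545150765.057:10): apparmor="DENIED" operation="open" profile="/usr/sbin/kopano-search" name="/etc/magic" pid=3781 comm="kopano-search" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[617694.934927] audit: type=1400 audit(1545150765.409:12): apparmor="DENIED" operation="mkdir" profile="/usr/sbin/kopano-search" name="/usr/lib/python3/dist-packages/xapian/__pycache__/" pid=3781 comm="kopano-search" requested_mask="c" denied_mask="c" fsuid=108 ouid=108
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Return the key/value fields of one audit line, or None if it is not a denial."""
    fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def candidate_rule(f):
    """Turn one parsed denial into the profile rule that would have allowed it."""
    if f["operation"] == "signal":
        return f'signal ({f["denied_mask"]}) set=({f["signal"]}) peer={f["peer"]},'
    # Log masks "c" (create) and "d" (delete) are both granted by "w" in a profile.
    perms = "".join(dict.fromkeys("w" if c in "cd" else c for c in f["denied_mask"]))
    # Generalise the per-process /proc path with the profile variables.
    path = re.sub(r"^/proc/\d+/", "@{PROC}/@{pid}/", f["name"])
    return f"{path} {perms},"

def rules_by_profile(log_text):
    """Group de-duplicated candidate rules under the profile that logged them."""
    out = defaultdict(list)
    for line in log_text.splitlines():
        f = parse(line)
        if f:
            rule = candidate_rule(f)
            if rule not in out[f["profile"]]:
                out[f["profile"]].append(rule)
    return dict(out)

if __name__ == "__main__":
    for profile, rules in rules_by_profile(SAMPLE).items():
        print(profile, *rules, sep="\n  ")
```

The `profile=` field names the profile to edit, `name=` is the object that was accessed (a trailing `/` marks a directory), and `denied_mask=` is the permission that was missing.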