apparmor sample profile for lighttpd missing entries

Bug #1285653 reported by ks_lp on 2014-02-27
This bug affects 1 person
Affects: apparmor (Ubuntu)
Importance: Undecided
Assigned to: Seth Arnold

Bug Description

/usr/share/doc/apparmor-profiles/extras/usr.sbin.lighttpd is missing some directories:

/etc/lighttpd/conf-available/ r,
/etc/lighttpd/conf-available/*.conf r,
/var/www/* r,

The first two are needed to be able to enable modules; the third is where files (e.g. *.html) are served from.

1) lighttpd does not start when a module is enabled.
Example:
/usr/sbin/lighty-enable-mod
enable access logging module "accesslog" and restart lighttpd (or reload config)
syslog shows:
Feb 27 07:11:20 localhost kernel: [685075.349141] type=1400 audit(1393503080.987:133): apparmor="DENIED" operation="open" parent=10213 profile="/usr/sbin/lighttpd" name="/etc/lighttpd/conf-available/10-accesslog.conf" pid=10218 comm="lighttpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=33

2) lighttpd does not have access to web files
Any attempt at connecting to the web server results in syslog:
Feb 27 07:18:03 localhost kernel: [685478.188512] type=1400 audit(1393503483.827:153): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/lighttpd" name="/var/www/index.html" pid=10479 comm="lighttpd" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
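
An added example, not part of the bug report or of AppArmor's own tooling: it parses the two DENIED records above and checks whether a set of candidate profile rules would have allowed them. The glob matcher is a simplification that handles only `*`, `**` and `?` (no `{}` alternation, character classes or variables), and the `NESTED` record is constructed to show that `/var/www/* r,` does not reach files in subdirectories.

```python
import re

# The two kernel denial records from the report (timestamps and pids trimmed).
DENIALS = [
    'apparmor="DENIED" operation="open" profile="/usr/sbin/lighttpd" '
    'name="/etc/lighttpd/conf-available/10-accesslog.conf" comm="lighttpd" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=33',
    'apparmor="DENIED" operation="open" profile="/usr/sbin/lighttpd" '
    'name="/var/www/index.html" comm="lighttpd" '
    'requested_mask="r" denied_mask="r" fsuid=33 ouid=0',
]
# Constructed record (not from the report): a file one directory deeper.
NESTED = DENIALS[1].replace("/var/www/index.html", "/var/www/html/index.html")
# The three rules proposed in the report.
PROPOSED = [
    "/etc/lighttpd/conf-available/ r,",
    "/etc/lighttpd/conf-available/*.conf r,",
    "/var/www/* r,",
]
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = {key: quoted or bare for key, quoted, bare in KV.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def glob_to_regex(glob):
    """Simplified AppArmor globbing: '**' crosses '/', '*' and '?' do not."""
    parts = re.split(r"(\*\*|\*|\?)", glob)
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    return "".join(table.get(p, re.escape(p)) for p in parts)

def covers(rule, denial):
    """True if a 'path perms,' file rule grants everything in denied_mask."""
    path, perms = rule.rstrip(",").rsplit(None, 1)
    return (re.fullmatch(glob_to_regex(path), denial["name"]) is not None
            and set(denial["denied_mask"]) <= set(perms))

def uncovered(lines, rules):
    """Paths from DENIED records that none of the candidate rules would allow."""
    denials = filter(None, map(parse_denial, lines))
    return [d["name"] for d in denials if not any(covers(r, d) for r in rules)]

if __name__ == "__main__":
    print(uncovered(DENIALS + [NESTED], PROPOSED))
```

Running the same check against a profile before widening it shows which denials a narrow rule already resolves, so a recursive `**` is added only where a deeper path actually needs it.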

ks_lp (kian-spongsveen) wrote :

Tested on Ubuntu 13.10

Jamie Strandboge (jdstrand) wrote :

This needs two patches: one to adjust 0002-add-debian-integration-to-lighttpd.patch and one to adjust abstractions/web-data. Attached is a patch to the former.

Changed in apparmor (Ubuntu):
assignee: nobody → Seth Arnold (seth-arnold)
status: New → Triaged

Jamie Strandboge (jdstrand) wrote :

And here is the patch for the latter. This uses /var/www/html instead though, since we'll fix this in 14.04 and that is the standard document root in Debian and its derivatives.

tags: added: patch

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.95~2430-0ubuntu1

---------------
apparmor (2.8.95~2430-0ubuntu1) trusty; urgency=low

  [ Jamie Strandboge ]

   * debian/debhelper/dh_apparmor: exit with error if aa-easyprof does not
     exist
   * debian/control: drop Depends on apparmor-easyprof to Suggests for
     dh-apparmor

  [ Seth Arnold, Jamie Strandboge, Steve Beattie, John Johansen, Tyler Hicks ]

  * New upstream snapshot (LP: #1278702, #1061693, #1285653) dropping very
    large Ubuntu delta and fixing the following bugs:
    - Adjust fonts abstraction for libthai (LP: #1278702)
    - Support translated XDG user directories (LP: #1061693)
    - Adjust abstractions/web-data to include /var/www/html (LP: #1285653)
      Refresh 0002-add-debian-integration-to-lighttpd.patch to include
      /etc/lighttpd/conf-available/*.conf
    - Adjust debian/libapparmor1.symbols to reflect new upstream versioning
      for the aa_query_label() function
    - Raise exceptions in Python bindings when something fails
  * ship new Python replacements for previous Perl-based tools
    - debian/apparmor-utils.install: remove usr/share/perl5/Immunix/*.pm and
      add usr/sbin/aa-autodep, usr/sbin/aa-cleanprof and usr/sbin/aa-mergeprof
    - debian/control:
      + remove various Perl dependencies
      + add python-apparmor and python3-apparmor
      + python3-apparmor Breaks: apparmor-easyprof to move the file since it
        ships dist-packages/apparmor/__init__.py now
    - debian/apparmor-utils.manpages: ship new manpages for aa-cleanprof and
      aa-mergeprof
    - debian/rules: build and install Python tools
  * debian/apparmor.install:
    - install apparmorfs, dovecot, kernelvars, securityfs, sys,
      and xdg-user-dirs tunables and xdg-user-dirs.d directory
  * debian/apparmor.dirs:
    - install /etc/apparmor.d/tunables/xdg-user-dirs.d
  * debian/rules: delete upstream-provided xdg-user-dirs.d/site.local
  * debian/apparmor.postinst: create xdg-user-dirs.d/site.local
  * debian/apparmor.postrm: remove xdg-user-dirs.d
  * Remaining patches:
    - add-chromium-browser.patch
    - add-debian-integration-to-lighttpd.patch
    - ubuntu-manpage-updates.patch
    - libapparmor-layout-deb.patch
    - libapparmor-mention-dbus-method-in-getcon-man.patch
    - etc-writable.patch
    - aa-utils_are_bilingual.patch
  * New patches:
    - convert-to-rules.patch
    - list-fns.patch
    - parse-mode.patch
    - add-decimal-interp.patch
    - policy_mediates.patch
    - fix-failpath.patch
    - feature_file.patch
    - fix-network.patch
    - aare-to-class.patch
    - add-mediation-unix.patch
    - parser_version.patch
    - caching.patch
    - label-class.patch
    - fix-lexer-debug.patch
    - use-diff-encode.patch
    - fix-serialize.patch
    - fix-ppc-endian-ftbfs.patch
    - opt_arg.patch
    - tests-cond-dbus.patch
  * Move manpages from libapparmor1 to libapparmor-dev
    - debian/libapparmor-dev.manpages: install aa_change_hat.2,
      aa_change_profile.2, aa_find_mountpoint.2, aa_getcon.2
    - debian/control: libapparmor-dev Replaces: and Breaks: libapparmor1
  * Move /usr/lib/python3/dist-packages/apparmor/__init__.py from
    apparmor-eas...


Changed in apparmor (Ubuntu):
status: Triaged → Fix Released