lighttpd profile does not work

Bug #582814 reported by Teka
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Low
Jamie Strandboge

Bug Description

Binary package hint: apparmor

Binary package hint: apparmor-profiles

The apparmor profile for lighttpd provided by the apparmor-profiles package does not work out-of-the-box.

Looking over syslog, it appears there are seven types of audit entries (one of each follows):
  operation="exec" profile="/usr/sbin/lighttpd" requested_mask="x::" denied_mask="x::" fsuid=0 ouid=0 name="/usr/share/lighttpd/create-mime.assign.pl"
  operation="exec" profile="/usr/sbin/lighttpd" requested_mask="x::" denied_mask="x::" fsuid=0 ouid=0 name="/usr/share/lighttpd/include-conf-enabled.pl"
  operation="mknod" profile="/usr/sbin/lighttpd" requested_mask="c::" denied_mask="c::" fsuid=33 ouid=33 name="/tmp/php.socket-0"
  operation="open" profile="/usr/sbin/lighttpd" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/etc/lighttpd/conf-enabled/"
  operation="open" profile="/usr/sbin/lighttpd" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/etc/mime.types"
  operation="open" profile="/usr/sbin/lighttpd" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/usr/share/lighttpd/create-mime.assign.pl"
  operation="open" profile="/usr/sbin/lighttpd" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/usr/share/lighttpd/include-conf-enabled.pl"
  operation="open" profile="/usr/sbin/lighttpd" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/usr/share/perl/5.10.1/strict.pm"

In order to fix this, i add theses line in usr.sbin.lighttpd:
# Perl script of configuration
   #include <abstractions/perl>
   /usr/share/lighttpd r,
   /usr/share/lighttpd/*.pl rmix,

# Support PHP5 with FastCGI
   #include <abstractions/php5>
   /tmp/php.socket* w,

# Require mimes
   /etc/mime.types r,

# Configuration
   /etc/lighttpd/conf-*/ r,
   /etc/lighttpd/conf-*/*.conf r,

Related branches

Changed in apparmor (Ubuntu):
status: New → Triaged
Kees Cook (kees)
Changed in apparmor (Ubuntu):
importance: Undecided → Medium
Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Medium → Low
status: Triaged → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.6.1-0ubuntu3

---------------
apparmor (2.6.1-0ubuntu3) natty; urgency=low

  * debian/patches/0003-add-debian-integration-to-lighttpd.patch: updates for
    lighttpd example profile to work in Debian/Ubuntu (LP: #582814)
  * debian/patches/0004-lp754889.patch: add several image viewers to
    ubuntu-browsers.d/multimedia abstraction (LP: #754889)
  * debian/patches/0005-lp761217.patch: abstractions/private-files updates for
    zsh and several other shells (LP: #761217)
  * debian/patches/0001-add-chromium-browser.patch: fixes for multiarch and
    crash reporter (LP: #764786)
 -- Jamie Strandboge <email address hidden> Mon, 18 Apr 2011 09:23:50 -0500

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers