lighttpd profile does not work

Bug #582814 reported by Teka
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Fix Released
Low
Jamie Strandboge

Bug Description

Binary package hint: apparmor

Binary package hint: apparmor-profiles

The apparmor profile for lighttpd provided by the apparmor-profiles package does not work out-of-the-box.

Looking over syslog, it appears there are seven types of audit entries (one of each follows):
  operation="exec" profile="/usr/sbin/lighttpd" requested_mask="x::" denied_mask="x::" fsuid=0 ouid=0 name="/usr/share/lighttpd/create-mime.assign.pl"
  operation="exec" profile="/usr/sbin/lighttpd" requested_mask="x::" denied_mask="x::" fsuid=0 ouid=0 name="/usr/share/lighttpd/include-conf-enabled.pl"
  operation="mknod" profile="/usr/sbin/lighttpd" requested_mask="c::" denied_mask="c::" fsuid=33 ouid=33 name="/tmp/php.socket-0"
  operation="open" profile="/usr/sbin/lighttpd" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/etc/lighttpd/conf-enabled/"
  operation="open" profile="/usr/sbin/lighttpd" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/etc/mime.types"
  operation="open" profile="/usr/sbin/lighttpd" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/usr/share/lighttpd/create-mime.assign.pl"
  operation="open" profile="/usr/sbin/lighttpd" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/usr/share/lighttpd/include-conf-enabled.pl"
  operation="open" profile="/usr/sbin/lighttpd" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/usr/share/perl/5.10.1/strict.pm"

In order to fix this, i add theses line in usr.sbin.lighttpd:
# Perl script of configuration
   #include <abstractions/perl>
   /usr/share/lighttpd r,
   /usr/share/lighttpd/*.pl rmix,

# Support PHP5 with FastCGI
   #include <abstractions/php5>
   /tmp/php.socket* w,

# Require mimes
   /etc/mime.types r,

# Configuration
   /etc/lighttpd/conf-*/ r,
   /etc/lighttpd/conf-*/*.conf r,

Related branches

Changed in apparmor (Ubuntu):
status: New → Triaged
Kees Cook (kees)
Changed in apparmor (Ubuntu):
importance: Undecided → Medium
Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Medium → Low
status: Triaged → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.6.1-0ubuntu3

---------------
apparmor (2.6.1-0ubuntu3) natty; urgency=low

  * debian/patches/0003-add-debian-integration-to-lighttpd.patch: updates for
    lighttpd example profile to work in Debian/Ubuntu (LP: #582814)
  * debian/patches/0004-lp754889.patch: add several image viewers to
    ubuntu-browsers.d/multimedia abstraction (LP: #754889)
  * debian/patches/0005-lp761217.patch: abstractions/private-files updates for
    zsh and several other shells (LP: #761217)
  * debian/patches/0001-add-chromium-browser.patch: fixes for multiarch and
    crash reporter (LP: #764786)
 -- Jamie Strandboge <email address hidden> Mon, 18 Apr 2011 09:23:50 -0500

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.