apparmor DENIED errors
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| squid (Ubuntu) | Fix Released | Low | Andreas Hasenack | |
Bug Description
When the squid apparmor profile is enabled, two types of apparmor errors appear in the kernel logs:
audit: type=1400 audit(153726531
and
audit: type=1400 audit(153759645
These can be resolved via these changes to the apparmor profile:
diff --git a/debian/
index 07a9642ab.
--- a/debian/
+++ b/debian/
@@ -3,7 +3,7 @@
# vim:syntax=apparmor
#include <tunables/global>
-/usr/sbin/squid {
+/usr/sbin/squid flags=(
#include <abstractions/base>
#include <abstractions/
#include <abstractions/
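Review bot: the new profile header `+/usr/sbin/squid flags=(` turns on a profile-wide flag, but nothing in the hunk says which of the two reported denials it is meant to resolve. Add a one-line comment above the header naming the denied operation, so the flag can be re-evaluated later. A flag on the header applies to every rule in the profile, so it deserves the same justification as a new rule.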
@@ -18,6 +18,7 @@
# alternatively include the <abstractions/
# gives read access to the entire contents of /etc/ssl
+ capability net_admin,
capability net_raw,
capability setuid,
capability setgid,
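Review bot: `capability net_admin,` is added next to `net_raw`, `setuid` and `setgid` without a comment explaining what squid needs it for, and net_admin is one of the broader capabilities (it covers interface, routing and firewall configuration). State in a comment which squid operation triggers the denial. If that operation is not required for normal proxying, consider `deny capability net_admin,` to silence the log entry instead of granting the capability.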
Related branches
- Robie Basak: Approve
- Canonical Server: Pending requested
Diff: 461 lines (+336/-5), 11 files modified
debian/changelog (+123/-0)
debian/control (+5/-3)
debian/patches/90-cf.data.ubuntu.patch (+16/-0)
debian/patches/99-ubuntu-ssl-cert-snakeoil.patch (+22/-0)
debian/patches/fix-rotate-assertion.patch (+26/-0)
debian/patches/fix-uninitialized-var.patch (+25/-0)
debian/patches/series (+4/-0)
debian/rules (+11/-2)
debian/squid.install (+3/-0)
debian/squid.preinst (+15/-0)
debian/usr.sbin.squid (+86/-0)
Changed in squid (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
status: Triaged → In Progress
Brief IRC conversation about these changes, from https://irclogs.ubuntu.com/2018/10/04/%23ubuntu-devel.html#t18:22:
out 04 15:22:27 <ahasenack> infinity: apply this to /etc/apparmor.d/usr.sbin.squid: https://pastebin.ubuntu.com/p/R6Z84ZdsfP/
out 04 15:22:41 <ahasenack> then issue sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.squid
out 04 15:22:52 <ahasenack> jdstrand: looks ok? ^
(...)
out 04 15:27:28 <jdstrand> ahasenack: lgtm
out 04 15:27:33 <ahasenack> jdstrand: thx
Mentioned pastebin is:
--- etc/apparmor.
+++ etc/apparmor.
@@ -3,7 +3,7 @@
# vim:syntax=apparmor
#include <tunables/global>
-/usr/sbin/squid { attach_ disconnected) { kerberosclient> nameservice> ssl_keys> abstraction, which
+/usr/sbin/squid flags=(
#include <abstractions/base>
#include <abstractions/
#include <abstractions/
@@ -18,6 +18,7 @@
# alternatively include the <abstractions/
# gives read access to the entire contents of /etc/ssl
+ capability net_admin,
capability net_raw,
capability setuid,
capability setgid,
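Review bot: in this hunk the added `capability net_admin,` line comes straight after the comment ending `# gives read access to the entire contents of /etc/ssl`, so that comment now reads as if it described the capability rule. Separate the two with a blank line, or put the capability rules under their own comment.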