Bug#919242: fails to start with apparmor enabled

Hendrik Jaeger Sat, 01 May 2021 02:09:18 -0700

Hi

I run into a similar problem running quassel-core with the provided
init-script as a system service.
Excerpts from the audit.log are attached.


The problem is first that the ssl keyfile in /etc/ssl/private/ can not
be read. After adding this line to
/etc/apparmor.d/local/usr.bin.quasselcore
a number of other files are becoming the issue.
Also the process cannot be handled by the init-script anymore because
it’s not allowed to receive signals, it seems.
I added the following lines the local apparmor profile before giving up:
/usr/bin/quasselcore {
  #include <abstractions/qt5>

  /etc/ssl/private/quassel.example.org.key r,
  /lib/i386-linux-gnu/libdl-2.28.so rm,
  /lib/i386-linux-gnu/libz.so.1.2.11 rm,
  signal (receive),
}

I then decided to just disable the apparmor profile.

This profile is provided by the apparmor package, so I’m adding onto
this package.

As it seems to make the package unusable (or maybe just with sysvinit?)
this is IMHO not wishlist but at least serious.

Is this possibly related to and fixed by #940482?

Thanks!

Hendrik

type=AVC msg=audit(1619561765.074:5182): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/etc/ssl/private/quassel.example.org.key" pid=1006 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
type=AVC msg=audit(1619561787.225:5188): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/quasselcore" pid=1111 comm="apparmor_parser"
type=AVC msg=audit(1619561792.697:5191): apparmor="DENIED" operation="signal" profile="/usr/bin/quasselcore" pid=1149 comm="start-stop-daem" requested_mask="receive" denied_mask="receive" signal=term peer="unconfined"
type=AVC msg=audit(1619561792.729:5192): apparmor="DENIED" operation="signal" profile="/usr/bin/quasselcore" pid=1173 comm="start-stop-daem" requested_mask="receive" denied_mask="receive" signal=exists peer="unconfined"
type=AVC msg=audit(1619561863.707:5203): apparmor="DENIED" operation="signal" profile="/usr/bin/quasselcore" pid=1419 comm="start-stop-daem" requested_mask="receive" denied_mask="receive" signal=term peer="unconfined"
type=AVC msg=audit(1619561863.735:5204): apparmor="DENIED" operation="signal" profile="/usr/bin/quasselcore" pid=1444 comm="start-stop-daem" requested_mask="receive" denied_mask="receive" signal=exists peer="unconfined"
type=AVC msg=audit(1619561878.338:5206): apparmor="DENIED" operation="signal" profile="/usr/bin/quasselcore" pid=17822 comm="zsh" requested_mask="receive" denied_mask="receive" signal=term peer="unconfined"
type=AVC msg=audit(1619561889.466:5207): apparmor="DENIED" operation="signal" profile="/usr/bin/quasselcore" pid=1574 comm="start-stop-daem" requested_mask="receive" denied_mask="receive" signal=term peer="unconfined"
type=AVC msg=audit(1619561899.978:5209): apparmor="DENIED" operation="signal" profile="/usr/bin/quasselcore" pid=17822 comm="zsh" requested_mask="receive" denied_mask="receive" signal=term peer="unconfined"
type=AVC msg=audit(1619561979.279:5216): apparmor="DENIED" operation="signal" profile="/usr/bin/quasselcore" pid=17822 comm="zsh" requested_mask="receive" denied_mask="receive" signal=term peer="unconfined"
type=AVC msg=audit(1619562153.658:5235): apparmor="DENIED" operation="signal" profile="/usr/bin/quasselcore" pid=2364 comm="start-stop-daem" requested_mask="receive" denied_mask="receive" signal=term peer="unconfined"
type=AVC msg=audit(1619562190.033:5241): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/quasselcore" pid=2568 comm="apparmor_parser"
type=AVC msg=audit(1619562193.076:5245): apparmor="DENIED" operation="mknod" profile="/usr/bin/quasselcore" name="/var/lib/quassel/quassel-storage.sqlite-journal" pid=1006 comm="quasselcore" requested_mask="c" denied_mask="c" fsuid=103 ouid=103
type=AVC msg=audit(1619562193.116:5246): apparmor="DENIED" operation="mknod" profile="/usr/bin/quasselcore" name="/var/lib/quassel/quassel-storage.sqlite-journal" pid=1006 comm="QThread" requested_mask="c" denied_mask="c" fsuid=103 ouid=103
type=AVC msg=audit(1619562193.120:5247): apparmor="DENIED" operation="mknod" profile="/usr/bin/quasselcore" name="/var/lib/quassel/quassel-storage.sqlite-journal" pid=1006 comm="QThread" requested_mask="c" denied_mask="c" fsuid=103 ouid=103
type=AVC msg=audit(1619562193.120:5248): apparmor="DENIED" operation="mknod" profile="/usr/bin/quasselcore" name="/var/lib/quassel/quassel-storage.sqlite-journal" pid=1006 comm="QThread" requested_mask="c" denied_mask="c" fsuid=103 ouid=103
type=AVC msg=audit(1619562193.124:5249): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/proc/sys/vm/overcommit_memory" pid=1006 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
type=AVC msg=audit(1619562193.124:5250): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/sys/devices/system/cpu/online" pid=1006 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
type=AVC msg=audit(1619562193.124:5251): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/proc/stat" pid=1006 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
type=AVC msg=audit(1619562193.124:5252): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/proc/cpuinfo" pid=1006 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
type=AVC msg=audit(1619562193.168:5253): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/etc/ld.so.cache" pid=2656 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
type=AVC msg=audit(1619562193.168:5254): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/usr/lib/i386-linux-gnu/libQt5Network.so.5.11.3" pid=2656 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
type=AVC msg=audit(1619562206.408:5255): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/etc/ld.so.cache" pid=2774 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
type=AVC msg=audit(1619562206.408:5256): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/usr/lib/i386-linux-gnu/libQt5Network.so.5.11.3" pid=2774 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
type=AVC msg=audit(1619784848.745:46372): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/etc/ld.so.cache" pid=26100 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
type=AVC msg=audit(1619784848.745:46373): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/usr/lib/i386-linux-gnu/libQt5Network.so.5.11.3" pid=26100 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
type=AVC msg=audit(1619784950.830:46396): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/quasselcore" pid=26550 comm="apparmor_parser"
type=AVC msg=audit(1619784953.270:46399): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/etc/ld.so.cache" pid=26605 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
type=AVC msg=audit(1619784953.282:46400): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/quasselcore" name="/usr/lib/i386-linux-gnu/libQt5Network.so.5.11.3" pid=26605 comm="quasselcore" requested_mask="m" denied_mask="m" fsuid=103 ouid=0
type=AVC msg=audit(1619784966.490:46406): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/quasselcore" pid=26717 comm="apparmor_parser"
type=AVC msg=audit(1619784968.714:46409): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/etc/ld.so.cache" pid=26777 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
type=AVC msg=audit(1619784968.946:46410): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/lib/i386-linux-gnu/libdl-2.28.so" pid=26777 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
type=AVC msg=audit(1619784995.397:46416): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/quasselcore" pid=26905 comm="apparmor_parser"
type=AVC msg=audit(1619784996.993:46419): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/etc/ld.so.cache" pid=26960 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
type=AVC msg=audit(1619784996.993:46420): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/lib/i386-linux-gnu/libz.so.1.2.11" pid=26960 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
type=AVC msg=audit(1619785011.516:46427): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/quasselcore" pid=27047 comm="apparmor_parser"
type=AVC msg=audit(1619785012.876:46430): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/etc/ld.so.cache" pid=27102 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
type=AVC msg=audit(1619785012.876:46431): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/usr/lib/i386-linux-gnu/libQt5Script.so.5.11.3" pid=27102 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
type=AVC msg=audit(1619785027.496:46443): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/quasselcore" pid=27181 comm="apparmor_parser"
type=AVC msg=audit(1619785029.228:46446): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/etc/ld.so.cache" pid=27235 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
type=AVC msg=audit(1619785029.248:46447): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/usr/lib/i386-linux-gnu/libQt5Sql.so.5.11.3" pid=27235 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
type=AVC msg=audit(1619785127.765:46465): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/etc/ld.so.cache" pid=27610 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
type=AVC msg=audit(1619785127.765:46466): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/usr/lib/i386-linux-gnu/libQt5Sql.so.5.11.3" pid=27610 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=103 ouid=0

pgpT4SLCU0FQo.pgp
Description: OpenPGP digital signature

Bug#919242: fails to start with apparmor enabled

Reply via email to