Bug#909523: [pkg-apparmor] Bug#909523: cachefilesd broken by apparmor
Control: tag -1 - moreinfo
Control: retitle -1 Default configuration is incompatible with a non-SELinux active LSM
Control: severity -1 important

Anthony DeRobertis:
> Seems your hypothesis is correct.
> [...]
> I then went ahead and edited cachefilesd.conf and commented out the
> secctx line. After that, cachefilesd started successfully.

Thanks for the quick turnaround!

Dear cachefilesd maintainers, see my previous message for the course of
action I recommend: AppArmor is much more used on Debian than SELinux
and will likely be enabled by default on Buster, so shipping a default
configuration that breaks when a non-SELinux LSM is enabled will
provide a pretty bad user experience (and will likely become RC at some
point).

Cheers,
-- 
intrigeri
Bug#909523: [pkg-apparmor] Bug#909523: cachefilesd broken by apparmor
On Sun, Oct 21, 2018 at 10:24:46AM +0200, intrigeri wrote:
>
> Can you please retry with AppArmor enabled, after commenting out the
> "secctx" directive in /etc/cachefilesd.conf? If this works, then my
> hypothesis will be confirmed and my recommendation will be:

Seems your hypothesis is correct.

I rebooted and removed apparmor=0 from the kernel command line, thus
re-enabling AppArmor. Cachefilesd failed again (as expected).

I then went ahead and edited cachefilesd.conf and commented out the
secctx line. After that, cachefilesd started successfully.
Bug#909523: [pkg-apparmor] Bug#909523: cachefilesd broken by apparmor
Control: user pkg-apparmor-t...@lists.alioth.debian.org
Control: usertags -1 help-needed
Control: tag -1 + moreinfo

Hi,

Anthony DeRobertis:
> I rebooted after enabling Apparmor, and cachefilesd wouldn't start:
>
> Sep 24 13:53:17 Zia cachefilesd[1105]: About to bind cache
> Sep 24 13:53:17 Zia kernel: CacheFiles: Security denies permission to nominate security context: error -2
> Sep 24 13:53:17 Zia cachefilesd[1105]: CacheFiles bind failed: errno 2 (No such file or directory)
> Sep 24 13:53:17 Zia cachefilesd[1052]: Starting FilesCache daemon : cachefilesd failed!
> Sep 24 13:53:17 Zia systemd[1]: cachefilesd.service: Control process exited, code=exited status=1
> Sep 24 13:53:17 Zia systemd[1]: cachefilesd.service: Failed with result 'exit-code'.
> Sep 24 13:53:17 Zia systemd[1]: Failed to start LSB: CacheFiles daemon.
>
> Rebooting with apparmor=0 on the kernel command line makes it work
> again.

Wow, interesting! cachefilesd does not come with an AppArmor profile
and at first glance I had no idea how enabling AppArmor could possibly
affect cachefilesd. Still, I acknowledge that your test results
demonstrate that it does, so I took a closer look.

The failing code is:
https://sources.debian.org/src/cachefilesd/0.10.10-0.1/cachefilesd.c/#L557

In this context, cachefd is a FD for /dev/cachefiles.

And indeed, the error message comes from the cachefiles kernel module:
https://sources.debian.org/src/linux/4.18.10-2/fs/cachefiles/security.c/?hl=37#L37

Note that cachefilesd.conf(5) reads:

  "Furthermore, this will tell the kernel module the security context
  it should use when accessing the cache (SELinux is assumed to be the
  LSM in this example)"

and /etc/cachefilesd.conf has a secctx directive whose parameter is
clearly SELinux-specific and has no chance to work when AppArmor is
the active LSM.

So my current hypothesis is that the default configuration assumes
that there is either no active LSM (fine on Stretch or when disabling
AppArmor on testing/sid) or SELinux is the active LSM (which is a rare
configuration on Debian). This assumption is flawed in a Debian
context.

Can you please retry with AppArmor enabled, after commenting out the
"secctx" directive in /etc/cachefilesd.conf? If this works, then my
hypothesis will be confirmed and my recommendation will be:

 - The default /etc/cachefilesd.conf shipped by the package should
   *not* enable that directive.

 - Ideally, README.Debian or a comment in cachefilesd.conf would
   suggest that SELinux users enable that directive.

 - In the long term, once AppArmor supports labeling, then plausibly
   secctx can be re-enabled, with a value that works with AppArmor
   (probably not "system_u:system_r:cachefiles_kernel_t:s0").

Cheers,
-- 
intrigeri
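As an added example, not part of this bug thread and not code from the cachefilesd package: a small POSIX shell check an administrator can run on the affected host to report whether /etc/cachefilesd.conf still carries an uncommented secctx directive while SELinux is not among the active LSMs, which is the mismatch described above. It assumes securityfs is mounted so that the kernel lists the active LSMs, comma separated, in /sys/kernel/security/lsm; the function names and verdict strings are my own, and the file paths are parameters so the check can be exercised on constructed inputs.

```shell
#!/bin/sh
# Added example, not from the bug report or the cachefilesd package:
# report whether a cachefilesd.conf carries an active "secctx" directive
# while SELinux is not an active LSM. Assumes securityfs is mounted, so
# /sys/kernel/security/lsm lists active LSMs as a comma-separated line.

# Print "selinux", "other" or "unknown" for the LSM list in the given file.
lsm_state() {
    lsm_file="$1"
    if [ ! -r "$lsm_file" ]; then
        echo unknown
        return 0
    fi
    if tr ',' '\n' < "$lsm_file" | grep -qx 'selinux'; then
        echo selinux
    else
        echo other
    fi
}

# Print the value of the first uncommented "secctx" directive in a
# cachefilesd.conf; print nothing and return 1 when there is none
# (a "#secctx ..." line is a comment and does not count).
secctx_value() {
    conf="$1"
    [ -r "$conf" ] || return 1
    val=$(awk '$1 == "secctx" { print $2; exit }' "$conf")
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# Combine both into one verdict: "no-secctx", "secctx-with-selinux",
# "secctx-without-selinux" or "secctx-unknown-lsm". Always returns 0
# so it is safe to call under "set -e".
check_cachefilesd_conf() {
    conf="$1"
    lsm_file="$2"
    ctx=$(secctx_value "$conf") || { echo no-secctx; return 0; }
    case $(lsm_state "$lsm_file") in
        selinux) echo secctx-with-selinux ;;
        other)   echo secctx-without-selinux ;;
        *)       echo secctx-unknown-lsm ;;
    esac
}

# Stand-alone run against the real system paths.
printf 'cachefilesd.conf check: %s\n' \
    "$(check_cachefilesd_conf /etc/cachefilesd.conf /sys/kernel/security/lsm)"
```

A verdict of secctx-without-selinux on a host where AppArmor is the active LSM matches the failure mode in this report (the kernel refusing the nominated security context at bind time); the fix discussed in the thread is to comment out that directive, after which the check reports no-secctx.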
Bug#909523: cachefilesd broken by apparmor
I can confirm both the issue and the workaround.

Online sources seem to indicate that one can write an AppArmor profile
for any daemon... I'm more than happy to contribute by testing and get
this one solved.

Kr,
Vincent
Bug#909523: cachefilesd broken by apparmor
Package: cachefilesd
Version: 0.10.10-0.1
Severity: important

Important since Apparmor is on by default now.

I rebooted after enabling Apparmor, and cachefilesd wouldn't start:

Sep 24 13:53:17 Zia cachefilesd[1105]: About to bind cache
Sep 24 13:53:17 Zia kernel: CacheFiles: Security denies permission to nominate security context: error -2
Sep 24 13:53:17 Zia cachefilesd[1105]: CacheFiles bind failed: errno 2 (No such file or directory)
Sep 24 13:53:17 Zia cachefilesd[1052]: Starting FilesCache daemon : cachefilesd failed!
Sep 24 13:53:17 Zia systemd[1]: cachefilesd.service: Control process exited, code=exited status=1
Sep 24 13:53:17 Zia systemd[1]: cachefilesd.service: Failed with result 'exit-code'.
Sep 24 13:53:17 Zia systemd[1]: Failed to start LSB: CacheFiles daemon.

Trying a few more times (after the system booted) also produced the
same error each time:

Sep 24 13:57:12 Zia systemd[1]: Starting LSB: CacheFiles daemon...
Sep 24 13:57:13 Zia cachefilesd[6213]: About to bind cache
Sep 24 13:57:13 Zia cachefilesd[6213]: CacheFiles bind failed: errno 2 (No such file or directory)
Sep 24 13:57:13 Zia kernel: CacheFiles: Security denies permission to nominate security context: error -2
Sep 24 13:57:13 Zia cachefilesd[6208]: Starting FilesCache daemon : cachefilesd failed!
Sep 24 13:57:13 Zia systemd[1]: cachefilesd.service: Control process exited, code=exited status=1
Sep 24 13:57:13 Zia systemd[1]: cachefilesd.service: Failed with result 'exit-code'.
Sep 24 13:57:13 Zia systemd[1]: Failed to start LSB: CacheFiles daemon.

Rebooting with apparmor=0 on the kernel command line makes it work
again.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'testing'), (200, 'unstable'), (150, 'stable'), (100, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en_GB (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages cachefilesd depends on:
ii  libc6  2.27-6

cachefilesd recommends no packages.

cachefilesd suggests no packages.

-- Configuration Files:
/etc/cachefilesd.conf changed [not included]
/etc/default/cachefilesd changed [not included]
/etc/init.d/cachefilesd changed [not included]
/etc/logcheck/ignore.d.workstation/cachefilesd [Errno 13] Permission denied: '/etc/logcheck/ignore.d.workstation/cachefilesd'

-- no debconf information