Bug#955479: apparmor fixes for xline_db and geoip
Hi There

On Fri, 2021-01-22 at 05:20 +0900, Marc Dequènes (duck) wrote:
> Quack,
>
> On 2021-01-17 02:20, Filippo Giunchedi wrote:
> > On Wed, Apr 01, 2020 at 07:03 PM, Marc Dequènes wrote:
> > > I added this line to the apparmor policy:
> > > /usr/share/GeoIP/GeoIP.dat r,
> > >
> > > Btw the package could also Suggest geoip-database needed for this
> > > module.
> >
> > Thank you for the report, I'm not an apparmor expert but I'm happy to
> > include support in the package (at
> > https://salsa.debian.org/debian/inspircd)
> >
> > Suggesting 'geoip-database' is a good idea, I'll add that!
>
> […]
>
> Another suggestion: to allow admins to add little fixes or adaptations
> to the apparmor policy I saw that several packages include a file in
> /etc/apparmor.d/local/ (chronyd for eg), which is ignored if the file is
> missing, very practical. For Inspircd that would give (at the end of the
> rules but inside the brackets):
> #include

This Bug hit me too for using the permchannel module.
It would really really help us, if at least the #include would make it to the next debian release.

greeting and thanks
Björn Lässig
Bug#955479: apparmor fixes for xline_db and geoip
Quack,

On 2021-01-17 02:20, Filippo Giunchedi wrote:
> On Wed, Apr 01, 2020 at 07:03 PM, Marc Dequènes wrote:
> > I added this line to the apparmor policy:
> > /usr/share/GeoIP/GeoIP.dat r,
> >
> > Btw the package could also Suggest geoip-database needed for this module.
>
> Thank you for the report, I'm not an apparmor expert but I'm happy to
> include support in the package (at
> https://salsa.debian.org/debian/inspircd)
>
> Suggesting 'geoip-database' is a good idea, I'll add that!

So that works for Inspircd v2. Not sure that's of much value now since the release is close.

v3 now uses the GeoLite2 DB and that's not available without registration IIUC. But for people OK to register there is the geoipupdate package that can use a token to download it. I have no idea where it stores the files but it should not be difficult to get this information. Then you can simply update the path in the apparmor profile.

Another suggestion: to allow admins to add little fixes or adaptations to the apparmor policy I saw that several packages include a file in /etc/apparmor.d/local/ (chronyd for eg), which is ignored if the file is missing, very practical. For Inspircd that would give (at the end of the rules but inside the brackets):
#include

Hope that helps.
\_o<

--
Marc Dequènes
Bug#955479: apparmor fixes for xline_db and geoip
On Wed, Apr 01, 2020 at 07:03 PM, Marc Dequènes wrote:
> I added this line to the apparmor policy:
> /usr/share/GeoIP/GeoIP.dat r,
>
> Btw the package could also Suggest geoip-database needed for this module.

Thank you for the report, I'm not an apparmor expert but I'm happy to include support in the package (at https://salsa.debian.org/debian/inspircd)

Suggesting 'geoip-database' is a good idea, I'll add that!
Bug#955479: apparmor fixes for xline_db and geoip
Package: inspircd
Version: 2.0.27-1
Severity: normal

Quack,

If you use the xline_db module and try to list or add lines you end up with the following error:

Wed Apr 1 11:01:50 2020: ANNOUNCEMENT: database: cannot create new db: Permission denied (13)

Indeed inspircd is not allowed to create a new database (which is then renamed to the previous file, see src/modules/m_xline_db.cpp):

type=AVC msg=audit(1585731820.176:604602): apparmor="DENIED" operation="mknod" profile="/usr/sbin/inspircd" name="/etc/inspircd/xline.db.new" pid=28308 comm="inspircd" requested_mask="c" denied_mask="c" fsuid=39 ouid=39

I guess it would be even better to create such files in /var/lib/inspircd but the package does not provide it. I nevertheless did the change myself and added this line to the apparmor policy:

/var/lib/inspircd/* rw,

Similar problem when trying to use the geoip module:

Apr 01 11:28:40 Jinta inspircd[7048]: Error Opening file /usr/share/GeoIP/GeoIP.dat
Apr 01 11:28:40 Jinta inspircd[7048]: [*] Unable to initialize m_geoip.so: Unable to initialize geoip, are you missing GeoIP.dat?

and:

type=AVC msg=audit(1585733319.998:605041): apparmor="DENIED" operation="open" profile="/usr/sbin/inspircd" name="/usr/share/GeoIP/GeoIP.dat" pid=7048 comm="inspircd" requested_mask="r" denied_mask="r" fsuid=39 ouid=0

I added this line to the apparmor policy:

/usr/share/GeoIP/GeoIP.dat r,

Btw the package could also Suggest geoip-database needed for this module.

Regards.
\_o<

--
Marc Dequènes
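
Added example (not part of the original report or of the inspircd package): a Python sketch that parses AppArmor DENIED audit records such as the two quoted in the report above and derives the narrowest file rule per path, to be reviewed before anything is added to the profile. It generalises to any number of records; the function names and the mask-to-permission table are this example's own, and the sample log is copied from the report.

```python
import re
from collections import defaultdict

# Audit records copied from the bug report above.
SAMPLE_LOG = '''\
type=AVC msg=audit(1585731820.176:604602): apparmor="DENIED" operation="mknod" profile="/usr/sbin/inspircd" name="/etc/inspircd/xline.db.new" pid=28308 comm="inspircd" requested_mask="c" denied_mask="c" fsuid=39 ouid=39
type=AVC msg=audit(1585733319.998:605041): apparmor="DENIED" operation="open" profile="/usr/sbin/inspircd" name="/usr/share/GeoIP/GeoIP.dat" pid=7048 comm="inspircd" requested_mask="r" denied_mask="r" fsuid=39 ouid=0
'''

# key="quoted value" or key=bare_value
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log mask letter -> file rule permission; create (c) and delete (d)
# are both covered by "w" in a profile rule.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w",
                "d": "w", "k": "k", "l": "l", "m": "m"}
PERM_ORDER = "rwaklm"

def parse_denials(log_text):
    """Yield (profile, path, denied_mask) for each file denial record."""
    for line in log_text.splitlines():
        fields = {k: quoted or bare for k, quoted, bare in PAIR.findall(line)}
        if fields.get("apparmor") != "DENIED" or "profile" not in fields:
            continue
        path = fields.get("name", "")
        if not path.startswith("/"):
            continue  # non-file denial, or a hex-encoded name: handle by hand
        yield fields["profile"], path, fields.get("denied_mask", "")

def suggest_rules(log_text):
    """Return {profile: [rule, ...]} with permissions merged per exact path."""
    perms = defaultdict(set)
    for profile, path, mask in parse_denials(log_text):
        perms[(profile, path)].update(
            MASK_TO_PERM[c] for c in mask if c in MASK_TO_PERM)
    rules = defaultdict(list)
    for (profile, path), granted in sorted(perms.items()):
        if "w" in granted:
            granted.discard("a")  # "w" and "a" cannot share one rule
        if granted:
            mode = "".join(c for c in PERM_ORDER if c in granted)
            rules[profile].append(f"{path} {mode},")
    return dict(rules)

if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(f"# candidate rules for profile {profile}")
        print("\n".join(f"  {rule}" for rule in lines))
```

The script only proposes exact-path rules from what was denied; whether to grant them, or to move the file elsewhere as the report does with /var/lib/inspircd, remains a review decision.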