Here's a patch to fix this for trusty.

** Patch added: "php5-Zend_semaphore-lp1401084.patch"
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1401084/+attachment/4399530/+files/php5-Zend_semaphore-lp1401084.patch
** Description changed:

+ [impact]
+
+ This bug prevents the proper functioning of apache mod_php with
+ mod_apparmor.
+
+ [steps to reproduce]
+
+ 1) setuo apache and mod_php, verify php scripts are working
+ 2) stop apache2
+ 3) install mod_apparmor
+ 4) restart apache2
+ 5) with fix applied, apache should not generate rejections for /tmp/.ZendSem.*
+ for php scripts confined by mod_apparmor
+
+ [regression potential]
+
+ The change to the php abstraction in the patch for this bug is a
+ slight loosening of the apparmor policy. The risk of an introduced
+ regression is small.
+
+ [original description]
+
  I am using apache mod_apparmor with a wordpress blog. In my rules I have:

  #include <abstractions/php5>

  But this did not allow all access that was needed:

  apparmor="DENIED" operation="file_lock" profile="/usr/sbin/apache2//myvhost.example.com" name="/tmp/.ZendSem.Y5Ghmr" pid=21874 comm="apache2" requested_mask="k" denied_mask="k" fsuid=33 ouid=0
  apparmor="DENIED" operation="file_lock" profile="/usr/sbin/apache2//myvhost.example.com" name="/tmp/.ZendSem.Y5Ghmr" pid=21874 comm="apache2" requested_mask="wk" denied_mask="wk" fsuid=33 ouid=0

  This access seems to be needed by opcache module, I found some info about it here:
  https://lists.ubuntu.com/archives/apparmor/2014-June/005879.html

  Ubuntu 14.04.1
  apparmor 2.8.95~2430-0ubuntu5.1

https://bugs.launchpad.net/bugs/1401084

Title:
  Missing rules in php5 abstraction

Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  [impact]

  This bug prevents the proper functioning of apache mod_php with
  mod_apparmor.
  [steps to reproduce]

  1) set up apache and mod_php, verify php scripts are working
  2) stop apache2
  3) install mod_apparmor
  4) restart apache2
  5) with fix applied, apache should not generate rejections for /tmp/.ZendSem.*
     for php scripts confined by mod_apparmor

  [regression potential]

  The change to the php abstraction in the patch for this bug is a
  slight loosening of the apparmor policy. The risk of an introduced
  regression is small.

  [original description]

  I am using apache mod_apparmor with a wordpress blog. In my rules I have:

  #include <abstractions/php5>

  But this did not allow all access that was needed:

  apparmor="DENIED" operation="file_lock" profile="/usr/sbin/apache2//myvhost.example.com" name="/tmp/.ZendSem.Y5Ghmr" pid=21874 comm="apache2" requested_mask="k" denied_mask="k" fsuid=33 ouid=0
  apparmor="DENIED" operation="file_lock" profile="/usr/sbin/apache2//myvhost.example.com" name="/tmp/.ZendSem.Y5Ghmr" pid=21874 comm="apache2" requested_mask="wk" denied_mask="wk" fsuid=33 ouid=0

  This access seems to be needed by opcache module, I found some info about it here:
  https://lists.ubuntu.com/archives/apparmor/2014-June/005879.html

  Ubuntu 14.04.1
  apparmor 2.8.95~2430-0ubuntu5.1

Mailing list: https://launchpad.net/~touch-packages
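Review bot: step 5 of the added [steps to reproduce] only states the expected result with the fix applied; nothing in steps 1-4 says how to trigger the lock or where the denial shows up beforehand, so a verifier cannot confirm the bug was reproduced before testing the fix. Suggest adding a step that requests a PHP script from a vhost confined by mod_apparmor and checks the log for the `operation="file_lock"` denial on `/tmp/.ZendSem.*` quoted in the original description. The added [regression potential] calls the change "a slight loosening" without naming what is loosened; state the path pattern and permissions being granted (the quoted denials show masks `k` and `wk`) so the risk can be judged from the description alone.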

