Package: ejabberd
Version: 17.08-3
Severity: normal
Tags: patch
Dear Maintainer,
I have discovered a number of DENIED messages produced by AppArmor, due to the
fact that I have the `usrmerge` package installed, and some additional rules
are missing:
```
type=AVC msg=audit(1512580362.337:361): apparmor="DENIED" operation="exec"
profile="/usr/sbin/ejabberdctl" name="/usr/bin/date" pid=4369
comm="ejabberdctl" requested_mask="x" denied_mask="x" fsuid=123 ouid=0
type=AVC msg=audit(1512580362.337:363): apparmor="DENIED" operation="exec"
profile="/usr/sbin/ejabberdctl" name="/usr/bin/sed" pid=4370 comm="ejabberdctl"
requested_mask="x" denied_mask="x" fsuid=123 ouid=0
type=AVC msg=audit(1512580362.341:371): apparmor="DENIED" operation="exec"
profile="/usr/sbin/ejabberdctl" name="/usr/bin/cat" pid=4376 comm="ejabberdctl"
requested_mask="x" denied_mask="x" fsuid=123 ouid=0
type=AVC msg=audit(1512580362.345:377): apparmor="DENIED" operation="exec"
profile="/usr/sbin/ejabberdctl" name="/usr/bin/dash" pid=4384 comm="erlexec"
requested_mask="x" denied_mask="x" fsuid=123 ouid=0
type=AVC msg=audit(1512580371.446:390): apparmor="DENIED" operation="exec"
profile="/usr/sbin/ejabberdctl" name="/usr/bin/sleep" pid=4433
comm="ejabberdctl" requested_mask="x" denied_mask="x" fsuid=123 ouid=0
type=AVC msg=audit(1512580380.670:414): apparmor="DENIED" operation="exec"
profile="/usr/sbin/ejabberdctl" name="/usr/bin/grep" pid=4502
comm="ejabberdctl" requested_mask="x" denied_mask="x" fsuid=123 ouid=0
type=AVC msg=audit(1512828616.371:196): apparmor="DENIED" operation="capable"
profile="/usr/sbin/ejabberdctl" pid=3595 comm="sed" capability=2
capname="dac_read_search"
type=SYSCALL msg=audit(1512828616.371:196): arch=c000003e syscall=2 success=yes
exit=3 a0=7ffcb9d94850 a1=0 a2=1b6 a3=0 items=0 ppid=3592 pid=3595 auid=1000
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3
comm="sed" exe="/usr/bin/sed" key=(null)
type=PROCTITLE msg=audit(1512828616.371:196):
proctitle=7365640002F5E6C6F675F726F746174655F636F756E742F21643B732F3A5B205C745D2A5C285B302D395D2A5C292E2A2F205C312F3B732F5E2F202F002F6574632F656A6162626572642F656A6162626572642E796D6C
(here proctitle= sed\x00/^log_rotate_count/!d;s/:[ \\t]*\\([0-9]*\\).*/
\\1/;s/^/ /\x00/etc/ejabberd/ejabberd.yml)
```
A patch is attached to fix these issues.
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.14.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages ejabberd depends on:
ii adduser 3.116
ii debconf [debconf-2.0] 1.5.65
ii erlang-asn1 1:20.1.7+dfsg-1
ii erlang-base [erlang-abi-17.0] 1:20.1.7+dfsg-1
ii erlang-crypto 1:20.1.7+dfsg-1
ii erlang-inets 1:20.1.7+dfsg-1
ii erlang-jiffy 0.14.11+dfsg-2
ii erlang-lager 3.5.2-1
ii erlang-mnesia 1:20.1.7+dfsg-1
ii erlang-odbc 1:20.1.7+dfsg-1
ii erlang-p1-cache-tab 1.0.12-1
ii erlang-p1-iconv 1.0.6-1
ii erlang-p1-stringprep 1.0.10-1
ii erlang-p1-tls 1.0.17-1
ii erlang-p1-utils 1.0.10-1
ii erlang-p1-xml 1.1.25-1
ii erlang-p1-xmpp 1.1.16-1
ii erlang-p1-yaml 1.0.12-1
ii erlang-p1-zlib 1.0.3-1
ii erlang-public-key 1:20.1.7+dfsg-1
ii erlang-ssl 1:20.1.7+dfsg-1
ii erlang-syntax-tools 1:20.1.7+dfsg-1
ii erlang-xmerl 1:20.1.7+dfsg-1
ii init-system-helpers 1.51
ii lsb-base 9.20170808
ii openssl 1.1.0g-2
ii ucf 3.0036
ejabberd recommends no packages.
Versions of packages ejabberd suggests:
ii apparmor 2.11.1-4
ii apparmor-utils 2.11.1-4
pn ejabberd-contrib <none>
pn erlang-luerl <none>
pn erlang-p1-mysql <none>
pn erlang-p1-oauth2 <none>
pn erlang-p1-pam <none>
pn erlang-p1-pgsql <none>
pn erlang-p1-sip <none>
pn erlang-p1-sqlite3 <none>
pn erlang-p1-stun <none>
pn erlang-redis-client <none>
ii imagemagick 8:6.9.7.4+dfsg-16
ii imagemagick-6.q16 [imagemagick] 8:6.9.7.4+dfsg-16
pn libunix-syslog-perl <none>
pn yamllint <none>
-- Configuration Files:
/etc/apparmor.d/usr.sbin.ejabberdctl changed [not included]
/etc/ejabberd/inetrc [Errno 13] Permission denied: '/etc/ejabberd/inetrc'
/etc/ejabberd/modules.d/README.modules [Errno 13] Permission denied:
'/etc/ejabberd/modules.d/README.modules'
-- debconf information excluded
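As an added example (not code from this report, from ejabberd or from Debian), the script below parses audit records in the format shown above, pairs each DENIED event with its PROCTITLE record by event id, and proposes rules in the `/{,usr/}bin/...` form the attached patch uses; the log records it carries are constructed to match the report's layout.

```python
# Added example (not ejabberd's or Debian's code): turn AppArmor DENIED audit
# records into candidate profile rules. Sample records below are constructed.
import re

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LOG = (  # two exec denials on merged-/usr paths, one capability denial + PROCTITLE
    'type=AVC msg=audit(1512580362.337:361): apparmor="DENIED" operation="exec" '
    'profile="/usr/sbin/ejabberdctl" name="/usr/bin/date" pid=4369 comm="ejabberdctl" '
    'requested_mask="x" denied_mask="x" fsuid=123 ouid=0\n'
    'type=AVC msg=audit(1512580362.345:377): apparmor="DENIED" operation="exec" '
    'profile="/usr/sbin/ejabberdctl" name="/usr/bin/dash" pid=4384 comm="erlexec" '
    'requested_mask="x" denied_mask="x" fsuid=123 ouid=0\n'
    'type=AVC msg=audit(1512828616.371:196): apparmor="DENIED" operation="capable" '
    'profile="/usr/sbin/ejabberdctl" pid=3595 comm="sed" capability=2 capname="dac_read_search"\n'
    'type=PROCTITLE msg=audit(1512828616.371:196): proctitle='
    '736564002D6E002F6574632F656A6162626572642F656A6162626572642E796D6C\n'
)

def parse_record(line):
    """Split one audit record into key/value pairs, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def decode_proctitle(hexstr):
    """PROCTITLE hex-encodes argv with NUL separators; recover the argument list."""
    return bytes.fromhex(hexstr).decode("utf-8", "replace").split("\x00")

def suggest_rule(rec):
    """One DENIED record -> one rule, using the patch's {,usr/} alternation for
    /bin vs /usr/bin, rmix for shells (as the existing bash/dash rules) and ix otherwise."""
    op = rec.get("operation")
    if op == "exec":
        m = re.fullmatch(r"/(?:usr/)?bin/([^/]+)", rec["name"])
        if m:
            mode = "rmix" if m.group(1) in ("bash", "dash", "sh") else "ix"
            return f"/{{,usr/}}bin/{m.group(1)} {mode},"
        return f"{rec['name']} ix,"
    if op == "capable":  # profile-wide: every ix child inherits the capability
        return f"capability {rec['capname']},"
    return f"# unhandled: operation={op} name={rec.get('name')}"

def suggest_rules(log):
    """Sorted unique (rule, argv) pairs per profile; argv comes from the PROCTITLE
    record sharing the event id, or is empty when the kernel logged none."""
    recs = [parse_record(l) for l in log.splitlines() if l.strip()]
    argv = {r["msg"]: decode_proctitle(r["proctitle"]) for r in recs if r.get("type") == "PROCTITLE"}
    out = {}
    for r in recs:
        if r.get("type") == "AVC" and r.get("apparmor") == "DENIED":
            out.setdefault(r["profile"], {})[suggest_rule(r)] = argv.get(r["msg"], [])
    return {p: sorted(rules.items()) for p, rules in out.items()}
```

The argv attached to the capability rule shows which command line triggered it, which is the information needed to decide whether a profile-wide capability is really warranted or whether a narrower file rule would do.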
diff --git a/debian/usr.sbin.ejabberdctl b/debian/usr.sbin.ejabberdctl
index 5971b3e..0a53e5f 100644
--- a/debian/usr.sbin.ejabberdctl
+++ b/debian/usr.sbin.ejabberdctl
@@ -7,17 +7,19 @@
capability net_bind_service,
capability dac_override,
+ capability dac_read_search, # for sed
- /bin/bash rmix,
- /bin/dash rmix,
- /bin/date ix,
- /bin/grep ix,
- /bin/ps ix,
- /bin/sed ix,
- /bin/sleep ix,
+ /{,usr/}bin/bash rmix,
+ /{,usr/}bin/cat ix,
+ /{,usr/}bin/dash rmix,
+ /{,usr/}bin/date ix,
+ /{,usr/}bin/grep ix,
+ /{,usr/}bin/ps ix,
+ /{,usr/}bin/sed ix,
+ /{,usr/}bin/sleep ix,
- /bin/su px ->
/usr/sbin/ejabberdctl//su,
+ /{,usr/}bin/su px ->
/usr/sbin/ejabberdctl//su,
profile su {
#include <abstractions/authentication>
#include <abstractions/base>
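Review bot: the new `capability dac_read_search, # for sed` line grants the capability to the whole /usr/sbin/ejabberdctl profile, not just to sed, and since cat, grep, date, sleep and the rest run under ix they all inherit it; the report's SYSCALL record for that event shows `success=yes exit=3` with uid=0, and the profile already carries `capability dac_override,` two lines above, so the open of /etc/ejabberd/ejabberd.yml went through without the new rule and the AVC line looks like audit noise rather than a failure. Suggest confirming that ejabberdctl actually misbehaves without it before widening the profile; if it is kept, move the justification to a comment line above the rule rather than a trailing `# for sed`. The `/{,usr/}bin/cat ix,` addition is justified by the `/usr/bin/cat` exec denial in the report, and the `{,usr/}` alternation on the other entries matches the remaining exec denials.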
@@ -32,9 +34,9 @@
@{PROC}/@{pid}/loginuid r,
@{PROC}/1/limits r,
- /bin/bash px ->
/usr/sbin/ejabberdctl,
- /bin/dash px ->
/usr/sbin/ejabberdctl,
- /bin/su rm,
+ /{,usr/}bin/bash px ->
/usr/sbin/ejabberdctl,
+ /{,usr/}bin/dash px ->
/usr/sbin/ejabberdctl,
+ /{,usr/}bin/su rm,
/etc/environment r,
/etc/default/locale r,