Package: ejabberd
Version: 17.08-3
Severity: normal
Tags: patch

Dear Maintainer,
I have discovered a number of DENIED messages produced by AppArmor, due to the fact that I have the `usrmerge` package installed, and some additional rules missing:

```
type=AVC msg=audit(1512580362.337:361): apparmor="DENIED" operation="exec" profile="/usr/sbin/ejabberdctl" name="/usr/bin/date" pid=4369 comm="ejabberdctl" requested_mask="x" denied_mask="x" fsuid=123 ouid=0
type=AVC msg=audit(1512580362.337:363): apparmor="DENIED" operation="exec" profile="/usr/sbin/ejabberdctl" name="/usr/bin/sed" pid=4370 comm="ejabberdctl" requested_mask="x" denied_mask="x" fsuid=123 ouid=0
type=AVC msg=audit(1512580362.341:371): apparmor="DENIED" operation="exec" profile="/usr/sbin/ejabberdctl" name="/usr/bin/cat" pid=4376 comm="ejabberdctl" requested_mask="x" denied_mask="x" fsuid=123 ouid=0
type=AVC msg=audit(1512580362.345:377): apparmor="DENIED" operation="exec" profile="/usr/sbin/ejabberdctl" name="/usr/bin/dash" pid=4384 comm="erlexec" requested_mask="x" denied_mask="x" fsuid=123 ouid=0
type=AVC msg=audit(1512580371.446:390): apparmor="DENIED" operation="exec" profile="/usr/sbin/ejabberdctl" name="/usr/bin/sleep" pid=4433 comm="ejabberdctl" requested_mask="x" denied_mask="x" fsuid=123 ouid=0
type=AVC msg=audit(1512580380.670:414): apparmor="DENIED" operation="exec" profile="/usr/sbin/ejabberdctl" name="/usr/bin/grep" pid=4502 comm="ejabberdctl" requested_mask="x" denied_mask="x" fsuid=123 ouid=0
type=AVC msg=audit(1512828616.371:196): apparmor="DENIED" operation="capable" profile="/usr/sbin/ejabberdctl" pid=3595 comm="sed" capability=2 capname="dac_read_search"
type=SYSCALL msg=audit(1512828616.371:196): arch=c000003e syscall=2 success=yes exit=3 a0=7ffcb9d94850 a1=0 a2=1b6 a3=0 items=0 ppid=3592 pid=3595 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="sed" exe="/usr/bin/sed" key=(null)
type=PROCTITLE msg=audit(1512828616.371:196): proctitle=36564002F5E6C6F675F726F746174655F636F756E742F21643B732F3A5B205C745D2A5C285B302D395D2A5C292E2A2F205C312F3B732F5E2F202F002F6574632F656A6162626572642F656A6162626572642E796D6C
(here proctitle= sed\x00/^log_rotate_count/!d;s/:[ \\t]*\\([0-9]*\\).*/ \\1/;s/^/ /\x00/etc/ejabberd/ejabberd.yml)
```

Patch is attached to fix these issues.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ejabberd depends on:
ii  adduser                          3.116
ii  debconf [debconf-2.0]            1.5.65
ii  erlang-asn1                      1:20.1.7+dfsg-1
ii  erlang-base [erlang-abi-17.0]    1:20.1.7+dfsg-1
ii  erlang-crypto                    1:20.1.7+dfsg-1
ii  erlang-inets                     1:20.1.7+dfsg-1
ii  erlang-jiffy                     0.14.11+dfsg-2
ii  erlang-lager                     3.5.2-1
ii  erlang-mnesia                    1:20.1.7+dfsg-1
ii  erlang-odbc                      1:20.1.7+dfsg-1
ii  erlang-p1-cache-tab              1.0.12-1
ii  erlang-p1-iconv                  1.0.6-1
ii  erlang-p1-stringprep             1.0.10-1
ii  erlang-p1-tls                    1.0.17-1
ii  erlang-p1-utils                  1.0.10-1
ii  erlang-p1-xml                    1.1.25-1
ii  erlang-p1-xmpp                   1.1.16-1
ii  erlang-p1-yaml                   1.0.12-1
ii  erlang-p1-zlib                   1.0.3-1
ii  erlang-public-key                1:20.1.7+dfsg-1
ii  erlang-ssl                       1:20.1.7+dfsg-1
ii  erlang-syntax-tools              1:20.1.7+dfsg-1
ii  erlang-xmerl                     1:20.1.7+dfsg-1
ii  init-system-helpers              1.51
ii  lsb-base                         9.20170808
ii  openssl                          1.1.0g-2
ii  ucf                              3.0036

ejabberd recommends no packages.

Versions of packages ejabberd suggests:
ii  apparmor                         2.11.1-4
ii  apparmor-utils                   2.11.1-4
pn  ejabberd-contrib                 <none>
pn  erlang-luerl                     <none>
pn  erlang-p1-mysql                  <none>
pn  erlang-p1-oauth2                 <none>
pn  erlang-p1-pam                    <none>
pn  erlang-p1-pgsql                  <none>
pn  erlang-p1-sip                    <none>
pn  erlang-p1-sqlite3                <none>
pn  erlang-p1-stun                   <none>
pn  erlang-redis-client              <none>
ii  imagemagick                      8:6.9.7.4+dfsg-16
ii  imagemagick-6.q16 [imagemagick]  8:6.9.7.4+dfsg-16
pn  libunix-syslog-perl              <none>
pn  yamllint                         <none>

-- Configuration Files:
/etc/apparmor.d/usr.sbin.ejabberdctl changed [not included]
/etc/ejabberd/inetrc [Errno 13] Permission denied: '/etc/ejabberd/inetrc'
/etc/ejabberd/modules.d/README.modules [Errno 13] Permission denied: '/etc/ejabberd/modules.d/README.modules'

-- debconf information excluded
diff --git a/debian/usr.sbin.ejabberdctl b/debian/usr.sbin.ejabberdctl index 5971b3e..0a53e5f 100644 --- a/debian/usr.sbin.ejabberdctl +++ b/debian/usr.sbin.ejabberdctl @@ -7,17 +7,19 @@ capability net_bind_service, capability dac_override, + capability dac_read_search, # for sed - /bin/bash rmix, - /bin/dash rmix, - /bin/date ix, - /bin/grep ix, - /bin/ps ix, - /bin/sed ix, - /bin/sleep ix, + /{,usr/}bin/bash rmix, + /{,usr/}bin/cat ix, + /{,usr/}bin/dash rmix, + /{,usr/}bin/date ix, + /{,usr/}bin/grep ix, + /{,usr/}bin/ps ix, + /{,usr/}bin/sed ix, + /{,usr/}bin/sleep ix, - /bin/su px -> /usr/sbin/ejabberdctl//su, + /{,usr/}bin/su px -> /usr/sbin/ejabberdctl//su, profile su { #include <abstractions/authentication> #include <abstractions/base> @@ -32,9 +34,9 @@ @{PROC}/@{pid}/loginuid r, @{PROC}/1/limits r, - /bin/bash px -> /usr/sbin/ejabberdctl, - /bin/dash px -> /usr/sbin/ejabberdctl, - /bin/su rm, + /{,usr/}bin/bash px -> /usr/sbin/ejabberdctl, + /{,usr/}bin/dash px -> /usr/sbin/ejabberdctl, + /{,usr/}bin/su rm, /etc/environment r, /etc/default/locale r,
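Review bot: in the first hunk, `capability dac_read_search, # for sed` widens the whole profile (a capability rule applies to every helper the profile confines, not only sed) on the strength of a denial whose SYSCALL record in the report reads `success=yes exit=3`, so the open of /etc/ejabberd/ejabberd.yml already went through, presumably via the `capability dac_override,` the profile already grants; the new rule mainly silences that audit message. If it stays, the trailing comment should name the access that triggers it (sed run as root reading under /etc/ejabberd) rather than just "for sed", so a later reviewer can re-check whether it is still needed. The `/{,usr/}bin/...` rewrites and the added `/{,usr/}bin/cat ix,` match the exec denials quoted in the report (names resolved to /usr/bin/* under usrmerge); keeping the `{,usr/}` alternation instead of hard-coding /usr/bin is the right call, as it also keeps the profile valid on installs without merged /usr.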
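Review bot: the second hunk is consistent with the first, but it relies on an asymmetry worth a one-line comment in the profile: the `px -> /usr/sbin/ejabberdctl` targets (and the profile name itself) keep a single spelling, which is correct because /usr/sbin is not duplicated by usrmerge (the audit lines confirm the profile attaches as profile="/usr/sbin/ejabberdctl"), while only the former `/bin/*` entries need `{,usr/}`. Without that comment the next person touching the su child profile may "fix" the transition targets too and break the hand-off back into the parent profile. Please also confirm after the change that `apparmor_parser -r debian/usr.sbin.ejabberdctl` accepts the alternation inside a `px ->` rule on the apparmor 2.11.1 the reporter runs, since that is the version the package will first be tested against.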
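As an added example (not part of this report or of the ejabberd package), a small Python parser for audit records in the format quoted above: it derives profile rules in the patch's `/{,usr/}bin/...` form from exec and capable denials, and flags denials whose paired SYSCALL record still reports success=yes. The sample records are constructed, and the ix/rmix choice per binary is an assumption copied from the existing profile.

```python
import re

# Constructed sample in the audit(8) record format quoted in the report above
# (made-up values, same field layout).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1512580362.337:363): apparmor="DENIED" operation="exec" profile="/usr/sbin/ejabberdctl" name="/usr/bin/sed" pid=4370 comm="ejabberdctl" requested_mask="x" denied_mask="x" fsuid=123 ouid=0
type=AVC msg=audit(1512580362.345:377): apparmor="DENIED" operation="exec" profile="/usr/sbin/ejabberdctl" name="/usr/bin/dash" pid=4384 comm="erlexec" requested_mask="x" denied_mask="x" fsuid=123 ouid=0
type=AVC msg=audit(1512828616.371:196): apparmor="DENIED" operation="capable" profile="/usr/sbin/ejabberdctl" pid=3595 comm="sed" capability=2 capname="dac_read_search"
type=SYSCALL msg=audit(1512828616.371:196): arch=c000003e syscall=2 success=yes exit=3 comm="sed" exe="/usr/bin/sed"
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')     # key="quoted" or key=bare
EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")   # (timestamp:serial) joins records
USR_MERGE = re.compile(r"^/(?:usr/)?(s?bin)/")        # /bin, /sbin and their /usr twins

def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    out = {}
    for m in FIELD.finditer(line):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out

def suggest_rule(rec):
    """Profile rule one DENIED record asks for, in the form the patch uses: the
    {,usr/} alternation covers merged and unmerged /usr; shells keep rmix."""
    if rec.get("operation") == "capable":
        return "capability %s," % rec["capname"]
    if rec.get("operation") == "exec":
        path = USR_MERGE.sub(r"/{,usr/}\1/", rec["name"])
        mode = "rmix" if path.endswith(("/bash", "/dash")) else "ix"
        return "%s %s," % (path, mode)
    return None  # open/mknod/... would need denied_mask; not handled here

def audit_denials(text, profile):
    """Return (rules, noisy): deduplicated rule suggestions for `profile`, plus the
    event ids whose DENIED record is paired with a SYSCALL record reporting
    success=yes, i.e. the kernel still satisfied the request some other way."""
    denied, succeeded, rules = set(), set(), []
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        rec, eid = parse_record(line), (m.group(1) if m else None)
        if rec.get("type") == "AVC" and rec.get("apparmor") == "DENIED" and rec.get("profile") == profile:
            denied.add(eid)
            rule = suggest_rule(rec)
            if rule and rule not in rules:
                rules.append(rule)
        elif rec.get("type") == "SYSCALL" and rec.get("success") == "yes":
            succeeded.add(eid)
    return rules, sorted(denied & succeeded)
```

Events listed in the second return value are worth checking against the capabilities the profile already grants before adding a rule for them, since the syscall did not actually fail.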