Bug#888584: AppArmor: denied execution of eimp, memsup and more

Vincas Dargis Sat, 27 Jan 2018 05:00:39 -0800

Package: ejabberd
Version: 18.01-1
Severity: normal
User: pkg-apparmor-t...@lists.alioth.debian.org
Usertags: buggy-profile


Dear Maintainer,

After some update a flow of DENIED messages appears when ejabberd is starting, 
with AppArmor profile enforced:

```
type=AVC msg=audit(1517057211.177:163): apparmor="DENIED" operation="exec" 
profile="/usr/sbin/ejabberdctl" 
name="/usr/lib/erlang/lib/p1_eimp-1.0.2/priv/bin/eimp" pid=2345 comm="sh" 
requested_mask="x" denied_mask="x" fsuid=123 ouid=0
type=AVC msg=audit(1517057211.177:164): apparmor="DENIED" operation="exec" 
profile="/usr/sbin/ejabberdctl" 
name="/usr/lib/erlang/lib/p1_eimp-1.0.2/priv/bin/eimp" pid=2344 comm="sh" 
requested_mask="x" denied_mask="x" fsuid=123 ouid=0
type=AVC msg=audit(1517057211.189:165): apparmor="DENIED" operation="exec" 
profile="/usr/sbin/ejabberdctl" 
name="/usr/lib/erlang/lib/p1_eimp-1.0.2/priv/bin/eimp" pid=2373 comm="sh" 
requested_mask="x" denied_mask="x" fsuid=123 ouid=0
...
type=AVC msg=audit(1517057212.169:173): apparmor="DENIED" operation="exec" 
profile="/usr/sbin/ejabberdctl" name="/usr/bin/df" pid=2391 comm="sh" 
requested_mask="x" denied_mask="x" fsuid=123 ouid=0
type=AVC msg=audit(1517057212.173:174): apparmor="DENIED" operation="exec" 
profile="/usr/sbin/ejabberdctl" 
name="/usr/lib/erlang/lib/os_mon-2.4.4/priv/bin/memsup" pid=2392 comm="sh" 
requested_mask="x" denied_mask="x" fsuid=123 ouid=0
type=AVC msg=audit(1517057212.181:175): apparmor="DENIED" operation="exec" 
profile="/usr/sbin/ejabberdctl" 
name="/usr/lib/erlang/lib/os_mon-2.4.4/priv/bin/memsup" pid=2393 comm="sh" 
requested_mask="x" denied_mask="x" fsuid=123 ouid=0
...
type=AVC msg=audit(1517057212.353:183): apparmor="DENIED" operation="exec" 
profile="/usr/sbin/ejabberdctl" name="/usr/bin/inotifywait" pid=2402 comm="sh" 
requested_mask="x" denied_mask="x" fsuid=123 ouid=0
type=AVC msg=audit(1517057212.353:184): apparmor="DENIED" operation="exec" 
profile="/usr/sbin/ejabberdctl" name="/usr/bin/inotifywait" pid=2402 comm="sh"
```

I'll start working for the patch.


-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ejabberd depends on:
ii  adduser                        3.116
ii  debconf [debconf-2.0]          1.5.65
ii  erlang-asn1                    1:20.2.2+dfsg-1
ii  erlang-base [erlang-abi-17.0]  1:20.2.2+dfsg-1
ii  erlang-crypto                  1:20.2.2+dfsg-1
ii  erlang-fs-listener             2.12.0-4
ii  erlang-inets                   1:20.2.2+dfsg-1
ii  erlang-jiffy                   0.14.11+dfsg-2
ii  erlang-jose                    1.8.4-2
ii  erlang-lager                   3.5.2-2
ii  erlang-mnesia                  1:20.2.2+dfsg-1
ii  erlang-odbc                    1:20.2.2+dfsg-1
ii  erlang-os-mon                  1:20.2.2+dfsg-1
ii  erlang-p1-cache-tab            1.0.12-2
ii  erlang-p1-eimp                 1.0.2-2
ii  erlang-p1-iconv                1.0.6-2
ii  erlang-p1-stringprep           1.0.10-2
ii  erlang-p1-tls                  1.0.20-1
ii  erlang-p1-utils                1.0.10-2
ii  erlang-p1-xml                  1.1.28-1
ii  erlang-p1-xmpp                 1.1.19-1
ii  erlang-p1-yaml                 1.0.12-2
ii  erlang-p1-zlib                 1.0.3-2
ii  erlang-public-key              1:20.2.2+dfsg-1
ii  erlang-ssl                     1:20.2.2+dfsg-1
ii  erlang-syntax-tools            1:20.2.2+dfsg-1
ii  erlang-xmerl                   1:20.2.2+dfsg-1
ii  lsb-base                       9.20170808
ii  openssl                        1.1.0g-2
ii  ucf                            3.0036

ejabberd recommends no packages.

Versions of packages ejabberd suggests:
ii  apparmor                         2.12-2
ii  apparmor-utils                   2.12-2
pn  ejabberd-contrib                 <none>
pn  erlang-luerl                     <none>
pn  erlang-p1-mysql                  <none>
pn  erlang-p1-oauth2                 <none>
pn  erlang-p1-pam                    <none>
pn  erlang-p1-pgsql                  <none>
pn  erlang-p1-sip                    <none>
pn  erlang-p1-sqlite3                <none>
pn  erlang-p1-stun                   <none>
pn  erlang-redis-client              <none>
ii  imagemagick                      8:6.9.7.4+dfsg-16
ii  imagemagick-6.q16 [imagemagick]  8:6.9.7.4+dfsg-16
pn  libunix-syslog-perl              <none>
pn  yamllint                         <none>

-- Configuration Files:
/etc/apparmor.d/usr.sbin.ejabberdctl changed [not included]
/etc/ejabberd/inetrc [Errno 13] Permission denied: '/etc/ejabberd/inetrc'
/etc/ejabberd/modules.d/README.modules [Errno 13] Permission denied: 
'/etc/ejabberd/modules.d/README.modules'

-- debconf information excluded

Bug#888584: AppArmor: denied execution of eimp, memsup and more

Reply via email to