Package: ejabberd
Version: 24.12-3
Severity: important

Dear Maintainer,

After upgrading ejabberd on a host with apparmor installed, apparmor
failed to load:

> Jul 30 12:24:02 nyarlathotep apparmor.systemd[179961]: profile has merged rule with conflicting x modifiers
> Jul 30 12:24:02 nyarlathotep apparmor.systemd[179961]: ERROR processing regexs for profile su, failed to load
> Jul 30 12:24:02 nyarlathotep apparmor.systemd[179860]: Error: At least one profile failed to load
> Jul 30 12:24:02 nyarlathotep systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
> Jul 30 12:24:02 nyarlathotep systemd[1]: apparmor.service: Failed with result 'exit-code'.
> Jul 30 12:24:02 nyarlathotep systemd[1]: Failed to start apparmor.service - Load AppArmor profiles.

Given the error message mentions "profile su", the following search
shows ejabberd as being the only relevant package:

>> find /etc/apparmor.d -type f -exec grep -H '\bsu\b' {} \;

> /etc/apparmor.d/usr.sbin.ejabberdctl:   profile su flags=(attach_disconnected) {
> /etc/apparmor.d/usr.sbin.ejabberdctl:           /{,usr/}bin/su                          rm,
> /etc/apparmor.d/usr.sbin.ejabberdctl:   /usr/lib/erlang/p1_pam/bin/epam                 px -> /usr/sbin/ejabberdctl//su,

Through trial and error (and a very rudimentary understanding of
apparmor), I butchered /etc/apparmor.d/usr.sbin.ejabberdctl, verified
restarting apparmor was now successful, then restored bits of the file,
repeating the restarts until I could isolate a single line which was
causing apparmor to fail to load:

>                /{,usr/}sbin/unix_chkpwd                rmix,

After this change, I restarted ejabberd, verifying the server is still
functional.

For the record:

>> dpkg-query -l apparmor\*

> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> ||/ Name                    Version      Architecture Description
> +++-=======================-============-============-======================================
> ii  apparmor                4.1.0-1      amd64        user-space parser utility for AppArmor
> un  apparmor-easyprof       <none>       <none>       (no description available)
> un  apparmor-profiles-extra <none>       <none>       (no description available)
> ii  apparmor-utils          4.1.0-1      all          utilities for controlling AppArmor


-- System Information:
Debian Release: 13.0
  APT prefers testing-security
  APT policy: (700, 'testing-security'), (700, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.38+deb13-cloud-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ejabberd depends on:
ii  adduser                     3.152
ii  debconf [debconf-2.0]       1.5.91
ii  erlang-asn1                 1:27.3.4.1+dfsg-1
ii  erlang-base [erlang-abi]    1:27.3.4.1+dfsg-1
ii  erlang-base64url            1.0.1-8+b1
ii  erlang-crypto               1:27.3.4.1+dfsg-1
ii  erlang-goldrush             0.2.0-9+b1
ii  erlang-idna                 6.1.1-5+b1
ii  erlang-inets                1:27.3.4.1+dfsg-1
ii  erlang-jiffy                1.1.2-1+b1
ii  erlang-jose                 1.11.10-1+b1
ii  erlang-lager                3.9.2-3+b1
ii  erlang-mnesia               1:27.3.4.1+dfsg-1
ii  erlang-odbc                 1:27.3.4.1+dfsg-1
ii  erlang-os-mon               1:27.3.4.1+dfsg-1
ii  erlang-p1-acme              1.0.25-1
ii  erlang-p1-cache-tab         1.0.31-2
ii  erlang-p1-eimp              1.0.23-4
ii  erlang-p1-mqtree            1.0.17-2
ii  erlang-p1-pkix              1.0.10-2
ii  erlang-p1-stringprep        1.0.30-2
ii  erlang-p1-stun              1.2.15-1
ii  erlang-p1-tls               1.1.22-1
ii  erlang-p1-utils             1.0.26-2
ii  erlang-p1-xml               1.1.55-1
ii  erlang-p1-xmpp              1.9.4-1
ii  erlang-p1-yaml              1.0.37-2
ii  erlang-p1-yconf             1.0.17-1
ii  erlang-p1-zlib              1.0.13-2
ii  erlang-public-key           1:27.3.4.1+dfsg-1
ii  erlang-ssl                  1:27.3.4.1+dfsg-1
ii  erlang-syntax-tools         1:27.3.4.1+dfsg-1
ii  erlang-unicode-util-compat  0.7.0-5+b1
ii  erlang-xmerl                1:27.3.4.1+dfsg-1
ii  init-system-helpers         1.68
ii  openssl                     3.5.1-1
ii  ucf                         3.0052

ejabberd recommends no packages.

Versions of packages ejabberd suggests:
ii  ejabberd-contrib                 0.2025.01.11~dfsg0-2
ii  erlang-luerl                     1:1.2.3-1+b1
ii  erlang-p1-mysql                  1.0.25-1
ii  erlang-p1-oauth2                 0.6.14-2
ii  erlang-p1-pam                    1.0.14-3
ii  erlang-p1-pgsql                  1.1.31-1
ii  erlang-p1-sip                    1.0.56-1
ii  erlang-p1-sqlite3                1.1.15-2
ii  erlang-redis-client              1.2.0-8
ii  imagemagick                      8:7.1.1.43+dfsg1-1
ii  imagemagick-7.q16 [imagemagick]  8:7.1.1.43+dfsg1-1
ii  libunix-syslog-perl              1.1-4+b4
ii  yamllint                         1.37.1-1

-- Configuration Files:
/etc/apparmor.d/usr.sbin.ejabberdctl changed:
/usr/sbin/ejabberdctl {
        #include <abstractions/base>
        #include <abstractions/consoles>
        #include <abstractions/nameservice>
        capability net_bind_service,
        capability dac_override,
        capability dac_read_search, # for sed
        /{,usr/}bin/bash                                rmix,
        /{,usr/}bin/cat                                 ix,
        /{,usr/}bin/dash                                rmix,
        /{,usr/}bin/date                                ix,
        /{,usr/}bin/df                                  ix,
        /{,usr/}bin/{,p}grep                    ix,
        /{,usr/}bin/ps                                  ix,
        /{,usr/}bin/sed                                 ix,
        /{,usr/}bin/sleep                               ix,
        /{,usr/}bin/su                                  px -> /usr/sbin/ejabberdctl//su,
        profile su flags=(attach_disconnected) {
                #include <abstractions/authentication>
                #include <abstractions/base>
                #include <abstractions/nameservice>
                #include <abstractions/wutmp>
                deny capability net_admin, # setsockopt() with SO_RCVBUFFORCE
                capability audit_write,
                capability setgid,
                capability setuid,
                capability sys_resource,
                capability dac_override,
                capability dac_read_search,
                @{PROC}/@{pid}/loginuid                 r,
                @{PROC}/1/limits                        r,
                /{,usr/}bin/bash                        px -> /usr/sbin/ejabberdctl,
                /{,usr/}bin/dash                        px -> /usr/sbin/ejabberdctl,
                /{,usr/}bin/su                          rm,
                #/{,usr/}sbin/unix_chkpwd               rmix,
                /run/systemd/journal/dev-log            w,
                /etc/environment                        r,
                /etc/default/locale                     r,
                /etc/security/limits.d**                r,
                /lib/@{multiarch}/libpam.so*            rm,
                /usr/lib/erlang/p1_pam/bin/epam         rm,
        }
        /etc/default/ejabberd                           r,
        /etc/ejabberd**                                 r,
        /etc/ImageMagick**                              r,
        /run/ejabberd**                                 rw,
        /sys/devices/system/cpu**                       r,
        /sys/devices/system/node**                      r,
        /proc/sys/kernel/osrelease                      r, # for pgrep
        /proc/sys/kernel/random/uuid            r,
        @{PROC}/                                        r, # for pgrep
        owner @{PROC}/@{pid}/mountinfo          r, # for df
        owner @{PROC}/@{pid}/mounts                     r, # for df
        /usr/bin/cut                                    ix,
        /usr/bin/erl                                    ix,
        /usr/bin/expr                                   ix,
        /usr/bin/flock                                  ix,
        /usr/bin/getent                                 ix,
        /usr/bin/id                                     ix,
        /usr/bin/inotifywait                    ix,
        /usr/bin/seq                                    ix,
        /usr/bin/uuidgen                                ix,
        /usr/lib/erlang/bin/erl                         ix,
        /usr/lib/erlang/erts-*/bin/beam*                ix,
        /usr/lib/erlang/erts-*/bin/child_setup          ix,
        /usr/lib/erlang/erts-*/bin/epmd                 ix,
        /usr/lib/erlang/erts-*/bin/erl_child_setup      ix,
        /usr/lib/erlang/erts-*/bin/erlexec              ix,
        /usr/lib/erlang/erts-*/bin/inet_gethost         ix,
        /usr/lib/erlang/lib/**.so                       rm,
        /usr/lib/erlang/lib/os_mon*/priv/bin/memsup ix,
        /usr/lib/erlang/lib/p1_eimp*/priv/bin/eimp  ix,
        /usr/lib/erlang/p1_pam/bin/epam                 px -> /usr/sbin/ejabberdctl//su,
        /usr/lib/@{multiarch}/ImageMagick-*/**          ix,
        /usr/sbin/ejabberdctl                           r,
        /usr/share/ejabberd**                           r,
        /usr/share/ImageMagick-*/**                     rix,
        /var/backups/                                   rw,
        /var/backups/ejabberd**                         rwlk,
        /var/lib/ejabberd**                             rw,
        /var/log/ejabberd/*                             rwlk,
        /var/run/ejabberd**                             rw,
        # Site-specific additions and overrides. See local/README for details.
        #include <local/usr.sbin.ejabberdctl>
}

/etc/default/ejabberd changed:
ERL_OPTIONS="-env ERL_CRASH_DUMP_BYTES 0"
ERLANG_NODE=ejabberd@nyarlathotep
EJABBERD_PID_PATH=/run/ejabberd/ejabberd.pid
EJABBERD_CONFIG_PATH=/etc/ejabberd/ejabberd.yml
CONTRIB_MODULES_CONF_DIR=/etc/ejabberd/modules.d

/etc/ejabberd/inetrc [Errno 13] Permission denied: '/etc/ejabberd/inetrc'
/etc/ejabberd/modules.d/README.modules [Errno 13] Permission denied: '/etc/ejabberd/modules.d/README.modules'

-- debconf information excluded

-- 
Gerald Turner <[email protected]>        Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80  3858 EC94 2276 FDB8 716D
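The parser error in this report means that, once included abstractions are expanded, one path inside a single profile block ends up with two different exec modifiers. Below is an added check (not part of the report or of the ejabberd package) that scans profile text for exactly that condition, so the offending rule can be found without the restore-and-restart bisection described above. It assumes the text comes from `apparmor_parser -p`, which dumps the profile with includes expanded; the sample profile, including the second `unix_chkpwd` rule that stands in for one merged from an include, is constructed for illustration.

```shell
#!/bin/sh
# Report paths that carry two different exec modifiers (ix, px, Px, cx, ux, ...)
# inside the same AppArmor profile block: the situation apparmor_parser rejects
# as "profile has merged rule with conflicting x modifiers".
# Assumed usage, so that included abstractions are expanded first:
#   apparmor_parser -p /etc/apparmor.d/usr.sbin.ejabberdctl | find_x_conflicts
find_x_conflicts() {
    awk '
    { sub(/#.*/, ""); sub(/[ \t]+$/, "") }          # drop comments and trailing blanks
    /\{$/ { depth++; name[depth] = ($1 == "profile") ? $2 : $1; next }   # profile header
    /^[ \t]*\}$/ { depth--; next }                   # end of a profile block
    /^[ \t]*(owner[ \t]+)?[\/@]/ && /,$/ {           # a path rule
        sub(/[ \t]*->[ \t]*[^ \t,]+,$/, ",")         # strip "-> target" from px rules
        path  = ($1 == "owner") ? $2 : $1
        perms = $NF; sub(/,$/, "", perms)
        gsub(/[rwmlka]/, "", perms)                  # keep only the exec modifier
        if (perms == "") next                        # no exec modifier: cannot conflict
        xmod = perms                                 # e.g. "ix", "px", "Px", "pix"
        key  = depth ":" name[depth] ":" path        # conflicts are per profile block
        if (key in seen && seen[key] != xmod)
            printf "conflict in %s: %s has %s and %s\n", name[depth], path, seen[key], xmod
        else
            seen[key] = xmod
    }'
}

# Constructed sample modelled on the ejabberdctl profile in the report. The
# second unix_chkpwd rule stands in for one merged from an included abstraction;
# which file supplies it on a real system is not shown in the report.
SAMPLE='/usr/sbin/ejabberdctl {
  /{,usr/}bin/su                 px -> /usr/sbin/ejabberdctl//su,
  profile su flags=(attach_disconnected) {
    /{,usr/}bin/su               rm,
    /{,usr/}sbin/unix_chkpwd     rmix,
    /{,usr/}sbin/unix_chkpwd     Px,
  }
  /usr/bin/cut                   ix,
}'

printf '%s\n' "$SAMPLE" | find_x_conflicts
```

On a real host, `apparmor_parser -Q <file>` parses a profile without loading it into the kernel, so a candidate fix can be checked before apparmor.service is restarted.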
