apparmor sample profile for lighttpd missing entries

Bug #1285653 reported by ks_lp
This bug affects 1 person
Affects: apparmor (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Seth Arnold

Bug Description

/usr/share/doc/apparmor-profiles/extras/usr.sbin.lighttpd is missing some directories:

/etc/lighttpd/conf-available/ r,
/etc/lighttpd/conf-available/*.conf r,
/var/www/* r,

The first two are to be able to enable modules, the third is where files (e.g. *.html) are served from.

1) lighttpd does not start when a module is enabled.
Example:
/usr/sbin/lighty-enable-mod
enable access logging module "accesslog" and restart lighttpd (or reload config)
syslog shows:
Feb 27 07:11:20 localhost kernel: [685075.349141] type=1400 audit(1393503080.987:133): apparmor="DENIED" operation="open" parent=10213 profile="/usr/sbin/lighttpd" name="/etc/lighttpd/conf-available/10-accesslog.conf" pid=10218 comm="lighttpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=33

2) lighttpd does not have access to web files
Any attempts at connecting to the web server result in syslog:
Feb 27 07:18:03 localhost kernel: [685478.188512] type=1400 audit(1393503483.827:153): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/lighttpd" name="/var/www/index.html" pid=10479 comm="lighttpd" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
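
An added example, not part of the original report or of the AppArmor tools: it parses the two DENIED records quoted above and checks which of the three proposed rules would cover each denied path. The glob handling is a simplified subset of AppArmor's syntax, and the function names are this example's own.

```python
import re
import shlex

# The two denial records quoted in the report above.
DENIALS = [
    'Feb 27 07:11:20 localhost kernel: [685075.349141] type=1400 audit(1393503080.987:133): apparmor="DENIED" operation="open" parent=10213 profile="/usr/sbin/lighttpd" name="/etc/lighttpd/conf-available/10-accesslog.conf" pid=10218 comm="lighttpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=33',
    'Feb 27 07:18:03 localhost kernel: [685478.188512] type=1400 audit(1393503483.827:153): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/lighttpd" name="/var/www/index.html" pid=10479 comm="lighttpd" requested_mask="r" denied_mask="r" fsuid=33 ouid=0',
]
# The three rules the reporter proposes adding to the lighttpd profile.
PROPOSED = [
    "/etc/lighttpd/conf-available/ r,",
    "/etc/lighttpd/conf-available/*.conf r,",
    "/var/www/* r,",
]
# Simplified AppArmor globbing (assumption of this example): ** crosses '/',
# * and ? do not. {a,b} alternation and [] classes are not handled.
TOKENS = {"**": ".*", "*": "[^/]*", "?": "[^/]"}

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)
    return fields if fields.get("apparmor") == "DENIED" else None

def glob_to_regex(glob):
    """Compile a profile path glob into an anchored regular expression."""
    parts = re.split(r"(\*\*|\*|\?)", glob)
    return re.compile("".join(TOKENS.get(p, re.escape(p)) for p in parts) + r"\Z")

def covering_rule(path, mask, rules):
    """Return the first rule granting every permission in mask on path."""
    for rule in rules:
        glob, perms = rule.rstrip(",").split()
        if set(mask) <= set(perms) and glob_to_regex(glob).match(path):
            return rule
    return None

def audit(lines, rules):
    """Map each denied path to the rule that allows it (None = still denied)."""
    result = {}
    for line in lines:
        denial = parse_denial(line)
        if denial:
            result[denial["name"]] = covering_rule(
                denial["name"], denial["denied_mask"], rules)
    return result

if __name__ == "__main__":
    for path, rule in audit(DENIALS, PROPOSED).items():
        print(f"{path}: {rule or 'STILL DENIED'}")
```

Because `*` does not cross a `/`, the proposed `/var/www/* r,` covers `/var/www/index.html` but would not cover a file one directory deeper, such as a constructed path like `/var/www/html/index.html`.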

ks_lp (kian-spongsveen) wrote :

Tested on Ubuntu 13.10

Jamie Strandboge (jdstrand) wrote :

This needs two patches: one to adjust 0002-add-debian-integration-to-lighttpd.patch and one to adjust abstractions/web-data. Attached is a patch to the former.

Changed in apparmor (Ubuntu):
assignee: nobody → Seth Arnold (seth-arnold)
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

And here is the patch for the latter. This uses /var/www/html instead though, since we'll fix this in 14.04 and that is the standard document root in Debian and its derivatives.

tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.95~2430-0ubuntu1

---------------
apparmor (2.8.95~2430-0ubuntu1) trusty; urgency=low

  [ Jamie Strandboge ]

   * debian/debhelper/dh_apparmor: exit with error if aa-easyprof does not
     exist
   * debian/control: drop Depends on apparmor-easyprof to Suggests for
     dh-apparmor

  [ Seth Arnold, Jamie Strandboge, Steve Beattie, John Johansen, Tyler Hicks ]

  * New upstream snapshot (LP: #1278702, #1061693, #1285653) dropping very
    large Ubuntu delta and fixing the following bugs:
    - Adjust fonts abstraction for libthai (LP: #1278702)
    - Support translated XDG user directories (LP: #1061693)
    - Adjust abstractions/web-data to include /var/www/html (LP: #1285653)
      Refresh 0002-add-debian-integration-to-lighttpd.patch to include
      /etc/lighttpd/conf-available/*.conf
    - Adjust debian/libapparmor1.symbols to reflect new upstream versioning
      for the aa_query_label() function
    - Raise exceptions in Python bindings when something fails
  * ship new Python replacements for previous Perl-based tools
    - debian/apparmor-utils.install: remove usr/share/perl5/Immunix/*.pm and
      add usr/sbin/aa-autodep, usr/sbin/aa-cleanprof and usr/sbin/aa-mergeprof
    - debian/control:
      + remove various Perl dependencies
      + add python-apparmor and python3-apparmor
      + python3-apparmor Breaks: apparmor-easyprof to move the file since it
        ships dist-packages/apparmor/__init__.py now
    - debian/apparmor-utils.manpages: ship new manpages for aa-cleanprof and
      aa-mergeprof
    - debian/rules: build and install Python tools
  * debian/apparmor.install:
    - install apparmorfs, dovecot, kernelvars, securityfs, sys,
      and xdg-user-dirs tunables and xdg-user-dirs.d directory
  * debian/apparmor.dirs:
    - install /etc/apparmor.d/tunables/xdg-user-dirs.d
  * debian/rules: delete upstream-provided xdg-user-dirs.d/site.local
  * debian/apparmor.postinst: create xdg-user-dirs.d/site.local
  * debian/apparmor.postrm: remove xdg-user-dirs.d
  * Remaining patches:
    - add-chromium-browser.patch
    - add-debian-integration-to-lighttpd.patch
    - ubuntu-manpage-updates.patch
    - libapparmor-layout-deb.patch
    - libapparmor-mention-dbus-method-in-getcon-man.patch
    - etc-writable.patch
    - aa-utils_are_bilingual.patch
  * New patches:
    - convert-to-rules.patch
    - list-fns.patch
    - parse-mode.patch
    - add-decimal-interp.patch
    - policy_mediates.patch
    - fix-failpath.patch
    - feature_file.patch
    - fix-network.patch
    - aare-to-class.patch
    - add-mediation-unix.patch
    - parser_version.patch
    - caching.patch
    - label-class.patch
    - fix-lexer-debug.patch
    - use-diff-encode.patch
    - fix-serialize.patch
    - fix-ppc-endian-ftbfs.patch
    - opt_arg.patch
    - tests-cond-dbus.patch
  * Move manpages from libapparmor1 to libapparmor-dev
    - debian/libapparmor-dev.manpages: install aa_change_hat.2,
      aa_change_profile.2, aa_find_mountpoint.2, aa_getcon.2
    - debian/control: libapparmor-dev Replaces: and Breaks: libapparmor1
  * Move /usr/lib/python3/dist-packages/apparmor/__init__.py from
    apparmor-eas...


Changed in apparmor (Ubuntu):
status: Triaged → Fix Released