Default apache prefork profile doesn't allow chown
Bug #1210514 reported by
Nick Moffitt
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| AppArmor |
Triaged
|
Low
|
Tyler Hicks | ||
| apparmor (Ubuntu) |
Fix Released
|
Low
|
Unassigned | ||
Bug Description
About every other day, I would see this in my kern.log:
kernel: [11118879.416945] type=1502 audit(137594337
It would seem that the master process is trying to chown something for the benefit of one of the worker processes (who have dropped privilege), and this is part of the ordinary function of Apache.
When I spoke to jdstrand, he seemed to agree with my workaround of dropping a "capability chown," into a file in /etc/apparmor.
Still, it seems like a useful thing to have in the default as shipped.
Related branches
| Changed in apparmor (Ubuntu): | |
| status: | New → Triaged |
| importance: | Undecided → Low |
| tags: | added: policy |
| tags: |
added: aa-policy removed: policy |
| Changed in apparmor: | |
| importance: | Undecided → Low |
| status: | New → Triaged |
| Changed in apparmor: | |
| assignee: | nobody → Tyler Hicks (tyhicks) |
| Changed in apparmor: | |
| milestone: | none → 2.11 |
Revision history for this message
| Launchpad Janitor (janitor) wrote | #1 |
Download full text (4.4 KiB)
| Changed in apparmor (Ubuntu): | |
| status: | Triaged → Fix Released |
To post a comment you must log in.
This bug was fixed in the package apparmor - 2.10.95-0ubuntu1
---------------
apparmor (2.10.95-0ubuntu1) xenial; urgency=medium
* Update to apparmor 2.10.95 (2.11 Beta 1) (LP: #1561762)
- Allow Apache prefork profile to chown(2) files (LP: #1210514)
- Allow deluge-gtk and deluge-console to handle torrents opened in
browsers (LP: #1501913)
- Allow file accesses needed by some programs using libnl-3-200
(Closes: #810888)
- Allow file accesses needed on systems that use NetworkManager without
resolvconf (Closes: #813835)
- Adjust aa-status(8) to work without python3-apparmor (LP: #1480492)
- Fix aa-logprof(8) crash when operating on files containing multiple
profiles with certain rules (LP: #1528139)
- Fix log parsing crashes, in the Python utilities, caused by certain file
related events (LP: #1525119, LP: #1540562)
- Fix log parsing crasher, in the Python utilities, caused by certain
change_hat events (LP: #1523297)
- Improve Python 2 support of the utils by fixing an aa-logprof(8) crasher
when Python 3 is not available (LP: #1513880)
- Send aa-easyprof(8) error messages to stderr instead of stdout
(LP: #1521400)
- Fix aa-autodep(8) failure when the shebang line of a script contained
parameters (LP: #1505775)
- Don't depend on the system logprof.conf when running utils/ build tests
(LP: #1393979)
- Fix apparmor_parser(8) bugs when parsing profiles that use policy
namespaces in the profile declaration or profile transition targets
(LP: #1540666, LP: #1544387)
- Regression fix for apparmor_parser(8) bug that resulted in the
-
be loaded into the root policy namespace (LP: #1526085)
- Fix crasher regression in apparmor_parser(8) when the parser was asked
to process a directory (LP: #1534405)
- Fix bug in apparmor_parser(8) to honor the specified bind flags remount
rules (LP: #1272028)
- Support tarball generation for Coverity scans and fix a number of issues
discovered by Coverity
- Fix regression test failures on s390x systems (LP: #1531325)
- Adjust expected errno values in changeprofile regression test
(LP: #1559705)
- The Python utils gained support for ptrace and signal rules
- aa-exec(8) received a rewrite in C
- apparmor_parser(8) gained support for stacking multiple profiles, as
supported by the Xenial kernel (LP: #1379535)
- libapparmor gained new public interfaces, aa_stack_profile(2) and
aa_
stacking support (LP: #1379535)
* Drop the following patches since they've been incorporated upstream:
- aa-status-
- r3209-dnsmasq-
- r3227-locale-
- r3277-update-
- r3366-networkd.
- tests-fix_
- parser-
- parser-
- parser-
- pa...