[pkg-apparmor] Bug#1051157: AppArmor blocks Apache's network traffic
Ervin Hegedüs
airween at gmail.com
Sun Sep 3 17:12:07 BST 2023
Package: apparmor
Version: 3.0.8-3
# dpkg -l "*apparmor*"
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                    Version      Architecture         Description
+++-=======================-============-====================-====================================================
ii  apparmor                3.0.8-3      amd64                user-space parser utility for AppArmor
ii  apparmor-profiles       3.0.8-3      all                  experimental profiles for AppArmor security policies
ii  apparmor-utils          3.0.8-3      all                  utilities for controlling AppArmor
ii  libapache2-mod-apparmor 3.0.8-3      amd64                changehat AppArmor library as an Apache module
ii  libapparmor1:amd64      3.0.8-3      amd64                changehat AppArmor library
ii  python3-apparmor        3.0.8-3      all                  AppArmor Python3 utility library
ii  python3-libapparmor     3.0.8-3      amd64                AppArmor library Python3 bindings
I've configured AppArmor: enabled Apache and created a profile
for the virtual host. I've copied the working configuration files
from my previous systems (Debian 10 and Debian 11).
The Apache2 profile (usr.sbin.apache2) is untouched (except I
removed the complain flag, so it's in enforce mode). The profile
contains only the paths that I want to allow for Apache's VHOST.
When I send the HTTP request to Apache, I get this response:
* Empty reply from server
* Closing connection 0
curl: (52) Empty reply from server
In this case I see these lines in syslog:
2023-09-03T17:51:48.864732+02:00 server kernel: [ 2028.475849] audit: type=1400 audit(1693756308.859:335): apparmor="DENIED" operation="file_perm" profile="apache2//myvhost.mydomain" pid=1851 comm="apache2" laddr=192.168.0.246 lport=80 faddr=192.168.100.140 fport=58896 family="inet" sock_type="stream" protocol=6 requested_mask="receive" denied_mask="receive"
2023-09-03T17:51:48.864735+02:00 server kernel: [ 2028.475859] audit: type=1400 audit(1693756308.859:336): apparmor="DENIED" operation="file_perm" profile="apache2//myvhost.mydomain" pid=1851 comm="apache2" laddr=192.168.0.246 lport=80 faddr=192.168.100.140 fport=58896 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 12 (bookworm)
Release: 12
Codename: bookworm
# cat /etc/debian_version
12.1
Thanks,
a.
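
A triage helper for the denial records quoted in the report above, as an added example that is not part of the original message or of AppArmor's own tooling: it parses the key=value fields of each apparmor="DENIED" audit record and groups them by profile, operation and socket type, so a network denial inside a vhost child profile stands out. The function names are hypothetical; the sample input is the two log lines from the report.

```python
import re
from collections import defaultdict

# Constructed sample input: the two denial records quoted in the report.
SAMPLE_LOG = '''\
2023-09-03T17:51:48.864732+02:00 server kernel: [ 2028.475849] audit: type=1400 audit(1693756308.859:335): apparmor="DENIED" operation="file_perm" profile="apache2//myvhost.mydomain" pid=1851 comm="apache2" laddr=192.168.0.246 lport=80 faddr=192.168.100.140 fport=58896 family="inet" sock_type="stream" protocol=6 requested_mask="receive" denied_mask="receive"
2023-09-03T17:51:48.864735+02:00 server kernel: [ 2028.475859] audit: type=1400 audit(1693756308.859:336): apparmor="DENIED" operation="file_perm" profile="apache2//myvhost.mydomain" pid=1851 comm="apache2" laddr=192.168.0.246 lport=80 faddr=192.168.100.140 fport=58896 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
'''

# Record layout as seen above: type=1400 audit(<epoch>:<serial>): key=value ...
AUDIT_RE = re.compile(r'type=1400 audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# Values are either double-quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the fields of one AppArmor DENIED record, or None."""
    m = AUDIT_RE.search(line)
    if m is None:
        return None
    fields = {k: quoted or bare for k, quoted, bare in KV_RE.findall(m.group(3))}
    if fields.get("apparmor") != "DENIED":
        return None
    fields["epoch"], fields["serial"] = float(m.group(1)), int(m.group(2))
    # "parent//child" names a child profile or hat under the parent profile.
    parent, _, child = fields.get("profile", "").partition("//")
    fields["parent_profile"], fields["child_profile"] = parent, child or None
    return fields

def summarize(log_text):
    """Group denials by (profile, operation, family, sock_type)."""
    groups = defaultdict(lambda: {"count": 0, "masks": set(), "peers": set()})
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        key = (d.get("profile"), d.get("operation"), d.get("family"), d.get("sock_type"))
        g = groups[key]
        g["count"] += 1
        g["masks"].update(d.get("denied_mask", "").split())
        if "faddr" in d:  # present only on socket-related denials
            g["peers"].add(f'{d["faddr"]}:{d.get("fport", "?")}')
    return dict(groups)

if __name__ == "__main__":
    for (profile, op, family, sock), g in summarize(SAMPLE_LOG).items():
        print(f"{profile}: {op} {family}/{sock} denied={sorted(g['masks'])} "
              f"count={g['count']} peers={sorted(g['peers'])}")
```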