[pkg-apparmor] Bug#1051157: Apparmor blocks Apache's network traffic

Ervin Hegedüs airween at gmail.com
Sun Sep 3 17:12:07 BST 2023


Package: apparmor
Version: 3.0.8-3

# dpkg -l "*apparmor*"
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                    Version      Architecture         Description
+++-=======================-============-====================-====================================================
ii  apparmor                3.0.8-3      amd64                user-space parser utility for AppArmor
ii  apparmor-profiles       3.0.8-3      all                  experimental profiles for AppArmor security policies
ii  apparmor-utils          3.0.8-3      all                  utilities for controlling AppArmor
ii  libapache2-mod-apparmor 3.0.8-3      amd64                changehat AppArmor library as an Apache module
ii  libapparmor1:amd64      3.0.8-3      amd64                changehat AppArmor library
ii  python3-apparmor        3.0.8-3      all                  AppArmor Python3 utility library
ii  python3-libapparmor     3.0.8-3      amd64                AppArmor library Python3 bindings


I've configured Apparmor: enabled Apache and created a profile
for the virtual host. I've copied the working configuration files
from my previous systems (Debian 10 and Debian 11).

The Apache2 profile (usr.sbin.apache2) is untouched (except I
removed the complain flag, so it's in enforce mode). The profile
contains only the paths that I want to allow for Apache's VHOST.

When I send the HTTP request to Apache, I get this response:

* Empty reply from server
* Closing connection 0
curl: (52) Empty reply from server

In this case I see these lines in syslog:

2023-09-03T17:51:48.864732+02:00 server kernel: [ 2028.475849] audit: type=1400 audit(1693756308.859:335): apparmor="DENIED" operation="file_perm" profile="apache2//myvhost.mydomain" pid=1851 comm="apache2" laddr=192.168.0.246 lport=80 faddr=192.168.100.140 fport=58896 family="inet" sock_type="stream" protocol=6 requested_mask="receive" denied_mask="receive"
2023-09-03T17:51:48.864735+02:00 server kernel: [ 2028.475859] audit: type=1400 audit(1693756308.859:336): apparmor="DENIED" operation="file_perm" profile="apache2//myvhost.mydomain" pid=1851 comm="apache2" laddr=192.168.0.246 lport=80 faddr=192.168.100.140 fport=58896 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"


# lsb_release -a
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 12 (bookworm)
Release:	12
Codename:	bookworm

# cat /etc/debian_version 
12.1



Thanks,


a.
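
Added example, not part of the original report: a small parser that groups AppArmor DENIED audit records like the two quoted above by profile, operation and socket type, so it is clear which hat and which masks are being refused. The function names are illustrative; the sample lines are copied from the report.

```python
import re
from collections import defaultdict

# The two denials quoted in the report above, copied verbatim.
SAMPLE_LINES = [
    '2023-09-03T17:51:48.864732+02:00 server kernel: [ 2028.475849] audit: type=1400 audit(1693756308.859:335): apparmor="DENIED" operation="file_perm" profile="apache2//myvhost.mydomain" pid=1851 comm="apache2" laddr=192.168.0.246 lport=80 faddr=192.168.100.140 fport=58896 family="inet" sock_type="stream" protocol=6 requested_mask="receive" denied_mask="receive"',
    '2023-09-03T17:51:48.864735+02:00 server kernel: [ 2028.475859] audit: type=1400 audit(1693756308.859:336): apparmor="DENIED" operation="file_perm" profile="apache2//myvhost.mydomain" pid=1851 comm="apache2" laddr=192.168.0.246 lport=80 faddr=192.168.100.140 fport=58896 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"',
]

# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# audit(<epoch>:<serial>) identifies the kernel audit event.
EVENT_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


def parse_denial(line):
    """Return the fields of an AppArmor DENIED record, or None for other lines."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if bare == "" else bare
    if fields.get("apparmor") != "DENIED":
        return None
    event = EVENT_RE.search(line)
    if event:
        fields["epoch"] = float(event.group(1))
        fields["serial"] = int(event.group(2))
    return fields


def summarize(lines):
    """Map (profile, operation, family, sock_type) -> sorted denied masks."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_denial(line)
        if rec is None:
            continue
        key = (rec.get("profile"), rec.get("operation"),
               rec.get("family"), rec.get("sock_type"))
        summary[key].update(rec.get("denied_mask", "").split())
    return {key: sorted(masks) for key, masks in summary.items()}


if __name__ == "__main__":
    for key, masks in summarize(SAMPLE_LINES).items():
        print(key, "denied:", ", ".join(masks))
```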


