Bug#868563: apparmor-profiles: Apparmor profiles for postfix programs have incorrect path


debian-bugs-8
Package: apparmor-profiles
Version: 2.11.0-3
Severity: important

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

After upgrading from jessie to stretch I noticed that postfix was no longer constrained by apparmor profiles (using aa-unconfined, ps auxZ etc).

The cause of this issue seems to be that the profiles in this package use paths like /usr/lib/postfix/master but this has moved to /usr/lib/postfix/sbin/master.
This applies to all /usr/lib/postfix/* profiles. Thus the profiles do not properly apply to the correct process. The profiles will need to be updated to point
to the right executables.

*** End of the template - remove these template lines ***


-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (900, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apparmor-profiles depends on:
ii  apparmor  2.11.0-3

apparmor-profiles recommends no packages.

apparmor-profiles suggests no packages.

-- Configuration Files:

-- no debconf information


intrigeri-4
Control: severity -1 minor
Control: tag -1 + upstream
Control: found -1 2.11.0-6

Hi,

[hidden email]:
> After upgrading from jessie to stretch I noticed that postfix was no
> longer constrained by apparmor profiles (using aa-unconfined, ps
> auxZ etc).

> The cause of this issue seems to be that the profiles in this
> package use paths like /usr/lib/postfix/master but this has moved to
> /usr/lib/postfix/sbin/master. This applies to all /usr/lib/postfix/*
> profiles. Thus the profiles do not properly apply to the correct
> process. The profiles will need to be updated to point to the
> right executables.

Good catch, thanks.

Now, as /usr/share/doc/apparmor-profiles/extras/README says, these
profiles are not supported:

  Feedback on these unsupported profiles is welcomed; any
  contributions for this directory should be clearly licensed
  -- we recommend using the GPL. Please mail suggestions or
  modifications to the [hidden email] mail list:
  https://lists.ubuntu.com/mailman/listinfo/apparmor

So downgrading severity accordingly.

Cheers,
--
intrigeri


intrigeri-4
Hi,

the preferred way to fix this nowadays is to fork
https://gitlab.com/apparmor/apparmor, edit files in
profiles/apparmor/profiles/extras, commit, push a branch and follow
the instructions that `git push' will provide to submit
a merge request.

I guess that replacing all relevant occurrences of:

  /usr/lib/postfix

with:

  /usr/lib/postfix{,/sbin}

… should do the trick :)

Cheers,
--
intrigeri
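
A check for the failure mode discussed in this thread, as an added example that is not part of the original messages or of the AppArmor project's code: it reads profile headers, expands `{a,b}` alternations, and reports attachment paths for which no executable exists, which is the condition under which a profile silently stops confining its program. The profile texts and the file set are constructed from the paths named in the report, the function names are hypothetical, and the header parser also accepts the `profile NAME /path {` form, which goes beyond the thread's case.

```python
import os
import re

# Profile header: optional "profile NAME", an absolute attachment path,
# optional flags=(...), then the opening brace of the profile body.
HEADER = re.compile(
    r"^\s*(?:profile\s+\S+\s+)?(/\S+)\s+(?:flags=\([^)]*\)\s*)?\{\s*$"
)

def expand_alternation(pattern):
    """Expand AppArmor {a,b} alternations into literal paths (innermost first)."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_alternation(pattern[:m.start()] + alt + pattern[m.end():]))
    return list(dict.fromkeys(out))  # de-duplicate, keep order

def attachment_patterns(profile_text):
    """Return the attachment path pattern of every profile header found."""
    return [m.group(1) for line in profile_text.splitlines()
            if (m := HEADER.match(line))]

def dangling_attachments(profile_text, exists=os.path.exists):
    """Return attachment patterns for which no expanded path exists."""
    dangling = []
    for pattern in attachment_patterns(profile_text):
        paths = expand_alternation(pattern)
        if any(c in p for p in paths for c in "*?["):
            continue  # other glob syntax is out of scope for this check
        if not any(exists(p) for p in paths):
            dangling.append(pattern)
    return dangling

# Constructed profile texts using the paths named in the bug report.
OLD_PROFILE = (
    "#include <tunables/global>\n"
    "/usr/lib/postfix/master {\n  /etc/postfix/** r,\n}\n"
)
NEW_PROFILE = (
    "#include <tunables/global>\n"
    "/usr/lib/postfix{,/sbin}/master {\n  /etc/postfix/** r,\n}\n"
)
# Constructed stand-in for the stretch layout described in the report.
STRETCH_FILES = {"/usr/lib/postfix/sbin/master"}
```

On a real system, call `dangling_attachments()` with the contents of each profile file and the default `exists`, so any profile it reports is one that cannot attach to an installed binary.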


Julian Andres Klode-4
On Mon, Jan 29, 2018 at 12:03:02PM +0100, intrigeri wrote:

> Hi,
>
> the preferred way to fix this nowadays is to fork
> https://gitlab.com/apparmor/apparmor, edit files in
> profiles/apparmor/profiles/extras, commit, push a branch and follow
> the instructions that `git push' will provide to submit
> a merge request.
>
> I guess that replacing all relevant occurrences of:
>
>   /usr/lib/postfix
>
> with:
>
>   /usr/lib/postfix{,/sbin}
>
> … should do the trick :)

It needs some more changes, I'll try to get them fixed up
this weekend, so I can roll out my server in enforced mode.
It will be based on Ubuntu 18.04, though, so might need double
checking.

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en


intrigeri-4
Julian Andres Klode:
> It needs some more changes, I'll try to get them fixed up
> this weekend, so I can roll out my server in enforced mode.
> It will be based on Ubuntu 18.04, though, so might need double
> checking.

Great!


intrigeri-4
In reply to this post by Julian Andres Klode-4
Hi,

Julian Andres Klode:
> It needs some more changes, I'll try to get them fixed up
> this weekend, so I can roll out my server in enforced mode.

Did your https://gitlab.com/apparmor/apparmor/merge_requests/284 fix
all the incorrect paths this bug was about?

(I'd like to update this bug's metadata accordingly :)

Cheers,
--
intrigeri


intrigeri-4
Control: tag -1 + fixed-upstream

intrigeri (2018-12-16):
> Julian Andres Klode:
>> It needs some more changes, I'll try to get them fixed up
>> this weekend, so I can roll out my server in enforced mode.
>
> Did your https://gitlab.com/apparmor/apparmor/merge_requests/284 fix
> all the incorrect paths this bug was about?
>
> (I'd like to update this bug's metadata accordingly :)

I'll optimistically assume this is indeed fixed in the upstream master
branch, and will be part of the AppArmor 3.0 release.

If that's incorrect, please let me know :)