Bug#911485: fwknop-apparmor-profile: Missing permissions in the AppArmor profile
Package: fwknop-apparmor-profile
Version: 2.6.9-1
Severity: important
The AppArmor profile that comes with fwknop-server is not complete.
These are the errors I have when running in complain mode:
-----------------------------------------------------
audit[29328]: AVC apparmor="ALLOWED" operation="open" profile="/usr/sbin/fwknopd" name="/var/fwknop/fwknopd.pid" comm="fwknopd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[29329]: AVC apparmor="ALLOWED" operation="open" profile="/usr/sbin/fwknopd" name="/var/fwknop/digest.cache" comm="fwknopd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[29412]: AVC apparmor="ALLOWED" operation="file_lock" profile="/usr/sbin/fwknopd" name="/run/xtables.lock" comm="iptables" requested_mask="wk" denied_mask="wk" fsuid=0 ouid=0
fwknop-server[29322]: Error trying to open PID file: : Permission denied
fwknop-server[31175]: Error trying to open PID file: : Permission denied
-----------------------------------------------------
This is solved by adding the following lines to the profile:
-----------------------------------------------------
/run/xtables.lock wk,
/var/fwknop/fwknopd.pid r,
/var/fwknop/fwknopd.pid wkl,
/var/fwknop/digest.cache r,
/var/fwknop/digest.cache wkl,
-----------------------------------------------------
-- System Information:
Debian Release: 9.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages fwknop-apparmor-profile depends on:
pn fwknop-server <none>
fwknop-apparmor-profile recommends no packages.
fwknop-apparmor-profile suggests no packages.
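
Added example (not part of the original report and not code from fwknop or AppArmor): a small Python script that reads the complain-mode AVC lines quoted above and prints the minimum file rules those events justify, one per path, so they can be compared with the rules proposed in the report. The function names and the mask-to-rule mapping table are this example's own; exec ("x") events are skipped because an exec rule needs a transition qualifier that the log line alone does not decide.

```python
import re
from collections import defaultdict

# Constructed sample input: the log lines quoted in the report above.
SAMPLE_LOG = '''\
audit[29328]: AVC apparmor="ALLOWED" operation="open" profile="/usr/sbin/fwknopd" name="/var/fwknop/fwknopd.pid" comm="fwknopd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[29329]: AVC apparmor="ALLOWED" operation="open" profile="/usr/sbin/fwknopd" name="/var/fwknop/digest.cache" comm="fwknopd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[29412]: AVC apparmor="ALLOWED" operation="file_lock" profile="/usr/sbin/fwknopd" name="/run/xtables.lock" comm="iptables" requested_mask="wk" denied_mask="wk" fsuid=0 ouid=0
fwknop-server[29322]: Error trying to open PID file: : Permission denied
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Audit-log mask letters -> profile rule letters. "c" (create) and "d"
# (delete) appear only in logs and are covered by "w" in a profile rule.
LOG_TO_RULE = {"r": "r", "w": "w", "a": "a", "l": "l", "k": "k", "m": "m",
               "c": "w", "d": "w"}
ORDER = "rwalkm"  # stable output order for the permission letters


def parse_avc(line):
    """Return the key=value fields of an AppArmor AVC line, or None."""
    if "apparmor=" not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


def rules_from_log(text, profile):
    """Merge denied_mask per path for one profile and emit rule lines."""
    perms = defaultdict(set)
    for line in text.splitlines():
        f = parse_avc(line)
        if not f or f.get("profile") != profile or "name" not in f:
            continue
        if f.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue
        for letter in f.get("denied_mask", ""):
            if letter in LOG_TO_RULE:  # skips "x" and unknown letters
                perms[f["name"]].add(LOG_TO_RULE[letter])
    return ["%s %s," % (path, "".join(sorted(p, key=ORDER.index)))
            for path, p in sorted(perms.items()) if p]


if __name__ == "__main__":
    for rule in rules_from_log(SAMPLE_LOG, "/usr/sbin/fwknopd"):
        print(rule)
```
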