Bug#941118: akonadi-server: fails to start after upgrade to 4:18.08.3-8: apparmor denied access to pg_ctl
Package: akonadi-server
Version: 4:18.08.3-8
Severity: important
Dear Sandro,
I was tempted to raise severity to grave, but then thought that this may
just happen on my system. Severity can still be raised if it happens on
other systems as well. It may refuse to start on all setups using the
PostgreSQL backend; see below.
I upgraded and then rebooted the system.
After upgrading to Akonadi 4:18.08.3-8, Akonadi does not start anymore:
% akonadictl start
Connecting to deprecated signal QDBusConnectionInterface::serviceOwnerChanged(QString,QString,QString)
org.kde.pim.akonadicontrol: Application 'akonadiserver' exited normally...
I believe the failure may be due to this:
Sep 25 09:21:06 merkaba kernel: [ 266.556167][ T37] audit: type=1400 audit(1569396066.434:45): apparmor="DENIED" operation="exec" profile="postgresql_akonadi" name="/bin/dash" pid=3833 comm="pg_ctl" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
However, when I use:
% aa-disable postgresql_akonadi
Disabling /etc/apparmor.d/postgresql_akonadi.
I still cannot start Akonadi – same console output as before, syslog output:
Sep 25 09:27:17 merkaba kernel: [ 637.670793][ T37] audit: type=1400 audit(1569396437.550:46): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="postgresql_akonadi" pid=5247 comm="apparmor_parser"
Sep 25 09:27:26 merkaba kernel: [ 647.098937][ T37] audit: type=1400 audit(1569396446.978:47): apparmor="DENIED" operation="exec" info="profile transition not found" error=-13 profile="/usr/bin/akonadiserver" name="/usr/lib/postgresql/11/bin/pg_ctl" pid=5261 comm="akonadiserver" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Also setting to complain mode does not help:
% aa-complain postgresql_akonadi
Setting /etc/apparmor.d/postgresql_akonadi to complain mode.
Although access does get allowed then:
Sep 25 09:30:14 merkaba kernel: [ 814.345508][ T37] audit: type=1400 audit(1569396614.227:51): apparmor="ALLOWED" operation="exec" profile="postgresql_akonadi" name="/bin/dash" pid=5328 comm="pg_ctl" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="postgresql_akonadi//null-/bin/dash"
Best,
Martin
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.2.16-tp520 (SMP w/4 CPU cores; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled
Versions of packages akonadi-server depends on:
ii akonadi-backend-postgresql 4:18.08.3-8
ii libc6 2.29-2
ii libgcc1 1:9.2.1-8
ii libkf5akonadiprivate5abi2 [libkf5akonadiprivate5-18.08] 4:18.08.3-8
ii libkf5akonadiwidgets5abi1 [libkf5akonadiwidgets5-18.08] 4:18.08.3-8
ii libkf5configcore5 5.62.0-1
ii libkf5coreaddons5 5.62.0-1
ii libkf5crash5 5.62.0-1
ii libkf5i18n5 5.62.0-1
ii libqt5core5a 5.11.3+dfsg1-4
ii libqt5dbus5 5.11.3+dfsg1-4
ii libqt5gui5 5.11.3+dfsg1-4
ii libqt5network5 5.11.3+dfsg1-4
ii libqt5sql5 5.11.3+dfsg1-4
ii libqt5widgets5 5.11.3+dfsg1-4
ii libqt5xml5 5.11.3+dfsg1-4
ii libstdc++6 9.2.1-8
akonadi-server recommends no packages.
Versions of packages akonadi-server suggests:
pn akonadi-backend-mysql <none>
ii akonadi-backend-postgresql 4:18.08.3-8
pn akonadi-backend-sqlite <none>
-- no debconf information
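
Added example (not part of the original report, and not code from Debian, Akonadi or AppArmor): a small Python triage script run over the four audit records quoted in the report, showing that the denial logged after aa-disable has a different cause than the first one. The names parse_event and triage are hypothetical, and SAMPLE_LOG is copied from the report as test input.

```python
import re

# Sample input: the four AppArmor audit records quoted in the report above.
SAMPLE_LOG = [
    'Sep 25 09:21:06 merkaba kernel: [ 266.556167][ T37] audit: type=1400 audit(1569396066.434:45): apparmor="DENIED" operation="exec" profile="postgresql_akonadi" name="/bin/dash" pid=3833 comm="pg_ctl" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0',
    'Sep 25 09:27:17 merkaba kernel: [ 637.670793][ T37] audit: type=1400 audit(1569396437.550:46): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="postgresql_akonadi" pid=5247 comm="apparmor_parser"',
    'Sep 25 09:27:26 merkaba kernel: [ 647.098937][ T37] audit: type=1400 audit(1569396446.978:47): apparmor="DENIED" operation="exec" info="profile transition not found" error=-13 profile="/usr/bin/akonadiserver" name="/usr/lib/postgresql/11/bin/pg_ctl" pid=5261 comm="akonadiserver" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0',
    'Sep 25 09:30:14 merkaba kernel: [ 814.345508][ T37] audit: type=1400 audit(1569396614.227:51): apparmor="ALLOWED" operation="exec" profile="postgresql_akonadi" name="/bin/dash" pid=5328 comm="pg_ctl" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="postgresql_akonadi//null-/bin/dash"',
]

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Return the key=value fields of an AppArmor audit record, or None."""
    if "apparmor=" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def triage(lines):
    """Classify each record as (verdict, profile, name, note)."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        verdict, op = ev["apparmor"], ev.get("operation")
        if verdict == "STATUS":
            note = "profile load/remove event, not an access decision"
        elif op == "exec" and ev.get("info") == "profile transition not found":
            # The confining profile's exec rule points at a profile that is not loaded.
            note = "exec rule names a target profile that is not loaded"
        elif op == "exec" and verdict == "DENIED":
            note = "profile does not permit executing this binary"
        elif op == "exec" and verdict == "ALLOWED":
            note = "complain mode: logged, would be denied when enforced"
        else:
            note = "non-exec access decision"
        findings.append((verdict, ev.get("profile"), ev.get("name"), note))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(" | ".join(finding))
```
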