
Bug#955479: apparmor fixes for xline_db and geoip


Marc Dequènes

Apr 1, 2020, 6:10:03 AM
Package: inspircd
Version: 2.0.27-1
Severity: normal

Quack,

If you use the xline_db module and try to list or add lines you end up
with the following error:
Wed Apr 1 11:01:50 2020: ANNOUNCEMENT: database: cannot create new db:
Permission denied (13)

Indeed inspircd is not allowed to create a new database (which is then
renamed to the previous file, see src/modules/m_xline_db.cpp):
type=AVC msg=audit(1585731820.176:604602): apparmor="DENIED"
operation="mknod" profile="/usr/sbin/inspircd"
name="/etc/inspircd/xline.db.new" pid=28308 comm="inspircd"
requested_mask="c" denied_mask="c" fsuid=39 ouid=39

I guess it would be even better to create such files in
/var/lib/inspircd but the package does not provide it. I nevertheless
did the change myself and added this line to the apparmor policy:
/var/lib/inspircd/* rw,

Similar problem when trying to use the geoip module:
Apr 01 11:28:40 Jinta inspircd[7048]: Error Opening file
/usr/share/GeoIP/GeoIP.dat
Apr 01 11:28:40 Jinta inspircd[7048]: [*] Unable to initialize
m_geoip.so: Unable to initialize geoip, are you missing GeoIP.dat?
and:
type=AVC msg=audit(1585733319.998:605041): apparmor="DENIED"
operation="open" profile="/usr/sbin/inspircd"
name="/usr/share/GeoIP/GeoIP.dat" pid=7048 comm="inspircd"
requested_mask="r" denied_mask="r" fsuid=39 ouid=0

I added this line to the apparmor policy:
/usr/share/GeoIP/GeoIP.dat r,

Btw the package could also Suggest geoip-database needed for this
module.

Regards.
\_o<

--
Marc Dequènes
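
Added example, not part of the original report or of the inspircd package: the Python below parses the two AVC denials quoted above and derives the narrowest file rule each one would need in the profile. The function names are hypothetical, and collapsing the create/delete masks to "w" is this example's choice, matching the write permission the reporter granted.

```python
import re

# The two denials quoted in the report above, each rejoined onto one line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1585731820.176:604602): apparmor="DENIED" operation="mknod" profile="/usr/sbin/inspircd" name="/etc/inspircd/xline.db.new" pid=28308 comm="inspircd" requested_mask="c" denied_mask="c" fsuid=39 ouid=39
type=AVC msg=audit(1585733319.998:605041): apparmor="DENIED" operation="open" profile="/usr/sbin/inspircd" name="/usr/share/GeoIP/GeoIP.dat" pid=7048 comm="inspircd" requested_mask="r" denied_mask="r" fsuid=39 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log mask letter -> profile permission. In a profile, "w" already covers
# create (c) and delete (d). Exec (x) is left out on purpose: it needs a
# transition qualifier (ix, px, ...) that a log line cannot decide.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w", "k": "k", "l": "l", "m": "m"}
PERM_ORDER = "rwaklm"


def parse_denial(line):
    """Return the fields of an AppArmor DENIED record, or None for other lines."""
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        # The audit subsystem hex-encodes names containing spaces or quotes.
        if bare and key == "name" and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = bare or quoted
    if fields.get("apparmor") != "DENIED" or "name" not in fields:
        return None
    return fields


def suggest_rules(log_text, profile):
    """Merge the denied masks per path for one profile into candidate file rules."""
    perms = {}
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec is None or rec.get("profile") != profile:
            continue
        masks = rec.get("denied_mask", "")
        perms.setdefault(rec["name"], set()).update(MASK_TO_PERM[m] for m in masks if m in MASK_TO_PERM)
    rules = []
    for path, wanted in sorted(perms.items()):
        if "w" in wanted:
            wanted.discard("a")  # "w" and "a" cannot be combined in one rule
        mode = "".join(p for p in PERM_ORDER if p in wanted)
        if mode:
            rules.append(f"{path} {mode},")
    return rules


if __name__ == "__main__":
    print("\n".join(suggest_rules(SAMPLE_AUDIT, "/usr/sbin/inspircd")))
```

The output is a list of candidate rules to review by hand; whether a daemon should be given write access under /etc at all, rather than under /var/lib as the report suggests, is a decision the log cannot make.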

Filippo Giunchedi

Jan 16, 2021, 12:40:03 PM
On Wed, Apr 01, 2020 at 07:03 PM, Marc Dequènes wrote:
> I added this line to the apparmor policy:
> /usr/share/GeoIP/GeoIP.dat r,
>
> Btw the package could also Suggest geoip-database needed for this module.

Thank you for the report, I'm not an apparmor expert but I'm happy to
include support in the package (at
https://salsa.debian.org/debian/inspircd)

Suggesting 'geoip-database' is a good idea, I'll add that!

Marc Dequènes

Jan 21, 2021, 3:40:05 PM
Quack,

On 2021-01-17 02:20, Filippo Giunchedi wrote:
> On Wed, Apr 01, 2020 at 07:03 PM, Marc Dequènes wrote:
>> I added this line to the apparmor policy:
>> /usr/share/GeoIP/GeoIP.dat r,
>>
>> Btw the package could also Suggest geoip-database needed for this
>> module.
>
> Thank you for the report, I'm not an apparmor expert but I'm happy to
> include support in the package (at
> https://salsa.debian.org/debian/inspircd)
>
> Suggesting 'geoip-database' is a good idea, I'll add that!

So that works for Inspircd v2. Not sure that's of much value now since
the release is close.

v3 now uses the GeoLite2 DB and that's not available without
registration IIUC. But for people OK to register there is the
geoipupdate package that can use a token to download it.
I have no idea where it stores the files but it should not be difficult
to get this information. Then you can simply update the path in the
apparmor profile.

Another suggestion: to allow admins to add little fixes or adaptations
to the apparmor policy I saw that several packages include a file in
/etc/apparmor.d/local/ (chronyd for eg), which is ignored if the file is
missing, very practical. For Inspircd that would give (at the end of the
rules but inside the brackets):
#include <local/usr.sbin.inspircd>

Hope that helps.
\_o<

--
Marc Dequènes

Sadie Powell

Mar 7, 2022, 11:30:03 AM
It seems like Debian are not shipping the AppArmor file that the InspIRCd build system generates and instead are shipping an incomplete custom one.

This problem can be fixed by using the AppArmor file that InspIRCd generates and installs to the script directory (named "apparmor").

Björn Lässig

Nov 3, 2022, 2:10:03 PM
Hi There

On Fri, 2021-01-22 at 05:20 +0900, Marc Dequènes (duck) wrote:
> Quack,
>
> On 2021-01-17 02:20, Filippo Giunchedi wrote:
> > On Wed, Apr 01, 2020 at 07:03 PM, Marc Dequènes wrote:
> > > I added this line to the apparmor policy:
> > >   /usr/share/GeoIP/GeoIP.dat r,
> > >
> > > Btw the package could also Suggest geoip-database needed for this
> > > module.
> >
> > Thank you for the report, I'm not an apparmor expert but I'm happy to
> > include support in the package (at
> > https://salsa.debian.org/debian/inspircd)
> >
> > Suggesting 'geoip-database' is a good idea, I'll add that!
>
> […]
>
> Another suggestion: to allow admins to add little fixes or adaptations
> to the apparmor policy I saw that several packages include a file in
> /etc/apparmor.d/local/ (chronyd for eg), which is ignored if the file is
> missing, very practical. For Inspircd that would give (at the end of the
> rules but inside the brackets):
> #include <local/usr.sbin.inspircd>

This Bug hit me too for using the permchannel module.
It would really really help us, if at least the

#include <local/usr.sbin.inspircd>

would make it to the next debian release.

greeting and thanks
Björn Lässig