
Bug#932501: squid-deb-proxy: daemon does not start due to the conf file not being allowed by apparmor


jfp

Jul 20, 2019, 1:00:02 AM
Source: squid-deb-proxy
Severity: important
Tags: patch

Dear Maintainer,

squid-deb-proxy fails to start due to the conf file not being allowed by
apparmor:
Jul 20 16:28:48 Tardis squid: FATAL: Unable to open configuration file:
/etc/squid-deb-proxy/squid-deb-proxy.conf: (13) Permission denied
Jul 20 16:28:48 Tardis squid-deb-proxy[10170]: failed!
Jul 20 16:35:30 Tardis squid-deb-proxy[10276]: Stopping Squid Deb HTTP Proxy:
squid-deb-proxy.
Jul 20 16:35:30 Tardis systemd[1]: squid-deb-proxy.service: Succeeded.
Jul 20 16:35:30 Tardis kernel: [4157921.317296] audit: type=1400
audit(1563597330.601:32): apparmor="DENIED" operation="open"
profile="/usr/sbin/squid" name="/etc/squid-deb-proxy/squid-deb-proxy.conf"
pid=10301 comm="squid" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 20 16:35:30 Tardis squid-deb-proxy[10284]: Starting Squid Deb HTTP Proxy:
squid-deb-proxy2019/07/20 16:35:30| FATAL: Unable to open configuration file:
/etc/squid-deb-proxy/squid-deb-proxy.conf: (13) Permission denied

The fix is to add
/etc/squid-deb-proxy/** r,
to
/etc/apparmor.d/usr.sbin.squid

Then
apparmor_parser -r /etc/apparmor.d/usr.sbin.squid
systemctl restart squid-deb-proxy

#And test
dig +nocmd +noall +answer @224.0.0.251 -p 5353 -t ptr _apt_proxy._tcp.local



-- System Information:
Debian Release: bullseye/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8), LANGUAGE=en_NZ:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Jean-Francois Pirus

Jul 20, 2019, 7:40:02 PM

Sorry, I ran the reportbug on my workstation running sid, where it works but has warnings.
See below:

The issue is in Buster/Stable:
squid                                 4.6-2
squid-common                          4.6-2
squid-deb-proxy                       0.8.14+nmu2
squid-deb-proxy-client                0.8.14+nmu2
squid-langpack                        20190110-1


Sid warnings:
Jul 21 11:14:24 tosh squid-deb-proxy[13986]: Starting Squid Deb HTTP Proxy: squid-deb-proxy2019/07/21 11:14:24| ERROR: Can not open file /etc/squid-deb-proxy/autogenerated/allowed-networks-src.acl for reading
Jul 21 11:14:24 tosh squid-deb-proxy[13986]: 2019/07/21 11:14:24| Warning: empty ACL: acl allowed_networks src "/etc/squid-deb-proxy/autogenerated/allowed-networks-src.acl"
Jul 21 11:14:24 tosh squid-deb-proxy[13986]: 2019/07/21 11:14:24| ERROR: Can not open file /etc/squid-deb-proxy/autogenerated/mirror-dstdomain.acl for reading
Jul 21 11:14:24 tosh squid-deb-proxy[13986]: 2019/07/21 11:14:24| Warning: empty ACL: acl to_archive_mirrors dstdomain "/etc/squid-deb-proxy/autogenerated/mirror-dstdomain.acl"
Jul 21 11:14:24 tosh squid-deb-proxy[13986]: 2019/07/21 11:14:24| ERROR: Can not open file /etc/squid-deb-proxy/autogenerated/pkg-blacklist-regexp.acl for reading
Jul 21 11:14:24 tosh squid-deb-proxy[13986]: 2019/07/21 11:14:24| Warning: empty ACL: acl blockedpkgs urlpath_regex "/etc/squid-deb-proxy/autogenerated/pkg-blacklist-regexp.acl"
Jul 21 11:14:24 tosh squid-deb-proxy[13986]: 2019/07/21 11:14:24| Created PID file (/var/run/squid-deb-proxy.pid)
Jul 21 11:14:24 tosh squid-deb-proxy[13986]: 2019/07/21 11:14:24| Current Directory is /
Jul 21 11:14:24 tosh squid-deb-proxy[13986]: 2019/07/21 11:14:24| Creating missing swap directories
Jul 21 11:14:24 tosh squid-deb-proxy[13986]: 2019/07/21 11:14:24| /var/cache/squid-deb-proxy exists
Jul 21 11:14:24 tosh squid-deb-proxy[13986]: 2019/07/21 11:14:24| Making directories in /var/cache/squid-deb-proxy/00
Jul 21 11:14:24 tosh squid-deb-proxy[13986]: 2019/07/21 11:14:24| Making directories in /var/cache/squid-deb-proxy/01
Jul 21 11:14:24 tosh squid-deb-proxy[13986]: 2019/07/21 11:14:24| Making directories in /var/cache/squid-deb-proxy/02
Jul 21 11:14:24 tosh squid-deb-proxy[13986]: 2019/07/21 11:14:24| Making directories in /var/cache/squid-deb-proxy/03
Jul 21 11:14:24 tosh squid-deb-proxy[13986]: 2019/07/21 11:14:24| Making directories in /var/cache/squid-deb-proxy/04
Jul 21 11:14:24 tosh squid-deb-proxy[13986]: 2019/07/21 11:14:24| Making directories in /var/cache/squid-deb-proxy/05
Jul 21 11:14:24 tosh squid-deb-proxy[13986]: 2019/07/21 11:14:24| Making directories in /var/cache/squid-deb-proxy/06
Jul 21 11:14:24 tosh squid-deb-proxy[13986]: 2019/07/21 11:14:24| Making directories in /var/cache/squid-deb-proxy/07
Jul 21 11:14:24 tosh squid-deb-proxy[13986]: 2019/07/21 11:14:24| Making directories in /var/cache/squid-deb-proxy/08
Jul 21 11:14:24 tosh squid-deb-proxy[13986]: 2019/07/21 11:14:24| Making directories in /var/cache/squid-deb-proxy/09
Jul 21 11:14:24 tosh squid-deb-proxy[13986]: 2019/07/21 11:14:24| Making directories in /var/cache/squid-deb-proxy/0A
Jul 21 11:14:24 tosh squid-deb-proxy[13986]: 2019/07/21 11:14:24| Making directories in /var/cache/squid-deb-proxy/0B
Jul 21 11:14:24 tosh squid-deb-proxy[13986]: 2019/07/21 11:14:24| Making directories in /var/cache/squid-deb-proxy/0C
Jul 21 11:14:24 tosh squid-deb-proxy[13986]: 2019/07/21 11:14:24| Making directories in /var/cache/squid-deb-proxy/0D
Jul 21 11:14:24 tosh squid-deb-proxy[13986]: 2019/07/21 11:14:24| Making directories in /var/cache/squid-deb-proxy/0E
Jul 21 11:14:24 tosh squid-deb-proxy[13986]: 2019/07/21 11:14:24| Making directories in /var/cache/squid-deb-proxy/0F
Jul 21 11:14:24 tosh squid-deb-proxy[13986]: 2019/07/21 11:14:24| Removing PID file (/var/run/squid-deb-proxy.pid)
Jul 21 11:14:24 tosh squid-deb-proxy[13986]: 2019/07/21 11:14:24| gnutls_certificate_credentials destruct this=0x55bf7c9a17e0
Jul 21 11:14:24 tosh squid-deb-proxy[13986]: 2019/07/21 11:14:24| Warning: empty ACL: acl blockedpkgs urlpath_regex "/etc/squid-deb-proxy/autogenerated/pkg-blacklist-regexp.acl"
Jul 21 11:14:24 tosh avahi-daemon[887]: Loading service file /services/squid-deb-proxy.service.
Jul 21 11:14:24 tosh squid-deb-proxy[13986]: .
Jul 21 11:14:25 tosh avahi-daemon[887]: Service "Squid deb proxy on Tosh" (/services/squid-deb-proxy.service) successfully established.



Graham Cobb

Dec 1, 2019, 2:20:04 PM
Package: squid-deb-proxy
Version: 0.8.14+nmu2
Followup-For: Bug #932501

I am just updating this report to indicate that this bug still exists in
this version.

The workaround in the original report seems to work, but without it,
squid-deb-proxy is useless.


-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IE.utf8, LC_CTYPE=en_IE.utf8 (charmap=UTF-8) (ignored: LC_ALL set to en_IE.utf8), LANGUAGE=en_IE.utf8 (charmap=UTF-8) (ignored: LC_ALL set to en_IE.utf8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages squid-deb-proxy depends on:
ii debconf [debconf-2.0] 1.5.73
ii squid 4.9-2

Versions of packages squid-deb-proxy recommends:
ii avahi-utils 0.7-4+b1

squid-deb-proxy suggests no packages.

-- Configuration Files:
/etc/squid-deb-proxy/squid-deb-proxy.conf changed [not included]

-- no debconf information

Jérémy Viès

Apr 13, 2021, 2:20:04 PM
Hi,

Just to confirm the issue is still present in bullseye current release.
I had to add the following lines to apparmor configuration to make it work.

  /etc/squid-deb-proxy/** r,
  /var/log/squid-deb-proxy/* rw,
  /run/squid-deb-proxy.pid rwk,
  /var/cache/squid-deb-proxy/** rw,

Best regards

Hideki Yamane

Jun 14, 2021, 11:50:03 AM
Thank you, put it to debdiff now.


diff -Nru squid-deb-proxy-0.8.15/debian/apparmor-profiles/squid-deb-proxy squid-deb-proxy-0.8.15+nmu1/debian/apparmor-profiles/squid-deb-proxy
--- squid-deb-proxy-0.8.15/debian/apparmor-profiles/squid-deb-proxy 1970-01-01 09:00:00.000000000 +0900
+++ squid-deb-proxy-0.8.15+nmu1/debian/apparmor-profiles/squid-deb-proxy 2021-06-14 23:38:09.000000000 +0900
@@ -0,0 +1,6 @@
+# vim:syntax=apparmor
+
+ /etc/squid-deb-proxy/** r,
+ /var/log/squid-deb-proxy/* rw,
+ /run/squid-deb-proxy.pid rwk,
+ /var/cache/squid-deb-proxy/** rw,
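
Review bot: the new debian/apparmor-profiles/squid-deb-proxy file is a bare list of file rules with no comment naming the profile that is meant to include it, and no other hunk in this debdiff adds an include for it. Please add a header comment stating which profile must pull this file in, and say in the changelog how that include is expected to happen.
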
diff -Nru squid-deb-proxy-0.8.15/debian/changelog squid-deb-proxy-0.8.15+nmu1/debian/changelog
--- squid-deb-proxy-0.8.15/debian/changelog 2020-01-19 03:00:55.000000000 +0900
+++ squid-deb-proxy-0.8.15+nmu1/debian/changelog 2021-06-14 23:41:11.000000000 +0900
@@ -1,3 +1,10 @@
+squid-deb-proxy (0.8.15+nmu1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Add apparmor profiles to work (Closes: #932501)
+
+ -- Hideki Yamane <hen...@debian.org> Mon, 14 Jun 2021 23:41:11 +0900
+
squid-deb-proxy (0.8.15) unstable; urgency=medium

[ Graham Cantin ]
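
Review bot: the changelog line "Add apparmor profiles to work" describes a profile, but the debdiff installs a rule fragment under etc/apparmor.d/abstractions/. Suggest wording that names what is shipped and where, for example "Ship AppArmor abstraction with the paths squid-deb-proxy needs".
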
diff -Nru squid-deb-proxy-0.8.15/debian/squid-deb-proxy.dirs squid-deb-proxy-0.8.15+nmu1/debian/squid-deb-proxy.dirs
--- squid-deb-proxy-0.8.15/debian/squid-deb-proxy.dirs 2020-01-10 19:02:40.000000000 +0900
+++ squid-deb-proxy-0.8.15+nmu1/debian/squid-deb-proxy.dirs 2021-06-14 23:40:40.000000000 +0900
@@ -1,2 +1,3 @@
etc/resolvconf/update-libc.d
+etc/apparmor.d/abstractions/squid-deb-proxy
var/log/squid-deb-proxy
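
Review bot: the added "etc/apparmor.d/abstractions/squid-deb-proxy" entry in squid-deb-proxy.dirs creates that path as a directory, so the abstraction cannot be a single file of that name. If one file is intended, drop this entry; if a directory is intended, document that choice.
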
diff -Nru squid-deb-proxy-0.8.15/debian/squid-deb-proxy.install squid-deb-proxy-0.8.15+nmu1/debian/squid-deb-proxy.install
--- squid-deb-proxy-0.8.15/debian/squid-deb-proxy.install 2020-01-10 19:02:40.000000000 +0900
+++ squid-deb-proxy-0.8.15+nmu1/debian/squid-deb-proxy.install 2021-06-14 23:40:21.000000000 +0900
@@ -1,3 +1,4 @@
../update-libc.d etc/resolvconf/
etc/squid-deb-proxy
init-common.sh usr/share/squid-deb-proxy/
+../apparmor-profiles/* etc/apparmor.d/abstractions/squid-deb-proxy/
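
Review bot: the destination in "../apparmor-profiles/* etc/apparmor.d/abstractions/squid-deb-proxy/" is a directory, so the rule file lands one level deeper, at etc/apparmor.d/abstractions/squid-deb-proxy/squid-deb-proxy. Installing to "etc/apparmor.d/abstractions/" instead would give the path abstractions/squid-deb-proxy.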

Sebastian Ramacher

Jul 18, 2021, 4:50:03 PM
Control: reopen -1

The fix is incomplete. The version in unstable fails to start with the
same error.

Cheers

On 2021-06-18 12:27:03 +0000, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the src:squid-deb-proxy package:
>
> #932501: squid-deb-proxy: daemon does not start due to the conf file not being allowed by apparmor
>
> It has been closed by Debian FTP Masters <ftpm...@ftp-master.debian.org> (reply to Hideki Yamane <hen...@debian.org>).
>
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Debian FTP Masters <ftpm...@ftp-master.debian.org> (reply to Hideki Yamane <hen...@debian.org>) by
> replying to this email.
>
>
> --
> 932501: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932501
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems

> Date: Fri, 18 Jun 2021 12:23:38 +0000
> From: Debian FTP Masters <ftpm...@ftp-master.debian.org>
> To: 932501...@bugs.debian.org
> Subject: Bug#932501: fixed in squid-deb-proxy 0.8.15+nmu1
> Reply-To: Hideki Yamane <hen...@debian.org>
> Message-Id: <E1luDX8-...@fasolo.debian.org>
>

> Date: Sat, 20 Jul 2019 16:46:08 +1200
> From: jfp <j...@clearfield.com>
> To: Debian Bug Tracking System <sub...@bugs.debian.org>
> Subject: squid-deb-proxy: daemon does not start due to the conf file not
> being allowed by apparmor
> Message-ID: <156359796858.12274.95082...@tosh.clearfield.private>
--
Sebastian Ramacher

Jukka Neppius

Aug 19, 2021, 5:20:04 AM
After upgrade to bullseye I get:

Aug 19 09:56:59 dell2 systemd[1]: Starting LSB: Squid Deb Package HTTP Proxy...
Aug 19 09:56:59 dell2 squid-deb-proxy[6871]: Starting Squid Deb HTTP Proxy: squid-deb-proxy
Aug 19 09:56:59 dell2 squid-deb-proxy[6878]: 2021/08/19 09:56:59| FATAL: Unable to open configuration file: /etc/squid-deb-proxy/squid-deb-proxy.conf: (13) Permission denied
Aug 19 09:56:59 dell2 squid-deb-proxy[6878]: 2021/08/19 09:56:59| Squid Cache (Version 4.13): Terminated abnormally.
Aug 19 09:56:59 dell2 squid-deb-proxy[6878]: CPU Usage: 0.022 seconds = 0.015 user + 0.007 sys
Aug 19 09:56:59 dell2 squid-deb-proxy[6878]: Maximum Resident Size: 50240 KB
Aug 19 09:56:59 dell2 squid-deb-proxy[6878]: Page faults with physical i/o: 0
Aug 19 09:57:00 dell2 squid-deb-proxy[6889]: 2021/08/19 09:57:00| FATAL: Unable to open configuration file: /etc/squid-deb-proxy/squid-deb-proxy.conf: (13) Permission denied
Aug 19 09:57:00 dell2 squid-deb-proxy[6889]: 2021/08/19 09:57:00| Squid Cache (Version 4.13): Terminated abnormally.
Aug 19 09:57:00 dell2 squid-deb-proxy[6889]: CPU Usage: 0.023 seconds = 0.011 user + 0.011 sys
Aug 19 09:57:00 dell2 squid-deb-proxy[6889]: Maximum Resident Size: 50608 KB
Aug 19 09:57:00 dell2 squid-deb-proxy[6889]: Page faults with physical i/o: 0
Aug 19 09:57:00 dell2 squid-deb-proxy[6890]: failed!
Aug 19 09:57:00 dell2 systemd[1]: Started LSB: Squid Deb Package HTTP Proxy.


drwxr-xr-x 6 root root 4096 18. 8. 22:16 /etc/squid-deb-proxy
-rw-r--r-- 1 root root 3368 26. 2. 2019 /etc/squid-deb-proxy/squid-deb-proxy.conf

ls -lc /etc/apparmor.d/usr.sbin.squid
-rw-r--r-- 1 root root 1485 18. 8. 22:15 /etc/apparmor.d/usr.sbin.squid

So it came with upgrade. I have not modified it yet.
It has '/etc/squid/** r,'

I added:

/etc/squid-deb-proxy/** r,
/var/log/squid-deb-proxy/* rw,
/var/run/squid-deb-proxy.pid rwk,
and non-standard /data/cache/squid-deb-proxy/** rw, because I have moved squid cache

Thanks to Jérémy Viès

apparmor_parser -r /etc/apparmor.d/usr.sbin.squid
systemctl restart squid-deb-proxy

Thanks to jfp

Aug 19 11:35:29 dell2 systemd[1]: Starting LSB: Squid Deb Package HTTP Proxy...
Aug 19 11:35:29 dell2 squid-deb-proxy[8952]: Starting Squid Deb HTTP Proxy: squid-deb-proxy
Aug 19 11:35:29 dell2 squid-deb-proxy[8960]: 2021/08/19 11:35:29| Warning: empty ACL: acl blockedpkgs urlpath_regex "/etc/squid-deb-proxy/autogenerated/pkg-blacklist-regexp.acl"
Aug 19 11:35:29 dell2 squid-deb-proxy[8960]: 2021/08/19 11:35:29| FATAL: failed to open /var/run/squid-deb-proxy.pid: (13) Permission denied
Aug 19 11:35:29 dell2 squid-deb-proxy[8960]: exception location: File.cc(190) open
Aug 19 11:35:29 dell2 squid-deb-proxy[8971]: 2021/08/19 11:35:29| Warning: empty ACL: acl blockedpkgs urlpath_regex "/etc/squid-deb-proxy/autogenerated/pkg-blacklist-regexp.acl"
Aug 19 11:35:29 dell2 avahi-daemon[457]: Files changed, reloading.
Aug 19 11:35:29 dell2 avahi-daemon[457]: Loading service file /services/squid-deb-proxy.service.
Aug 19 11:35:29 dell2 squid-deb-proxy[8952]: .
Aug 19 11:35:29 dell2 systemd[1]: Started LSB: Squid Deb Package HTTP Proxy.

I changed to
/run/squid-deb-proxy.pid rwk,
because: lrwxrwxrwx 1 root root 4 15. 1. 2015 /var/run -> /run

Now it works! Only those 'empty ACL' warnings remain.

- jkn
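
Added example (not part of the original post or of the squid-deb-proxy package): a small Python checker that replays AppArmor denial records against the rule lists quoted above, showing why the /var/run/ rule still left the PID file denied while the /run/ rule does not. It handles only the *, ** and ? globs and plain "PATH PERMS," rules; log records 2 and 3 are constructed, on the assumption that the kernel reports the resolved path /run/squid-deb-proxy.pid.

```python
import re

# Constructed sample log: record 1 is the denial from the original report
# (joined onto one line); records 2 and 3 are constructed for illustration.
SAMPLE_LOG = """\
Jul 20 16:35:30 Tardis kernel: [4157921.317296] audit: type=1400 audit(1563597330.601:32): apparmor="DENIED" operation="open" profile="/usr/sbin/squid" name="/etc/squid-deb-proxy/squid-deb-proxy.conf" pid=10301 comm="squid" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(0.0:1): apparmor="DENIED" operation="mknod" profile="/usr/sbin/squid" name="/run/squid-deb-proxy.pid" pid=1 comm="squid" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
kernel: audit: type=1400 audit(0.0:2): apparmor="DENIED" operation="open" profile="/usr/sbin/squid" name="/var/log/squid-deb-proxy/access.log" pid=1 comm="squid" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
"""
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
AUDIT_TO_RULE = {"c": "w", "d": "w"}  # create/delete are granted by "w"

def parse_denials(log_text):
    """Return (profile, path, denied_mask) for each AppArmor DENIED record."""
    out = []
    for line in log_text.splitlines():
        f = {k: q or bare for k, q, bare in FIELD.findall(line)}
        if f.get("apparmor") == "DENIED" and "name" in f:
            out.append((f.get("profile", ""), f["name"], f.get("denied_mask", "")))
    return out

def glob_to_regex(glob):
    """Translate the glob subset used in this thread: ** crosses '/', * does not."""
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.split(r"(\*\*|\*|\?)", glob)
    return re.compile("".join(table.get(p, re.escape(p)) for p in parts))

def parse_rules(text):
    """Parse 'PATH PERMS,' file rules into (regex, permission set) pairs."""
    found = re.findall(r"^\s*(/\S*)\s+([rwaklmx]+)\s*,", text, re.M)
    return [(glob_to_regex(path), set(perms)) for path, perms in found]

def uncovered(denials, rules):
    """List (path, missing perms) for denials the rule set would still refuse."""
    gaps = []
    for _profile, path, mask in denials:
        needed = {AUDIT_TO_RULE.get(ch, ch) for ch in mask}
        for rx, perms in rules:
            if rx.fullmatch(path):
                needed -= perms
        if needed:
            gaps.append((path, "".join(sorted(needed))))
    return gaps

# Rule sets quoted in the post above: first attempt, then the corrected PID path.
FIRST_TRY = """
  /etc/squid-deb-proxy/** r,
  /var/log/squid-deb-proxy/* rw,
  /var/run/squid-deb-proxy.pid rwk,
"""
FIXED = FIRST_TRY.replace("/var/run/", "/run/")

if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOG)
    print("first try:", uncovered(denials, parse_rules(FIRST_TRY)))
    print("fixed:    ", uncovered(denials, parse_rules(FIXED)))
```
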

Stefano Rivera

Jul 21, 2023, 9:20:05 AM
Hi Adrian (2021.05.30_21:44:58_+0200)
> severity 932501 serious
I'm wondering if this bug should really be serious. Squid's apparmor
config is shipped disabled, so one has to manually enable it to trigger
this bug.

I would have gone for normal/important.

I don't know what the correct solution to this bug is. Presumably one
has to get the squid profile to include the abstraction that
squid-deb-proxy provides. I don't know how this is usually done in a
Debian package. Maybe one of the apparmor team can comment.

Stefano

--
Stefano Rivera
http://tumbleweed.org.za/
+1 415 683 3272

Christian Boltz

Jul 22, 2023, 3:51:35 PM
Hello,

On Friday, 21 July 2023, 15:05:52 CEST, Stefano Rivera wrote:
> > severity 932501 serious
>
> I'm wondering if this bug should really be serious. Squid's apparmor
> config is shipped disabled, so one has to manually enable it to
> trigger this bug.
>
> I would have gone for normal/important.
>
> I don't know what the correct solution to this bug is. Presumably one
> has to get the squid profile to include the abstraction that
> squid-deb-proxy provides. I don't know how this is usually done in a
> Debian package. Maybe one of the apparmor team can comment.

The interesting part is that the abstraction is shipped in squid-deb-
proxy, while the squid profile comes from another package (I didn't check
which one).

I guess the best you can have is to add
include if exists <abstractions/squid-deb-proxy>
in the squid profile so that it will include the abstraction if it
exists, and doesn't complain if it doesn't.

Note that the AppArmor profile cache is only timestamp-based [1], so if
you install squid-deb-proxy (and had the squid AppArmor profile loaded
before), it might happen that the cache file is newer than the squid-deb-
proxy abstraction, with the result that the cache doesn't get updated.
(Workaround: delete the cache file, then reload the profile.)


The alternative is to add the rules needed for squid-deb-proxy directly
to the squid profile. This adds some "superfluous" rules for people who
don't use squid-deb-proxy, but on the positive side it avoids the cache
issue.


BTW: https://packages.debian.org/sid/all/squid-deb-proxy/filelist says
the abstraction is packaged as
/etc/apparmor.d/abstractions/squid-deb-proxy/squid-deb-proxy
which looks slightly wrong ;-) It should just be
/etc/apparmor.d/abstractions/squid-deb-proxy
(assuming no other files get deployed to
/etc/apparmor.d/abstractions/squid-deb-proxy/ )

Bonus points if you add
include if exists <abstractions/squid-deb-proxy.d>
to the abstraction ;-)


For the record: include if exists needs AppArmor >= 3.0 userspace.


Regards,

Christian Boltz

[1] Using a better cache validation method like checking the checksum of
the text profile is on the TODO list upstream, but not implemented
yet.
--
[SuSE vs. SUSE] As a friend of mine elsewhere remarked, the picky
spelling capitalization scheme reinforces the idea that Linux is
case-sensitive, so these are "sensitive" issues and certainly worth
discussing (for us, at least)! :) [Shriramana Sharma in opensuse]