
apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied


steve
Oct 16, 2018, 1:40:04 AM

Hi there,

Purged and then reinstalled apache2 and when I want to start apache2,
here's what I get:

# systemctl status apache2.service
● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2018-10-16 07:22:02 CEST; 13s ago
  Process: 32122 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)

oct 16 07:22:01 box systemd[1]: Starting The Apache HTTP Server...
oct 16 07:22:01 box apachectl[32122]: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied
oct 16 07:22:02 box apachectl[32122]: Action 'start' failed.
oct 16 07:22:02 box apachectl[32122]: The Apache error log may have more information.
oct 16 07:22:02 box systemd[1]: apache2.service: Control process exited, code=exited status=1
oct 16 07:22:02 box systemd[1]: apache2.service: Failed with result 'exit-code'.
oct 16 07:22:02 box systemd[1]: Failed to start The Apache HTTP Server.


ls -l /etc/apache2/apache2.conf
-rw-r--r-- 1 root root 7224 jun 2 10:01 /etc/apache2/apache2.conf


Getting nuts.

Any ideas?

Thanks

Steve Kemp
Oct 16, 2018, 2:50:04 AM

>
> ls -l /etc/apache2/apache2.conf
> -rw-r--r-- 1 root root 7224 jun 2 10:01 /etc/apache2/apache2.conf
>
>
> Getting nuts.

Probably the permissions on /etc/apache2, or /etc are broken for the
user www-data.

Assuming you have sudo installed you can become "www-data", and test:

sudo su - www-data -s /bin/sh
cd /etc/
cd apache2
cat apache2.conf

Steve
--

Reco
Oct 16, 2018, 3:00:05 AM

Hi.

On Tue, Oct 16, 2018 at 07:31:17AM +0200, steve wrote:
> Hi there,
>
> Purged and then reinstalled apache2 and when I want to start apache2,
> here's what I get:
>
> # systemctl status apache2.service
> ● apache2.service - The Apache HTTP Server
> Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
> Active: failed (Result: exit-code) since Tue 2018-10-16 07:22:02 CEST; 13s ago
> Process: 32122 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)
>
> oct 16 07:22:01 box systemd[1]: Starting The Apache HTTP Server...
> oct 16 07:22:01 box apachectl[32122]: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied
> oct 16 07:22:02 box apachectl[32122]: Action 'start' failed.
> oct 16 07:22:02 box apachectl[32122]: The Apache error log may have more information.

So, does the 'Apache error log' have anything useful?

> ls -l /etc/apache2/apache2.conf
> -rw-r--r-- 1 root root 7224 jun 2 10:01 /etc/apache2/apache2.conf

First things first, it's 'ls -lZ /etc/apache2/apache2.conf'.
Next thing to check is 'ls -ald / /etc /etc/apache2'.
And, finally, /var/log/audit/audit.log if you have auditd installed
(hint - install it if you don't).

Reco

Martin
Oct 16, 2018, 4:10:04 AM

Am 16.10.18 um 07:31 schrieb steve:
> Hi there,
>
> Purged and then reinstalled apache2 and when I want to start apache2,
> here's what I get:
>
> # systemctl status apache2.service

What is your 'id'?

> ● apache2.service - The Apache HTTP Server
>   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
>   Active: failed (Result: exit-code) since Tue 2018-10-16 07:22:02 CEST; 13s ago
>  Process: 32122 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)
>
> oct 16 07:22:01 box systemd[1]: Starting The Apache HTTP Server...
> oct 16 07:22:01 box apachectl[32122]: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied
> oct 16 07:22:02 box apachectl[32122]: Action 'start' failed.
> oct 16 07:22:02 box apachectl[32122]: The Apache error log may have more information.
> oct 16 07:22:02 box systemd[1]: apache2.service: Control process exited, code=exited status=1
> oct 16 07:22:02 box systemd[1]: apache2.service: Failed with result 'exit-code'.
> oct 16 07:22:02 box systemd[1]: Failed to start The Apache HTTP Server.

Do you have any SSLCertificateKeyFile configured? Check permissions first, as a normal user cannot read those.

Martin
Oct 16, 2018, 4:20:04 AM

Am 16.10.18 um 08:39 schrieb Steve Kemp:
>>
>> ls -l /etc/apache2/apache2.conf
>> -rw-r--r-- 1 root root 7224 jun 2 10:01 /etc/apache2/apache2.conf
[...]
> sudo su - www-data -s /bin/sh

Don't use sudo with su. It is evil.
You want to use 'sudo -i' in this case.

[...]

Joe
Oct 16, 2018, 4:50:04 AM

Surely apache2 starts up as root, in order to obtain port 80, and then
drops privilege to www-data? It must read the configuration files while
root, or else it wouldn't know which port(s) it should request.

--
Joe

Jonathan Dowland
Oct 16, 2018, 6:00:05 AM

On Tue, Oct 16, 2018 at 10:09:39AM +0200, Martin wrote:
>> sudo su - www-data -s /bin/sh
>
>Don't use sudo with su. It is evil.
>You want to use 'sudo -i' in this case.

Fascism is evil. This is just unnecessary.

(I'm guilty of still typing "sudo su -" via muscle memory even after
your messages on the subject. I asked a former UNIX sysadmin colleague
of mine and he does the same. We suspect that it was from our days
supporting Solaris, and a sudo that did not implement -i.)

--

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄⠀⠀⠀⠀ Please do not CC me, I am subscribed to the list.

Martin
Oct 16, 2018, 6:20:04 AM

Am 16.10.18 um 11:56 schrieb Jonathan Dowland:
> On Tue, Oct 16, 2018 at 10:09:39AM +0200, Martin wrote:
>>>     sudo su - www-data -s /bin/sh
>>
>> Don't use sudo with su. It is evil.
>> You want to use 'sudo -i' in this case.
>
> Fascism is evil. This is just unnecessary.

Good point.

>
> (I'm guilty of still typing "sudo su -" via muscle memory even after
> your messages on the subject. I asked a former UNIX sysadmin colleague
> of mine and he does the same. We suspect that it was from our days
> supporting Solaris, and a sudo that did not implement -i.)

I know. And if I do right, it was not even officially available for Solaris. It came from this Sunfreeware site. Which still exists with a sudo version from 2014.

Cheers on that, old man!!

Gene Heskett
Oct 16, 2018, 11:30:05 AM

On Tuesday 16 October 2018 05:56:31 Jonathan Dowland wrote:

> On Tue, Oct 16, 2018 at 10:09:39AM +0200, Martin wrote:
> >> sudo su - www-data -s /bin/sh
> >
> >Don't use sudo with su. It is evil.
> >You want to use 'sudo -i' in this case.
>
> Fascism is evil. This is just unnecessary.
>
> (I'm guilty of still typing "sudo su -" via muscle memory even after
> your messages on the subject. I asked a former UNIX sysadmin colleague
> of mine and he does the same. We suspect that it was from our days
> supporting Solaris, and a sudo that did not implement -i.)

Since leaving a sudo -i laying about is considered a security breach, I'm
amazed that the -i option doesn't accept a timeout. Say in seconds, as
if you think it will take 5 minutes to do the job as root, sudo -i300,
at the end of which it expires. That makes more sense than
the "-i"less 1/2 minute of inactivity to me. At least the exposure is
limited to less time than it takes to refill your caffeine container and
catch up on the gossip at the water fountain. ;-)

--
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>

Greg Wooledge
Oct 16, 2018, 11:40:05 AM

On Tue, Oct 16, 2018 at 11:28:44AM -0400, Gene Heskett wrote:
> Since leaving a sudo -i laying about is considered a security breach, I'm
> amazed that the -i option doesn't accept a timeout. Say in seconds, as
> if you think it will take 5 minutes to do the job as root, sudo -i300,
> at the ends of which it expires.

You could set the TMOUT variable in the resulting shell, either manually
or by a setting in some rc file (e.g. /root/.bashrc if that's what the
shell reads).

Gene Heskett
Oct 16, 2018, 12:20:04 PM

This would be about as handy as a 2x2 alongside the ear, by making it
automatic but fixed. On this machine, 10 minutes is a great plenty to
run synaptic, but on the pi, 20 minutes or more would be needed. So
what's wrong with the sudo timeout being set at the launch time? And
sitting here thinking, that's not a bad idea as you could set a shorter
time than it takes to do whatever, in the meantime it's timed out, so
whenever that utility gets done, the su has long since timed out,
leaving no exposure when whatever was launched with root priv's keeps on
doing what it does. Best of both IMO.

Something to consider, Greg, and thank you.

Gene Heskett
Oct 16, 2018, 12:30:05 PM

On Tuesday 16 October 2018 11:37:44 Greg Wooledge wrote:

Okayyy, TMOUT=30, and 30 seconds later it does time out, returning me to
my user prompt.

And I ran synaptic and it didn't time out till 30 secs after I had quit
synaptic, which leaves an exploitable hole. Synaptic took way more than
the 30 I set TMOUT to. Ideally it should have returned to the user's
prompt at the synaptic exit, or would that leave trash behind?

Anyway, many thanks for the schooling, Greg. Even after 20 years, I
hadn't heard of that before.

David Wright
Oct 16, 2018, 6:50:03 PM

On Tue 16 Oct 2018 at 12:24:49 (-0400), Gene Heskett wrote:
> On Tuesday 16 October 2018 11:37:44 Greg Wooledge wrote:
>
> > On Tue, Oct 16, 2018 at 11:28:44AM -0400, Gene Heskett wrote:
> > > Since leaving a sudo -i laying about is considered a security
> > > breach, I'm amazed that the -i option doesn't accept a timeout. Say
> > > in seconds, as if you think it will take 5 minutes to do the job as
> > > root, sudo -i300, at the ends of which it expires.
> >
> > You could set the TMOUT variable in the resulting shell, either
> > manually or by a setting in some rc file (e.g. /root/.bashrc if that's
> > what the shell reads).
>
> Okayyy, TMOUT=30, and 30 seconds later it does time out, returning me to
> my user prompt.
>
> And I ran synaptic and it didn't time out till 30 secs after I had quit
> synaptic which leaves an exploitable hole. Synaptic took way more, than
> the 30 I set TMOUT to. Ideally it should have returned to the users
> prompt at the synaptic exit, or would that leave trash behind?
>
> Anyway, many thanks for the schooling, Greg. Even after 20 years, I
> hadn't heard of that before.

Hm, to be honest, TMOUT seems like a historical relic of a bygone era
when using an idle login shell implied that you were hogging a slot
that others were waiting to access. (And when the shell exited, we
neighbouring users would have to endure the motor noise of their
A/KSR 33 until *its* timeout expired.)

If you want a suicidal command that logs you out as soon as you quit,
you could wrap it up as a bash function and put it into root's .bashrc;
something like for example

function aptitude-pop {
    aptitude
    exit    # leave the root shell as soon as aptitude returns
}

Cheers,
David.

steve
Oct 17, 2018, 12:40:04 AM

Le 16-10-2018, à 09:51:22 +0300, Reco a écrit :

> Hi.
>
>On Tue, Oct 16, 2018 at 07:31:17AM +0200, steve wrote:
>> Hi there,
>>
>> Purged and then reinstalled apache2 and when I want to start apache2,
>> here's what I get:
>>
>> # systemctl status apache2.service
>> ● apache2.service - The Apache HTTP Server
>> Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
>> Active: failed (Result: exit-code) since Tue 2018-10-16 07:22:02 CEST; 13s ago
>> Process: 32122 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)
>>
>> oct 16 07:22:01 box systemd[1]: Starting The Apache HTTP Server...
>> oct 16 07:22:01 box apachectl[32122]: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied
>> oct 16 07:22:02 box apachectl[32122]: Action 'start' failed.
>> oct 16 07:22:02 box apachectl[32122]: The Apache error log may have more information.
>
>So, does the 'Apache error log' have anything useful?

Nothing. It's empty.


>> ls -l /etc/apache2/apache2.conf
>> -rw-r--r-- 1 root root 7224 jun 2 10:01 /etc/apache2/apache2.conf
>
>First things first, it's 'ls -lZ /etc/apache2/apache2.conf'.

# ls -lZ /etc/apache2/apache2.conf
-rw-r--r-- 1 root root ? 7224 jun 2 10:01 /etc/apache2/apache2.conf

>Next thing to check is 'ls -ald / /etc /etc/apache2'.

# ls -ald /etc/apache2
drwxr-xr-x 8 root root 4096 oct 16 07:21 /etc/apache2

>And, finally, /var/log/audit/audit.log if you have auditd installed
>(hint - install it if you don't).

grep apache /var/log/audit/audit.log

type=AVC msg=audit(1539750555.347:76): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/gai.conf" pid=17485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1539750555.347:76): arch=c000003e syscall=2 success=no exit=-13 a0=7fe220cac22a a1=80000 a2=1b6 a3=80000 items=0 ppid=17482 pid=17485 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" subj==/usr/sbin/apache2 (enforce) key=(null)
type=AVC msg=audit(1539750555.347:77): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/apache2/apache2.conf" pid=17485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1539750555.347:77): arch=c000003e syscall=2 success=no exit=-13 a0=7fe2219b6f70 a1=80000 a2=1b6 a3=ffffffffffffff7f items=0 ppid=17482 pid=17485 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" subj==/usr/sbin/apache2 (enforce) key=(null)
type=SERVICE_START msg=audit(1539750555.383:78): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=apache2 comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'


Seems fine to me.


Steve

steve
Oct 17, 2018, 12:40:04 AM

Le 16-10-2018, à 06:39:01 +0000, Steve Kemp a écrit :

>>
>> ls -l /etc/apache2/apache2.conf
>> -rw-r--r-- 1 root root 7224 jun 2 10:01 /etc/apache2/apache2.conf
>>
>>
>> Getting nuts.
>
> Probably the permissions on /etc/apache2, or /etc are broken for the
> user www-data.

ls -l /etc
drwxr-xr-x 213 root root 16384 oct 17 06:28

ls -l /etc/apache2
total 80
-rw-r--r-- 1 root root 7224 jun 2 10:01 apache2.conf
drwxr-xr-x 2 root root 4096 oct 16 06:56 conf-available
drwxr-xr-x 2 root root 4096 oct 16 06:57 conf-enabled
-rw-r--r-- 1 root root 1782 avr 5 2018 envvars
-rw-r--r-- 1 root root 31063 sep 19 2017 magic
drwxr-xr-x 2 root root 12288 oct 16 06:57 mods-available
drwxr-xr-x 2 root root 4096 oct 16 06:57 mods-enabled
-rw-r--r-- 1 root root 320 sep 19 2017 ports.conf
drwxr-xr-x 2 root root 4096 oct 16 06:57 sites-available
drwxr-xr-x 2 root root 4096 oct 16 06:57 sites-enabled



> Assuming you have sudo installed you can become "www-data", and test:
>
> sudo su - www-data -s /bin/sh
> cd /etc/
> cd apache2
> cat apache2.conf

All fine, www-data can read the file.

Steve Kemp
Oct 17, 2018, 1:50:04 AM


To recap you reported the original error:

> apache2: Could not open configuration file /etc/apache2/apache2.conf:
> Permission denied

Now you've provided more details, from your audit-log:

> type=AVC msg=audit(1539750555.347:77): apparmor="DENIED"
> operation="open" profile="/usr/sbin/apache2"
> name="/etc/apache2/apache2.conf" pid=17485 comm="apache2"
> requested_mask="r" denied_mask="r" fsuid=0 ouid=0

There you see "DENIED" along with "exit=-13". You can look up
the meaning of "-13" via this command, but I'll guess it corresponds to
EPERM ("permission denied"):

ausearch --interpret --exit -13

In conclusion: You're using apparmor, it prevented the process from
opening the configuration file, which stopped the service from starting.
That was logged explicitly :)

To fix this either:

1. Fix apparmor so that you can open the file.

2. Disable apparmor.

The first might be as simple as `systemctl restart apparmor.service`,
that's working on the basis that:

* You had apparmor installed.
* You've now just installed apache.
* This will have given you new apparmor rules.
* But they won't be loaded because apparmor wasn't reloaded.
* So apache failed.

I'm not 100% sure if that is the case, but it seems likely. If not
you'll need to do some reading. Perhaps start here:

https://wiki.debian.org/AppArmor

Steve
--

Reco
Oct 17, 2018, 3:00:04 AM

Hi.

On Wed, Oct 17, 2018 at 06:33:09AM +0200, steve wrote:
> Le 16-10-2018, à 09:51:22 +0300, Reco a écrit :
>
> > Hi.
> >
> > On Tue, Oct 16, 2018 at 07:31:17AM +0200, steve wrote:
> > > Hi there,
> > >
> > > Purged and then reinstalled apache2 and when I want to start apache2,
> > > here's what I get:
> > >
> > > # systemctl status apache2.service
> > > ● apache2.service - The Apache HTTP Server
> > > Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
> > > Active: failed (Result: exit-code) since Tue 2018-10-16 07:22:02 CEST; 13s ago
> > > Process: 32122 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)
> > >
> > > oct 16 07:22:01 box systemd[1]: Starting The Apache HTTP Server...
> > > oct 16 07:22:01 box apachectl[32122]: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied
> > > oct 16 07:22:02 box apachectl[32122]: Action 'start' failed.
> > > oct 16 07:22:02 box apachectl[32122]: The Apache error log may have more information.
> >
> > So, does the 'Apache error log' have anything useful?
>
> Nothing. It's empty.

And that, my dear list, shows us that in that particular case systemd
journal is useless. It was expected though, as it's the usual thing with
it - it's able to tell you that something is wrong, but it never tells
you the actual cause of it.


> > > ls -l /etc/apache2/apache2.conf
> > > -rw-r--r-- 1 root root 7224 jun 2 10:01 /etc/apache2/apache2.conf
> >
> > First things first, it's 'ls -lZ /etc/apache2/apache2.conf'.
>
> # ls -lZ /etc/apache2/apache2.conf
> -rw-r--r-- 1 root root ? 7224 jun 2 10:01 /etc/apache2/apache2.conf

And that shows us that you aren't using SELinux.


> > Next thing to check is 'ls -ald / /etc /etc/apache2'.
>
> # ls -ald /etc/apache2
> drwxr-xr-x 8 root root 4096 oct 16 07:21 /etc/apache2

The original command contains three directories; you show just one.
A hint: all three could be important in this case.


> > And, finally, /var/log/audit/audit.log if you have auditd installed
> > (hint - install it if you don't).
>
> grep apache /var/log/audit/audit.log
>
> type=AVC msg=audit(1539750555.347:76): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/gai.conf" pid=17485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=SYSCALL msg=audit(1539750555.347:76): arch=c000003e syscall=2 success=no exit=-13 a0=7fe220cac22a a1=80000 a2=1b6 a3=80000 items=0 ppid=17482 pid=17485 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" subj==/usr/sbin/apache2 (enforce) key=(null)
> type=AVC msg=audit(1539750555.347:77): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/apache2/apache2.conf" pid=17485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=SYSCALL msg=audit(1539750555.347:77): arch=c000003e syscall=2 success=no exit=-13 a0=7fe2219b6f70 a1=80000 a2=1b6 a3=ffffffffffffff7f items=0 ppid=17482 pid=17485 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" subj==/usr/sbin/apache2 (enforce) key=(null)
> type=SERVICE_START msg=audit(1539750555.383:78): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=apache2 comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
>
> Seems fine to me.

On the contrary. These show that apache2 binary was denied from reading
/etc/gai.conf *and* /etc/apache2/apache2.conf by some Mandatory Access
Control (audit record type AVC).
Since you're using Debian, I suspect AppArmor.

First things first, AppArmor (and any kind of MAC) is a good thing,
especially in your typical server environment. They'll suggest you
disable it - don't. Lowering the overall security of your OS is not worth
it.

Second, Debian does not provide apparmor profiles for apache. Whatever
profile is active in your installation is a result of local
misconfiguration.

Third, it's fixable. Install apparmor-utils.
Invoke 'aa-complain /usr/sbin/apache2'.
Start your apache2 service, stop it and start again.
Make some GET/PUT requests to it.
Invoke 'aa-logprof' and generate Apparmor profile that's uniquely suited
for your environment.
Invoke 'aa-enforce /usr/sbin/apache2', and you're set.

Reco
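
Steve Kemp's recap and Reco's reply above both read the AVC/SYSCALL pairs from steve's audit.log by hand: the AVC record names the AppArmor profile, the operation and the path, and the SYSCALL record sharing the same serial carries the numeric exit value and the profile's mode. The script below is an added example, not code from the thread or from the auditd/AppArmor tools, that does that correlation mechanically: it groups records by audit serial, pairs each AppArmor DENIED AVC with its SYSCALL, resolves the exit value through Python's errno table, and also reports the SERVICE_START record that systemd logged as failed. The audit lines it parses are the ones steve posted, embedded inline so it runs offline; the function and class names are my own.

```python
"""Added example: correlate auditd AVC (AppArmor) denials with their SYSCALL records."""
import errno
import os
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# The audit records steve posted in this thread, embedded inline so the script runs offline.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1539750555.347:76): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/gai.conf" pid=17485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1539750555.347:76): arch=c000003e syscall=2 success=no exit=-13 a0=7fe220cac22a a1=80000 a2=1b6 a3=80000 items=0 ppid=17482 pid=17485 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" subj==/usr/sbin/apache2 (enforce) key=(null)
type=AVC msg=audit(1539750555.347:77): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/apache2/apache2.conf" pid=17485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1539750555.347:77): arch=c000003e syscall=2 success=no exit=-13 a0=7fe2219b6f70 a1=80000 a2=1b6 a3=ffffffffffffff7f items=0 ppid=17482 pid=17485 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" subj==/usr/sbin/apache2 (enforce) key=(null)
type=SERVICE_START msg=audit(1539750555.383:78): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=apache2 comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
"""

MSG_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")       # timestamp and serial number
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")      # key=value, value may be quoted
SUBJ_RE = re.compile(r"subj==?(\S+)\s+\((\w+)\)")              # AppArmor subj: label (mode)


@dataclass
class Denial:
    serial: int
    profile: str
    mode: Optional[str]        # "enforce" or "complain", taken from the SYSCALL subj field
    operation: str
    path: str
    comm: str
    pid: int
    errno_name: Optional[str]  # symbolic errno for the syscall's exit value, e.g. EACCES
    errno_text: Optional[str]


def parse_fields(text: str) -> Dict[str, str]:
    """Turn 'key=value key="quoted value"' text into a dict with the quotes stripped."""
    return {k: v.strip("\"'") for k, v in FIELD_RE.findall(text)}


def parse_record(line: str) -> Optional[dict]:
    """Split one audit line into type, serial and fields; None if it is not an audit record."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = parse_fields(line)
    return {"type": fields.get("type"), "serial": int(m.group(3)), "fields": fields, "raw": line}


def find_denials(log_text: str) -> List[Denial]:
    """Pair every AppArmor DENIED AVC record with the SYSCALL record sharing its serial."""
    by_serial: Dict[int, List[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            by_serial[rec["serial"]].append(rec)

    denials: List[Denial] = []
    for serial in sorted(by_serial):
        recs = by_serial[serial]
        avc = next((r for r in recs if r["type"] == "AVC"
                    and r["fields"].get("apparmor") == "DENIED"), None)
        if avc is None:
            continue
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        mode = errno_name = errno_text = None
        if syscall:
            try:
                code = abs(int(syscall["fields"].get("exit", "0")))
            except ValueError:
                code = 0
            if code:  # a negative exit value is -errno; resolve it via the errno table
                errno_name = errno.errorcode.get(code)
                errno_text = os.strerror(code)
            sm = SUBJ_RE.search(syscall["raw"])
            if sm:
                mode = sm.group(2)
        f = avc["fields"]
        denials.append(Denial(serial=serial, profile=f.get("profile", "?"), mode=mode,
                              operation=f.get("operation", "?"), path=f.get("name", "?"),
                              comm=f.get("comm", "?"), pid=int(f.get("pid", "0")),
                              errno_name=errno_name, errno_text=errno_text))
    return denials


def failed_service_starts(log_text: str) -> List[str]:
    """Units that systemd reported as res=failed in SERVICE_START records."""
    units = []
    for line in log_text.splitlines():
        if "type=SERVICE_START" not in line:
            continue
        m = re.search(r"msg='([^']*)'", line)   # the nested msg='...' carries unit= and res=
        inner = parse_fields(m.group(1)) if m else {}
        if inner.get("res") == "failed":
            units.append(inner.get("unit", "?"))
    return units


def summarize(denials: List[Denial]) -> str:
    """One human-readable line per denial, in the order the kernel logged them."""
    return "\n".join(
        f"audit {d.serial}: profile {d.profile} ({d.mode}) denied {d.operation} on {d.path} "
        f"for {d.comm}[{d.pid}] -> {d.errno_name} ({d.errno_text})"
        for d in denials)


if __name__ == "__main__":
    found = find_denials(SAMPLE_AUDIT_LOG)
    print(summarize(found))
    print("failed units:", failed_service_starts(SAMPLE_AUDIT_LOG))
```

Run against a real file with `find_denials(open("/var/log/audit/audit.log").read())`; the serial-based pairing is what lets the script attribute the errno and the profile mode to a specific path, which the bare "Permission denied" in the journal does not.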

steve
Oct 17, 2018, 9:30:05 AM

Le 17-10-2018, à 05:38:11 +0000, Steve Kemp a écrit :

>
> To recap you reported the original error:
>
>> apache2: Could not open configuration file /etc/apache2/apache2.conf:
>> Permission denied
>
> Now you've provided more details, from your audit-log:
>
>> type=AVC msg=audit(1539750555.347:77): apparmor="DENIED"
>> operation="open" profile="/usr/sbin/apache2"
>> name="/etc/apache2/apache2.conf" pid=17485 comm="apache2"
>> requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>
> There you see "DENIED" along with "exit=-13". You can lookup
> the meaning of "-13" via this command but I'll guess it correpondes to
> EPERM ("permission denied"):
>
> ausearch --interpret --exit -13
>
> In conclusion: You're using apparmor, it prevented the process from
> opening the configuration file, which stopped the service from starting.
> That was logged explicitly :)

Good point. But since I have not explicitly installed apparmor and thus
don't know how to use it (it was installed during an update, I guess), I
didn't really bother.

> To fix this either:
>
> 1. Fix apparmor so that you can open the file.
>
> 2. Disable apparmor.
>
> The first might be as simple as `systemctl restart apparmor.service`,
> that's working on the basis that:

Didn't work, same error message.

> * You had apparmor installed.
> * You've now just installed apache.

To be correct, I just reinstalled it.

Stopped apparmor then tried to start apache2, but same problem.

> * This will have given you new apparmor rules.
> * But they won't be loaded because apparmor wasn't reloaded.
> * So apache failed.
>
> I'm not 100% sure if that is the case, but it seems likely. If not
> you'll need to do some reading. Perhaps start here:
>
> https://wiki.debian.org/AppArmor

Yeah, I think I'm gonna have to do that.

But I must say it's a bit shitty because "before", all I had to do to
run apache was 'apt install apache2'. Don't understand why this apparmor
thing is screwing my habits…

Thanks for your help and pointers.

Steve

steve
Oct 17, 2018, 9:30:05 AM

Thanks Reco for your input.

I'll have to go through it, but don't have time right now.


Steve

steve
Oct 18, 2018, 12:20:03 AM

Here, I get

Reading log entries from /var/log/audit/audit.log.
Updating AppArmor profiles in /etc/apparmor.d.
Target profile exists: /etc/apparmor.d/usr.bin.nvidia-modprobe

Profile: libreoffice-soffice
Execute: /usr/bin/nvidia-modprobe
Severity: unknown

(I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / (D)eny / Abo(r)t / (F)inish


What should I be expected to do?

Also, aa-status spits out

apparmor module is loaded.
63 profiles are loaded.
22 profiles are in enforce mode.
/usr/lib/cups/backend/cups-pdf
/usr/lib/telepathy/mission-control-5
/usr/lib/telepathy/telepathy-*
/usr/lib/telepathy/telepathy-*//pxgsettings
/usr/lib/telepathy/telepathy-*//sanitized_helper
/usr/lib/telepathy/telepathy-ofono
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/cupsd//third_party
/usr/sbin/libvirtd
/usr/sbin/libvirtd//qemu_bridge_helper
/usr/sbin/mysqld-akonadi
/usr/sbin/mysqld-akonadi///usr/sbin/mysqld
libreoffice-senddoc
libreoffice-soffice//gpg
libreoffice-xpdfimport
thunderbird
thunderbird//browser_java
thunderbird//browser_openjdk
thunderbird//gpg
thunderbird//sanitized_helper
virt-aa-helper
41 profiles are in complain mode.
/usr/bin/nvidia-modprobe
/usr/lib/dovecot/anvil
/usr/lib/dovecot/auth
/usr/lib/dovecot/config
/usr/lib/dovecot/deliver
/usr/lib/dovecot/dict
/usr/lib/dovecot/dovecot-auth
/usr/lib/dovecot/dovecot-lda
/usr/lib/dovecot/dovecot-lda///usr/sbin/sendmail
/usr/lib/dovecot/imap
/usr/lib/dovecot/imap-login
/usr/lib/dovecot/lmtp
/usr/lib/dovecot/log
/usr/lib/dovecot/managesieve
/usr/lib/dovecot/managesieve-login
/usr/lib/dovecot/pop3
/usr/lib/dovecot/pop3-login
/usr/lib/dovecot/ssl-params
/usr/sbin/apache2
/usr/sbin/apache2//DEFAULT_URI
/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT
/usr/sbin/avahi-daemon
/usr/sbin/dnsmasq
/usr/sbin/dnsmasq//libvirt_leaseshelper
/usr/sbin/dovecot
/usr/sbin/identd
/usr/sbin/mdnsd
/usr/sbin/nmbd
/usr/sbin/nscd
/usr/sbin/smbd
/usr/sbin/smbldap-useradd
/usr/sbin/smbldap-useradd///etc/init.d/nscd
/usr/{sbin/traceroute,bin/traceroute.db}
klogd
libreoffice-oopslash
libreoffice-soffice
libreoffice-soffice//null-/usr/bin/nvidia-modprobe
libreoffice-soffice//null-/usr/bin/nvidia-modprobe//null-/bin/kmod
ping
syslog-ng
syslogd
15 processes have profiles defined.
3 processes are in enforce mode.
/usr/sbin/cups-browsed (25039)
/usr/sbin/cupsd (25038)
thunderbird (12250)
3 processes are in complain mode.
/usr/sbin/apache2 (11894)
/usr/sbin/apache2 (12019)
/usr/sbin/apache2 (12020)
9 processes are unconfined but have a profile defined.
/usr/sbin/avahi-daemon (1196)
/usr/sbin/avahi-daemon (1278)
/usr/sbin/dnsmasq (1444)
/usr/sbin/nmbd (2436)
/usr/sbin/smbd (2457)
/usr/sbin/smbd (2458)
/usr/sbin/smbd (2459)
/usr/sbin/smbd (2479)
/usr/sbin/smbd (32743)


This is rather confusing.


What should I do with this?




>Invoke 'aa-enforce /usr/sbin/apache2', and you're set.


Profile for /usr/sbin/apache2 not found, skipping

I guess this is normal since I didn't finish the aa-logprof step.



Still reading on this new thing for me.

Thanks

Steve

mick crane
Oct 18, 2018, 2:10:04 AM

On 2018-10-18 05:11, steve wrote:

>
> Still reading on this new thing for me.
>
> Thanks
>
> Steve

I never came across this apparmor.
Did you try stopping it with systemctl, then see if apache works as
expected?

mick

--
Key ID 4BFEBB31

steve
Oct 18, 2018, 2:20:04 AM

Le 18-10-2018, à 07:07:34 +0100, mick crane a écrit :

>On 2018-10-18 05:11, steve wrote:
>
>>
>>Still reading on this new thing for me.
>>
>>Thanks
>>
>>Steve
>
>I never came across this apparmor.
>did you try stopping it with systemctl then see if apache works as
>expected ?

Yes I did and apache failed to start.

mick crane
Oct 18, 2018, 2:20:04 AM

On 2018-10-18 07:07, mick crane wrote:
> On 2018-10-18 05:11, steve wrote:
>
>>
>> Still reading on this new thing for me.
>>
>> Thanks
>>
>> Steve
>
> I never came across this apparmor.
> did you try stopping it with systemctl then see if apache works as
> expected ?

Ah, OK I see you tried that.
Would that not indicate the problem is not apparmor?

mick crane
Oct 18, 2018, 2:30:04 AM

Does "apachectl configtest" say OK?

--
Key ID 4BFEBB31

Reco
Oct 18, 2018, 2:51:24 AM

Hi.
Skip it, of course - Unconfined.
That one's for libreoffice, and you need that dialog showing something for apache.


> Also, aa-status spits out
>
> apparmor module is loaded.
> 63 profiles are loaded.
...
> 3 processes are in complain mode.
> /usr/sbin/apache2 (11894)
> /usr/sbin/apache2 (12019)
> /usr/sbin/apache2 (12020)
...
>
> This is rather confusing.

Yet here you have a legitimate Apparmor profile for apache.

> What should I do with this?

Let's try it another way.

pkill -USR1 `pidof auditd`

aa-logprof /usr/sbin/apache2


> > Invoke 'aa-enforce /usr/sbin/apache2', and you're set.
>
> Profile for /usr/sbin/apache2 not found, skipping
>
> I guess this is normal since I didn't finish the aa-logprof step.

More or less. aa-status does not lie, your kernel has a profile for
apache.

Reco
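
Reco's last reply makes the point that aa-status already answers whether the kernel has a profile for apache and in which mode. The parser below is an added example, not part of the thread or of the apparmor-utils package: it reads aa-status output into the three states this thread turns on (a profile loaded in enforce mode, a profile loaded in complain mode, and a process running unconfined although a profile is loaded) and reports them for one binary. The sample output is constructed, abridged from what steve posted, with the indentation aa-status prints for entry lines restored; the parser also accepts the unindented form as it appeared in the mail. Function and class names are my own.

```python
"""Added example: read aa-status output and report how one executable is confined."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, abridged from the aa-status output in the thread.
SAMPLE_AA_STATUS = """\
apparmor module is loaded.
9 profiles are loaded.
3 profiles are in enforce mode.
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   thunderbird
6 profiles are in complain mode.
   /usr/sbin/apache2
   /usr/sbin/apache2//DEFAULT_URI
   /usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT
   /usr/sbin/avahi-daemon
   /usr/sbin/dnsmasq
   ping
6 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/cupsd (25038)
3 processes are in complain mode.
   /usr/sbin/apache2 (11894)
   /usr/sbin/apache2 (12019)
   /usr/sbin/apache2 (12020)
2 processes are unconfined but have a profile defined.
   /usr/sbin/avahi-daemon (1196)
   /usr/sbin/dnsmasq (1444)
"""

# Section headers as aa-status prints them (singular/plural both accepted).
PROFILE_HDR = re.compile(r"^(\d+) profiles? (?:are|is) in (\w+) mode\.$")
PROCESS_HDR = re.compile(r"^(\d+) processes? (?:are|is) in (\w+) mode\.$")
UNCONFINED_HDR = re.compile(r"^(\d+) processes? (?:are|is) unconfined but (?:have|has) a profile defined\.$")
SUMMARY = re.compile(r"^(apparmor module is loaded\.|\d+ profiles? (?:are|is) loaded\.|"
                     r"\d+ processes? (?:have|has) profiles? defined\.)$")
PROCESS_LINE = re.compile(r"^(.+?) \((\d+)\)$")   # "<profile> (<pid>)"


@dataclass
class AAStatus:
    profiles: Dict[str, str] = field(default_factory=dict)               # profile name -> mode
    processes: List[Tuple[str, int, str]] = field(default_factory=list)  # (profile, pid, state)


def parse_aa_status(text: str) -> AAStatus:
    """Walk the output section by section; entry lines belong to the most recent header."""
    status = AAStatus()
    section: Optional[Tuple[str, str]] = None   # ("profile" | "process", mode)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROFILE_HDR.match(line)
        if m:
            section = ("profile", m.group(2))
            continue
        m = PROCESS_HDR.match(line)
        if m:
            section = ("process", m.group(2))
            continue
        if UNCONFINED_HDR.match(line):
            section = ("process", "unconfined")
            continue
        if SUMMARY.match(line):
            section = None
            continue
        if section is None:
            continue
        kind, mode = section
        if kind == "profile":
            status.profiles[line] = mode
        else:
            pm = PROCESS_LINE.match(line)
            if pm:
                status.processes.append((pm.group(1), int(pm.group(2)), mode))
    return status


def confinement(status: AAStatus, binary: str) -> dict:
    """What aa-status says about one executable: profile mode, its hats, its live processes."""
    return {
        "profile_mode": status.profiles.get(binary),
        "hats": sorted(n for n in status.profiles if n.startswith(binary + "//")),
        "processes": [(pid, state) for name, pid, state in status.processes if name == binary],
    }


def describe(status: AAStatus, binary: str) -> str:
    c = confinement(status, binary)
    if c["profile_mode"] is None:
        return f"{binary}: no profile loaded"
    procs = ", ".join(f"{pid} ({state})" for pid, state in c["processes"]) or "none running"
    return (f"{binary}: profile loaded in {c['profile_mode']} mode, "
            f"{len(c['hats'])} hat(s); processes: {procs}")


if __name__ == "__main__":
    st = parse_aa_status(SAMPLE_AA_STATUS)
    for exe in ("/usr/sbin/apache2", "/usr/sbin/cupsd", "/usr/sbin/avahi-daemon", "/usr/sbin/sshd"):
        print(describe(st, exe))
```

The distinction the parser preserves is the one that matters when an aa-enforce or aa-logprof run disagrees with what you expected: "profile loaded in complain mode" and "process unconfined although a profile is loaded" are different states, and only the first explains denials being logged without being enforced.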