Re: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied




On 17-10-2018, at 09:52:06 +0300, Reco wrote:

> And, finally, /var/log/audit/audit.log if you have auditd installed
> (hint - install it if you don't).

> > grep apache /var/log/audit/audit.log
> > 
> > type=AVC msg=audit(1539750555.347:76): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/gai.conf" pid=17485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> > type=SYSCALL msg=audit(1539750555.347:76): arch=c000003e syscall=2 success=no exit=-13 a0=7fe220cac22a a1=80000 a2=1b6 a3=80000 items=0 ppid=17482 pid=17485 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" subj==/usr/sbin/apache2 (enforce) key=(null)
> > type=AVC msg=audit(1539750555.347:77): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/apache2/apache2.conf" pid=17485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> > type=SYSCALL msg=audit(1539750555.347:77): arch=c000003e syscall=2 success=no exit=-13 a0=7fe2219b6f70 a1=80000 a2=1b6 a3=ffffffffffffff7f items=0 ppid=17482 pid=17485 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" subj==/usr/sbin/apache2 (enforce) key=(null)
> > type=SERVICE_START msg=audit(1539750555.383:78): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=apache2 comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
> > 
> > Seems fine to me.

> On the contrary. These show that the apache2 binary was denied from reading
> /etc/gai.conf *and* /etc/apache2/apache2.conf by some Mandatory Access
> Control (audit record type AVC).
> Since you're using Debian, I suspect AppArmor.
> 
> First things first, AppArmor (and any kind of MAC) is a good thing,
> especially in your typical server environment. They'll suggest you
> disable it - don't. Lowering the overall security of your OS is not worth
> it.
> 
> Second, Debian does not provide AppArmor profiles for apache. Whatever
> profile is active in your installation is a result of local
> misconfiguration.
> 
> Third, it's fixable. Install apparmor-utils.
> Invoke 'aa-complain /usr/sbin/apache2'.
> Start your apache2 service, stop it and start it again.
> Make some GET/PUT requests to it.
> Invoke 'aa-logprof' and generate an AppArmor profile that's uniquely suited
> to your environment.

Here, I get

Reading log entries from /var/log/audit/audit.log.
Updating AppArmor profiles in /etc/apparmor.d.
Target profile exists: /etc/apparmor.d/usr.bin.nvidia-modprobe

Profile:  libreoffice-soffice
Execute:  /usr/bin/nvidia-modprobe
Severity: unknown

(I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / (D)eny / Abo(r)t / (F)inish


What am I expected to do here?

Also, aa-status spits out

apparmor module is loaded.
63 profiles are loaded.
22 profiles are in enforce mode.
  /usr/lib/cups/backend/cups-pdf
  /usr/lib/telepathy/mission-control-5
  /usr/lib/telepathy/telepathy-*
  /usr/lib/telepathy/telepathy-*//pxgsettings
  /usr/lib/telepathy/telepathy-*//sanitized_helper
  /usr/lib/telepathy/telepathy-ofono
  /usr/sbin/cups-browsed
  /usr/sbin/cupsd
  /usr/sbin/cupsd//third_party
  /usr/sbin/libvirtd
  /usr/sbin/libvirtd//qemu_bridge_helper
  /usr/sbin/mysqld-akonadi
  /usr/sbin/mysqld-akonadi///usr/sbin/mysqld
  libreoffice-senddoc
  libreoffice-soffice//gpg
  libreoffice-xpdfimport
  thunderbird
  thunderbird//browser_java
  thunderbird//browser_openjdk
  thunderbird//gpg
  thunderbird//sanitized_helper
  virt-aa-helper
41 profiles are in complain mode.
  /usr/bin/nvidia-modprobe
  /usr/lib/dovecot/anvil
  /usr/lib/dovecot/auth
  /usr/lib/dovecot/config
  /usr/lib/dovecot/deliver
  /usr/lib/dovecot/dict
  /usr/lib/dovecot/dovecot-auth
  /usr/lib/dovecot/dovecot-lda
  /usr/lib/dovecot/dovecot-lda///usr/sbin/sendmail
  /usr/lib/dovecot/imap
  /usr/lib/dovecot/imap-login
  /usr/lib/dovecot/lmtp
  /usr/lib/dovecot/log
  /usr/lib/dovecot/managesieve
  /usr/lib/dovecot/managesieve-login
  /usr/lib/dovecot/pop3
  /usr/lib/dovecot/pop3-login
  /usr/lib/dovecot/ssl-params
  /usr/sbin/apache2
  /usr/sbin/apache2//DEFAULT_URI
  /usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT
  /usr/sbin/avahi-daemon
  /usr/sbin/dnsmasq
  /usr/sbin/dnsmasq//libvirt_leaseshelper
  /usr/sbin/dovecot
  /usr/sbin/identd
  /usr/sbin/mdnsd
  /usr/sbin/nmbd
  /usr/sbin/nscd
  /usr/sbin/smbd
  /usr/sbin/smbldap-useradd
  /usr/sbin/smbldap-useradd///etc/init.d/nscd
  /usr/{sbin/traceroute,bin/traceroute.db}
  klogd
  libreoffice-oopslash
  libreoffice-soffice
  libreoffice-soffice//null-/usr/bin/nvidia-modprobe
  libreoffice-soffice//null-/usr/bin/nvidia-modprobe//null-/bin/kmod
  ping
  syslog-ng
  syslogd
15 processes have profiles defined.
3 processes are in enforce mode.
  /usr/sbin/cups-browsed (25039)
  /usr/sbin/cupsd (25038)
  thunderbird (12250)
3 processes are in complain mode.
  /usr/sbin/apache2 (11894)
  /usr/sbin/apache2 (12019)
  /usr/sbin/apache2 (12020)
9 processes are unconfined but have a profile defined.
  /usr/sbin/avahi-daemon (1196)
  /usr/sbin/avahi-daemon (1278)
  /usr/sbin/dnsmasq (1444)
  /usr/sbin/nmbd (2436)
  /usr/sbin/smbd (2457)
  /usr/sbin/smbd (2458)
  /usr/sbin/smbd (2459)
  /usr/sbin/smbd (2479)
  /usr/sbin/smbd (32743)


This is rather confusing.


What should I do with this?

> Invoke 'aa-enforce /usr/sbin/apache2', and you're set.


Profile for /usr/sbin/apache2 not found, skipping

I guess this is normal since I didn't finish the aa-logprof step.



Still reading on this new thing for me.

Thanks

Steve
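Added example (not from the thread, and not code from auditd or the AppArmor tools): a small Python parser for audit AVC records of the shape quoted above. It collects everything a profile was denied and turns that into the kind of candidate file rules aa-logprof proposes, which is what the aa-complain / aa-logprof / aa-enforce procedure in the reply is meant to produce. The sample log is constructed from the two AVC records in the thread plus one apparmor="ALLOWED" record of the kind complain mode logs.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records quoted in the thread, one of their
# SYSCALL records, and a constructed apparmor="ALLOWED" record such as
# complain mode produces. Only DENIED AVC records may influence the summary.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1539750555.347:76): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/gai.conf" pid=17485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1539750555.347:76): arch=c000003e syscall=2 success=no exit=-13 items=0 ppid=17482 pid=17485 comm="apache2" exe="/usr/sbin/apache2" subj==/usr/sbin/apache2 (enforce) key=(null)
type=AVC msg=audit(1539750555.347:77): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/apache2/apache2.conf" pid=17485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1539750600.000:90): apparmor="ALLOWED" operation="open" profile="/usr/sbin/apache2" name="/var/www/html/index.html" pid=17485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
"""

# Audit records are one line of key=value or key="quoted value" fields.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_audit_record(line):
    """Split one audit record into a dict of field -> value (quotes stripped)."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields

def apparmor_denials(log_text):
    """Summarise AppArmor AVC denials as {profile: {path: [denied masks]}}."""
    # Non-AVC records and apparmor="ALLOWED" (complain-mode) records are
    # skipped, so the result is exactly what enforce mode blocked.
    denials = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_audit_record(line)
        if rec.get("type") != "AVC" or rec.get("apparmor") != "DENIED":
            continue
        target = rec.get("name") or rec.get("operation", "?")
        denials[rec.get("profile", "?")][target].add(rec.get("denied_mask", "?"))
    return {p: {t: sorted(m) for t, m in ts.items()} for p, ts in denials.items()}

def suggest_rules(denials):
    """Candidate AppArmor file rules per profile, as aa-logprof would offer."""
    # Each line still needs a human decision: a logged denial is evidence of
    # what the program tried, not proof that it should be allowed.
    return {
        profile: sorted(f"{path} {''.join(masks)}," for path, masks in targets.items())
        for profile, targets in denials.items()
    }
```

Run it against the real file with `apparmor_denials(open("/var/log/audit/audit.log").read())` to see every path the apache2 profile blocked, not just the two that happened to be grepped.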