Re: apache2: Could not open configuration file /etc/apache2/apache2.conf: Permission denied

Hi.

On Thu, Oct 18, 2018 at 06:11:13AM +0200, steve wrote:
> Le 17-10-2018, à 09:52:06 +0300, Reco a écrit :
> 
> > > > And, finally, /var/log/audit/audit.log if you have auditd installed
> > > > (hint - install it if you don't).
> > > 
> > > grep apache /var/log/audit/audit.log
> > > 
> > > type=AVC msg=audit(1539750555.347:76): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/gai.conf" pid=17485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> > > type=SYSCALL msg=audit(1539750555.347:76): arch=c000003e syscall=2 success=no exit=-13 a0=7fe220cac22a a1=80000 a2=1b6 a3=80000 items=0 ppid=17482 pid=17485 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" subj==/usr/sbin/apache2 (enforce) key=(null)
> > > type=AVC msg=audit(1539750555.347:77): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/apache2/apache2.conf" pid=17485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> > > type=SYSCALL msg=audit(1539750555.347:77): arch=c000003e syscall=2 success=no exit=-13 a0=7fe2219b6f70 a1=80000 a2=1b6 a3=ffffffffffffff7f items=0 ppid=17482 pid=17485 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" subj==/usr/sbin/apache2 (enforce) key=(null)
> > > type=SERVICE_START msg=audit(1539750555.383:78): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=apache2 comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
> > > 
> > > Seems fine to me.
> > 
> > On the contrary. These show that the apache2 binary was denied reading
> > /etc/gai.conf *and* /etc/apache2/apache2.conf by some Mandatory Access
> > Control (audit record type AVC).
> > Since you're using Debian, I suspect AppArmor.
> > 
> > First things first, Apparmor (and any kind of MAC) is a good thing,
> > especially in your typical server environment. They'll suggest you
> > disable it - don't. Lowering the overall security of your OS is not worth
> > it.
> > 
> > Second, Debian does not provide apparmor profiles for apache. Whatever
> > profile is active in your installation is a result of local
> > misconfiguration.
> > 
> > Third, it's fixable. Install apparmor-utils.
> > Invoke 'aa-complain /usr/sbin/apache2'.
> > Start your apache2 service, stop it and start again.
> > Make some GET/PUT requests to it.
> > Invoke 'aa-logprof' and generate Apparmor profile that's uniquely suited
> > for your environment.
> 
> Here, I get
> 
> Reading log entries from /var/log/audit/audit.log.
> Updating AppArmor profiles in /etc/apparmor.d.
> Target profile exists: /etc/apparmor.d/usr.bin.nvidia-modprobe
> 
> Profile:  libreoffice-soffice
> Execute:  /usr/bin/nvidia-modprobe
> Severity: unknown
> 
> (I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / (D)eny / Abo(r)t / (F)inish
>
> What should I be expected to do?

Skip it, of course - Unconfined.
That one's for libreoffice, and you need that dialog showing something for apache.


> Also, aa-status spits out
> 
> apparmor module is loaded.
> 63 profiles are loaded.
...
> 3 processes are in complain mode.
>   /usr/sbin/apache2 (11894)
>   /usr/sbin/apache2 (12019)
>   /usr/sbin/apache2 (12020)
...
> 
> This is rather confusing.

Yet here you have a legitimate Apparmor profile for apache.

> What should I do with this?

Let's try it another way.

pkill -USR1 `pidof auditd`

aa-logprof /usr/sbin/apache2


> > Invoke 'aa-enforce /usr/sbin/apache2', and you're set.
> 
> Profile for /usr/sbin/apache2 not found, skipping
> 
> I guess this is normal since I didn't finish the aa-logprof step.

More or less. aa-status does not lie, your kernel has a profile for
apache.

Reco
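As an added example (not part of this thread), here is a small Python parser for the audit records quoted above: it pulls the AppArmor AVC records out of an audit.log, strips the quoting, and groups per profile which paths were denied in enforce mode and which were logged as ALLOWED in complain mode. The sample log embeds the two AVC lines from the thread plus one constructed complain-mode record for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records quoted in the thread (an enforce-mode
# profile logs apparmor="DENIED"), plus one constructed complain-mode record,
# where AppArmor logs apparmor="ALLOWED" but would have denied the access.
SAMPLE_LOG = """\
type=AVC msg=audit(1539750555.347:76): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/gai.conf" pid=17485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1539750555.347:76): arch=c000003e syscall=2 success=no exit=-13 comm="apache2" exe="/usr/sbin/apache2"
type=AVC msg=audit(1539750555.347:77): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/apache2/apache2.conf" pid=17485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1539750555.400:80): apparmor="ALLOWED" operation="open" profile="/usr/sbin/apache2" name="/var/www/html/index.html" pid=17490 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
"""

# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of key -> value (quotes stripped)."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def apparmor_events(log_text):
    """Yield only the AppArmor AVC records, already parsed."""
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") == "AVC" and "apparmor" in rec:
            yield rec


def summarize(log_text):
    """Per profile: paths denied in enforce mode, and paths that a complain-mode
    profile let through but flagged (these are what aa-logprof asks about)."""
    summary = defaultdict(lambda: {"denied": set(), "complain_allowed": set()})
    for rec in apparmor_events(log_text):
        bucket = "denied" if rec["apparmor"] == "DENIED" else "complain_allowed"
        summary[rec["profile"]][bucket].add((rec.get("name"), rec.get("denied_mask")))
    return {p: {k: sorted(v) for k, v in d.items()} for p, d in summary.items()}


if __name__ == "__main__":
    for profile, buckets in summarize(SAMPLE_LOG).items():
        print(profile)
        for mode, paths in buckets.items():
            for path, mask in paths:
                print(f"  {mode:16} {mask:4} {path}")
```

Feed it the real file with `summarize(open("/var/log/audit/audit.log").read())`; a profile that shows up under "denied" is in enforce mode and is the one blocking the config read.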