
touch-packages team mailing list archive

[Bug 1401084] Re: Missing rules in php5 abstraction

 

Here's a patch to fix this for trusty.

** Patch added: "php5-Zend_semaphore-lp1401084.patch"
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1401084/+attachment/4399530/+files/php5-Zend_semaphore-lp1401084.patch

** Description changed:

+ [impact]
+ 
+ This bug prevents the proper functioning of apache mod_php with
+ mod_apparmor.
+ 
+ [steps to reproduce]
+ 
+ 1) setuo apache and mod_php, verify php scripts are working
+ 2) stop apache2
+ 3) install mod_apparmor
+ 4) restart apache2
+ 5) with fix applied, apache should not generate rejections for /tmp/.ZendSem.*
+ for php scripts confined by mod_apparmor
+ 
+ [regression potential]
+ 
+ The change to the php abstraction in the patch for this bug is a
+ slight loosening of the apparmor policy. The risk of an introduced
+ regression is small.
+ 
+ [original description]
+ 
  I am using apache mod_apparmor with a wordpress blog. In my rules I have:
  #include <abstractions/php5>
  
  But this did not allow all access that was needed:
  apparmor="DENIED" operation="file_lock" profile="/usr/sbin/apache2//myvhost.example.com" name="/tmp/.ZendSem.Y5Ghmr" pid=21874 comm="apache2" requested_mask="k" denied_mask="k" fsuid=33 ouid=0
  apparmor="DENIED" operation="file_lock" profile="/usr/sbin/apache2//myvhost.example.com" name="/tmp/.ZendSem.Y5Ghmr" pid=21874 comm="apache2" requested_mask="wk" denied_mask="wk" fsuid=33 ouid=0
  
  This access seems to be needed by opcache module, I found some info about it here:
  https://lists.ubuntu.com/archives/apparmor/2014-June/005879.html
  
  Ubuntu 14.04.1
  apparmor 2.8.95~2430-0ubuntu5.1
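
Review bot: the added [steps to reproduce] never exercise PHP under confinement. After step 4 there is no step that requests a PHP script from a vhost confined by mod_apparmor, and step 5 states an expected result without saying where the rejections would appear. Suggest adding a step that loads a PHP page from the confined vhost and then checks the log for apparmor="DENIED" entries whose name matches /tmp/.ZendSem.*. Also, "setuo" in step 1 should read "set up".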

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1401084

Title:
  Missing rules in php5 abstraction

Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  [impact]

  This bug prevents the proper functioning of apache mod_php with
  mod_apparmor.

  [steps to reproduce]

  1) set up apache and mod_php, verify php scripts are working
  2) stop apache2
  3) install mod_apparmor
  4) restart apache2
  5) with fix applied, apache should not generate rejections for /tmp/.ZendSem.*
  for php scripts confined by mod_apparmor

  [regression potential]

  The change to the php abstraction in the patch for this bug is a
  slight loosening of the apparmor policy. The risk of an introduced
  regression is small.

  [original description]

  I am using apache mod_apparmor with a wordpress blog. In my rules I have:
  #include <abstractions/php5>

  But this did not allow all access that was needed:
  apparmor="DENIED" operation="file_lock" profile="/usr/sbin/apache2//myvhost.example.com" name="/tmp/.ZendSem.Y5Ghmr" pid=21874 comm="apache2" requested_mask="k" denied_mask="k" fsuid=33 ouid=0
  apparmor="DENIED" operation="file_lock" profile="/usr/sbin/apache2//myvhost.example.com" name="/tmp/.ZendSem.Y5Ghmr" pid=21874 comm="apache2" requested_mask="wk" denied_mask="wk" fsuid=33 ouid=0

  This access seems to be needed by opcache module, I found some info about it here:
  https://lists.ubuntu.com/archives/apparmor/2014-June/005879.html

  Ubuntu 14.04.1
  apparmor 2.8.95~2430-0ubuntu5.1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1401084/+subscriptions
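
An added example, not part of the original message and not the content of the attached patch: a small Python triage helper that reads the two denials quoted in the bug description, unions the denied permission letters per profile and path, and prints a candidate file rule for review. The glob on the suffix after ".ZendSem." follows step 5 of the report; the function names and the rule rendering are assumptions of this example.

```python
import re
from collections import defaultdict

# The two denials quoted in the bug description above.
SAMPLE_LOG = """\
apparmor="DENIED" operation="file_lock" profile="/usr/sbin/apache2//myvhost.example.com" name="/tmp/.ZendSem.Y5Ghmr" pid=21874 comm="apache2" requested_mask="k" denied_mask="k" fsuid=33 ouid=0
apparmor="DENIED" operation="file_lock" profile="/usr/sbin/apache2//myvhost.example.com" name="/tmp/.ZendSem.Y5Ghmr" pid=21874 comm="apache2" requested_mask="wk" denied_mask="wk" fsuid=33 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PERM_ORDER = "rwaklmx"  # stable order for printing permission letters


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED line, else None."""
    fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def generalize(path):
    """Assumption: the suffix after '.ZendSem.' is random, so glob it."""
    return re.sub(r"^(/tmp/\.ZendSem\.)[^/]+$", r"\1*", path)


def summarize(log_text):
    """Map (profile, path glob) -> denied letters and whether 'owner' would match."""
    out = defaultdict(lambda: {"perms": set(), "owner_ok": True})
    for line in log_text.splitlines():
        f = parse_denial(line)
        if not f or "name" not in f:
            continue
        entry = out[(f.get("profile"), generalize(f["name"]))]
        entry["perms"].update(f.get("denied_mask", ""))
        # An 'owner' rule only applies when the task's fsuid owns the file.
        entry["owner_ok"] &= f.get("fsuid") == f.get("ouid")
    return dict(out)


def candidate_rules(summary):
    """Render one candidate file rule per entry, for a human to review."""
    rules = {}
    for key, e in summary.items():
        perms = "".join(c for c in PERM_ORDER if c in e["perms"])
        rules[key] = f"{'owner ' if e['owner_ok'] else ''}{key[1]} {perms},"
    return rules


if __name__ == "__main__":
    for (profile, _), rule in candidate_rules(summarize(SAMPLE_LOG)).items():
        print(f"{profile}: {rule}")
```

Because the quoted denials show fsuid=33 against ouid=0, the helper leaves the "owner" qualifier off the candidate rule; an owner-restricted rule would not have matched these accesses.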

