2014-12-10 12:18:35 |
Jacek Nykis |
bug |
|
|
added bug |
2014-12-10 12:18:55 |
Jacek Nykis |
bug |
|
|
added subscriber The Canonical Sysadmins |
2015-04-07 22:10:52 |
Steve Beattie |
apparmor (Ubuntu): status |
New |
Triaged |
|
2015-04-07 22:10:55 |
Steve Beattie |
apparmor (Ubuntu): importance |
Undecided |
Medium |
|
2015-04-25 06:55:01 |
Launchpad Janitor |
branch linked |
|
lp:~apparmor-dev/apparmor/apparmor-ubuntu-citrain-trusty |
|
2015-05-18 14:44:58 |
Steve Beattie |
attachment added |
|
php5-Zend_semaphore-lp1401084.patch https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1401084/+attachment/4399530/+files/php5-Zend_semaphore-lp1401084.patch |
|
2015-05-18 14:46:07 |
Steve Beattie |
description |
I am using apache mod_apparmor with a wordpress blog. In my rules I have:
#include <abstractions/php5>
But this did not allow all access that was needed:
apparmor="DENIED" operation="file_lock" profile="/usr/sbin/apache2//myvhost.example.com" name="/tmp/.ZendSem.Y5Ghmr" pid=21874 comm="apache2" requested_mask="k" denied_mask="k" fsuid=33 ouid=0
apparmor="DENIED" operation="file_lock" profile="/usr/sbin/apache2//myvhost.example.com" name="/tmp/.ZendSem.Y5Ghmr" pid=21874 comm="apache2" requested_mask="wk" denied_mask="wk" fsuid=33 ouid=0
This access seems to be needed by opcache module, I found some info about it here:
https://lists.ubuntu.com/archives/apparmor/2014-June/005879.html
Ubuntu 14.04.1
apparmor 2.8.95~2430-0ubuntu5.1 |
[impact]
This bug prevents the proper functioning of apache mod_php with
mod_apparmor.
[steps to reproduce]
1) setuo apache and mod_php, verify php scripts are working
2) stop apache2
3) install mod_apparmor
4) restart apache2
5) with fix applied, apache should not generate rejections for /tmp/.ZendSem.*
for php scripts confined by mod_apparmor
[regression potential]
The change to the php abstraction in the patch for this bug is a
slight loosening of the apparmor policy. The risk of an introduced
regression is small.
[original description]
I am using apache mod_apparmor with a wordpress blog. In my rules I have:
#include <abstractions/php5>
But this did not allow all access that was needed:
apparmor="DENIED" operation="file_lock" profile="/usr/sbin/apache2//myvhost.example.com" name="/tmp/.ZendSem.Y5Ghmr" pid=21874 comm="apache2" requested_mask="k" denied_mask="k" fsuid=33 ouid=0
apparmor="DENIED" operation="file_lock" profile="/usr/sbin/apache2//myvhost.example.com" name="/tmp/.ZendSem.Y5Ghmr" pid=21874 comm="apache2" requested_mask="wk" denied_mask="wk" fsuid=33 ouid=0
This access seems to be needed by opcache module, I found some info about it here:
https://lists.ubuntu.com/archives/apparmor/2014-June/005879.html
Ubuntu 14.04.1
apparmor 2.8.95~2430-0ubuntu5.1 |
|
2015-05-18 14:47:15 |
Steve Beattie |
nominated for series |
|
Ubuntu Trusty |
|
2015-05-18 14:51:10 |
Steve Beattie |
apparmor (Ubuntu): status |
Triaged |
Fix Released |
|
2015-05-24 17:34:18 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/trusty-proposed/apparmor |
|
2015-06-11 19:54:02 |
Steve Beattie |
tags |
|
verification-done |
|