[xenial] Update AppArmor rules to work on Trusty, Xenial #3962
Comments
Took a look at the WIP branch in 3962-apparmor-xenial. As @emkll reported in standup today, journalist replies are not properly decrypted. Documenting additional unhandled gpg-related AppArmor failures for follow-up:
Those should indeed be handled in the profile, but they're insufficient to explain the breakage. Switching the apache2 profile in AppArmor to "complain" mode and bouncing the service doesn't resolve, for example. One lead is that the redis worker appears to be failing, as evidenced by:
More research required.
After setting all AppArmor profiles to complain, and even flushing the iptables rules, the no-journalist-response issue persisted. As such, it appears not to be directly related to AppArmor policies, so I propose we open another dedicated issue to track, and press forward with the minor fixes to the existing profiles outlined above. Also worth pointing out we have a few documented AppArmor profile tweaks in https://github.com/freedomofpress/securedrop/compare/test-xenial-upgrade-path, left over from #3491. Let's review those and include if warranted.
Redis worker issue may be a red herring, given that I'm able to pull up the same error logs even on Trusty, when running staging VMs locally. Let's try moving forward with programmatically updated profiles (e.g. via
Explicit rules are required for Apache mpm worker/event changes. gpg2 policy should permit links via /var/lib/securedrop/keys/* l or similar. For simplicity, we should update AppArmor rules to work for both Trusty and Xenial, using a single template file for both distros.
Part of #3204.
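As an added example (not code from this issue or from SecureDrop), a small Python helper that turns AppArmor audit lines into candidate profile rules: it groups events per profile, merges same-directory entries into the kind of wildcard rule proposed above (/var/lib/securedrop/keys/* l), and flags events logged as ALLOWED, which is what a profile in complain mode produces, so a log of ALLOWED lines with the symptom still present points away from the profile, as the comments found. The sample log lines, PIDs and lock-file names are constructed.

```python
import posixpath
import re

# Constructed sample audit lines (not taken from the issue), in the format the
# kernel emits for AppArmor events. Profiles and paths follow the issue: gpg2
# linking lock files under /var/lib/securedrop/keys/, apache2 loading an mpm
# module. "ALLOWED" means the profile was in complain mode at the time.
SAMPLE_LOG = """\
audit: type=1400 audit(1536600000.100:41): apparmor="DENIED" operation="link" profile="/usr/bin/gpg2" name="/var/lib/securedrop/keys/pubring.gpg.lock" pid=2201 comm="gpg2" requested_mask="l" denied_mask="l" fsuid=33 ouid=33 target="/var/lib/securedrop/keys/.#lk0x1f3a.app.2201"
audit: type=1400 audit(1536600000.200:42): apparmor="DENIED" operation="link" profile="/usr/bin/gpg2" name="/var/lib/securedrop/keys/trustdb.gpg.lock" pid=2201 comm="gpg2" requested_mask="l" denied_mask="l" fsuid=33 ouid=33 target="/var/lib/securedrop/keys/.#lk0x1f3a.app.2201"
audit: type=1400 audit(1536600001.000:43): apparmor="ALLOWED" operation="open" profile="/usr/sbin/apache2" name="/etc/apache2/mods-enabled/mpm_event.load" pid=2100 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line):
    """Return the quoted key="value" fields of one AppArmor audit line,
    or None if the line is not an AppArmor DENIED/ALLOWED event."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("apparmor") not in ("DENIED", "ALLOWED"):
        return None
    return fields

def candidate_rules(log_text):
    """Group events by profile and turn each into a file rule '<path> <mask>,'.
    The value records whether the profile was enforcing ('enforce', a real
    denial) or in complain mode ('complain', the access actually went through)."""
    rules = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or "name" not in ev:
            continue
        mask = ev.get("denied_mask") or ev.get("requested_mask", "")
        mode = "complain" if ev["apparmor"] == "ALLOWED" else "enforce"
        rules.setdefault(ev["profile"], {})[f'{ev["name"]} {mask},'] = mode
    return rules

def collapse_by_directory(profile_rules):
    """Merge rules that share a directory and mask into one '<dir>/* <mask>,'
    rule; this is how '/var/lib/securedrop/keys/* l,' arises from two lock files."""
    by_dir = {}
    for rule in profile_rules:
        path, mask = rule.rstrip(",").rsplit(" ", 1)
        by_dir.setdefault((posixpath.dirname(path), mask), []).append(path)
    return [f"{d}/* {mask}," if len(paths) > 1 else f"{paths[0]} {mask},"
            for (d, mask), paths in by_dir.items()]
```

Feed it the output of journalctl -k or /var/log/audit/audit.log from a staging VM; a rule marked complain confirms the profile let the access through, so the breakage must lie elsewhere.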