The officially official Devuan Forum!

#1 Re: Installation » Apparmor (support) is a complete joke » 2020-06-11 11:33:59

Marjorie wrote:

I think you haven't understood that profiles are only activated ('defined') for running processes.

I have understood it perfectly. A running basic install typically has over 20 processes in addition to the kernel threads. The fact that only 3 of them are confined is worrying.

Why is LO in complain and not enforce?

#2 Re: Installation » Apparmor (support) is a complete joke » 2020-06-10 23:47:48

That means only 3 processes are actually confined. That is not many.

I have to check what the situation is with Fedora/SELinux.

#3 Re: Installation » Apparmor (support) is a complete joke » 2020-06-10 22:32:32

Marjorie wrote:

I never bothered with apparmor in Ascii but it 'works out of the box' in Beowulf (well, almost: I had to add a line to /etc/apparmor/usr.sbin.cupsd for /etc/dnscrypt-proxy/resolv.conf when I symlinked /etc/resolv.conf to it, as it then started to complain).

However I can confirm that in Beowulf /etc/rcS.d/S12apparmor does start before /etc/rcS.d/S13networking, as one can see by looking at /var/log/boot. I doubt if moving it any earlier (before file systems are mounted) would help.

Upgrading to beowulf will be the best, then. Are there any unconfined processes left?

#4 Re: Installation » Apparmor (support) is a complete joke » 2020-06-10 13:45:40

I think this is due to networking being ahead of apparmor in the boot order:

TARGETS = mountkernfs.sh eudev keyboard-setup.sh mountdevsubfs.sh brltty bootlogd urandom mountall.sh mountall-bootclean.sh hwclock.sh mountnfs.sh mountnfs-bootclean.sh alsa-utils networking checkroot.sh hostname.sh procps checkfs.sh checkroot-bootclean.sh bootmisc.sh kmod espeakup screen-cleanup x11-common stop-bootlogd-single apparmor

How do I make apparmor start first? Apparently that init script is responsible for loading profiles into the kernel and must run before anything else.
I have tried moving S12apparmor symlink to S00apparmor in /etc/rcS.d/ to no avail.
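As an added example (not from the thread): the two ordering checks the post does by eye, scripted so they can be re-run after every change. The TARGETS line is the one quoted in the post, which is the format insserv writes to /etc/init.d/.depend.boot; the rcS.d directory is a constructed temporary one, and the function and variable names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: two small checks for sysvinit boot
# ordering. TARGETS_LINE is copied from the post; the rcS.d directory is
# constructed by make_demo_rcsd and is not a real system's.

TARGETS_LINE='TARGETS = mountkernfs.sh eudev keyboard-setup.sh mountdevsubfs.sh brltty bootlogd urandom mountall.sh mountall-bootclean.sh hwclock.sh mountnfs.sh mountnfs-bootclean.sh alsa-utils networking checkroot.sh hostname.sh procps checkfs.sh checkroot-bootclean.sh bootmisc.sh kmod espeakup screen-cleanup x11-common stop-bootlogd-single apparmor'

# position_in_targets LINE NAME -> 1-based position of NAME in LINE, 0 if absent
position_in_targets() {
    printf '%s\n' "$1" | sed 's/^TARGETS *= *//' | tr -s ' ' '\n' \
        | awk -v n="$2" '$0 == n { print NR; found = 1; exit } END { if (!found) print 0 }'
}

# targets_before LINE A B -> exit 0 when A is listed (and so started) before B
targets_before() {
    a=$(position_in_targets "$1" "$2"); b=$(position_in_targets "$1" "$3")
    [ "$a" -gt 0 ] && [ "$b" -gt 0 ] && [ "$a" -lt "$b" ]
}

# rcsd_before DIR A B -> exit 0 when the S<NN>A link sorts before S<NN>B;
# sysvinit runs the S* links of a runlevel directory in lexical order.
rcsd_before() {
    la=$(ls "$1" | grep "^S[0-9][0-9]$2\$" | head -n 1)
    lb=$(ls "$1" | grep "^S[0-9][0-9]$3\$" | head -n 1)
    [ -n "$la" ] && [ -n "$lb" ] && expr "$la" \< "$lb" >/dev/null
}

# make_demo_rcsd -> prints a temporary directory laid out like the post's rcS.d
# (dangling links are fine; only the names matter for the ordering check)
make_demo_rcsd() {
    d=$(mktemp -d)
    for l in S01mountkernfs.sh S12apparmor S13networking S17bootmisc.sh; do
        ln -s "../init.d/${l#S??}" "$d/$l"
    done
    printf '%s\n' "$d"
}

# Usage: compare the two orderings the post discusses.
if targets_before "$TARGETS_LINE" apparmor networking; then
    echo "TARGETS: apparmor starts before networking"
else
    echo "TARGETS: networking (position $(position_in_targets "$TARGETS_LINE" networking)) starts before apparmor (position $(position_in_targets "$TARGETS_LINE" apparmor))"
fi
demo=$(make_demo_rcsd)
if rcsd_before "$demo" apparmor networking; then
    echo "rcS.d: the apparmor link sorts before the networking link"
fi
rm -rf "$demo"
```

On a Debian-style sysvinit with insserv, the S<NN> sequence numbers and the .depend.boot file are regenerated from the LSB headers (Required-Start, X-Start-Before and friends) of the scripts in /etc/init.d, so renaming a link by hand is not durable; the header is where the ordering is declared, and re-running the check above after a change shows whether it took.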

#5 Re: Installation » Apparmor (support) is a complete joke » 2020-06-09 11:29:53

I've now changed the profile definition line from

profile dhclient /{usr/,}sbin/dhclient

to

profile /sbin/dhclient

Which results in progress:

0 profiles are in complain mode.
2 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/nscd (1899) 
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /sbin/dhclient (880) 

#6 Re: Installation » Apparmor (support) is a complete joke » 2020-06-09 11:21:11

Altoid wrote:

Glad you managed to get it to work.

See?
Wasn't that hard.
Lack of designed maintainer and all.

Cheers,

A.

"work" is too strong of a word given the state of AppArmor on this test VM.

Every package I install, every README and man-page I read, every command I execute and ultimately, every post I add to this thread is a further nail to AppArmor-on-Devuan's coffin.

/usr/share/doc/apparmor-profiles/extras/README contains example commands of which: 2/7 do not exist, 4/7 use invocations of aa-enforce/aa-complain that are not documented in their man pages (but actually do something) and the remaining one is useless to me.

I have dhclient running, and there is a dhclient profile in /usr/share/doc/apparmor-profiles/extras/sbin.dhclient. So I followed instructions in the README by copying (which is bad from a maintenance perspective, not to mention that the profile should probably be part of the isc-whatever-dhclient package in the first place) that profile to /etc/apparmor.d. Then I ran

aa-enforce /etc/apparmor.d/sbin.dhclient

which resulted in

Setting /etc/apparmor.d/sbin.dhclient to enforce mode.

Yay, right? Nope: aa-status now says:

44 profiles are in enforce mode.
   /usr/bin/irssi
   ...
   dhclient
   ..

Notice how dhclient has no /sbin in front of it? The heck?

After n+1th reboot, dhclient is still not confined.

This is also funny:

# aa-enforce /sbin/dhclient 
Setting /sbin/dhclient to enforce mode.

ERROR: /etc/apparmor.d/sbin.dhclient contains no profile

(Yes, I've checked: /etc/apparmor.d/sbin.dhclient does define a profile)
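As an added example (not from the thread) covering the `profile dhclient /{usr/,}sbin/dhclient` versus `profile /sbin/dhclient` headers in this post and the next one: a script that reads the header of a profile file and separates the profile name, which is what aa-status lists, from the attachment path, which is what the kernel matches against the executable, and then checks whether that attachment resolves to an existing executable. The two profile files and the fake root tree are constructed by setup_demo; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: report an AppArmor profile's NAME (what
# aa-status prints) and ATTACHMENT (the path the kernel matches), and check
# that the attachment resolves to an executable under a given root.
# Everything created by setup_demo is constructed for this demo.

# profile_header FILE -> prints "NAME ATTACHMENT" for the first profile in FILE.
# Handles "profile NAME /path {", "profile /path {" and the bare "/path {" form,
# ignores flags=(...) such as flags=(complain); a named profile with no
# attachment prints "-" as its attachment.
profile_header() {
    awk '
        /^[ \t]*#/ { next }                      # comments and #include lines
        /\{[ \t]*$/ && !found {
            found = 1
            sub(/\{[ \t]*$/, "")                 # drop the opening brace
            gsub(/flags=\([^)]*\)/, "")          # drop flags=(complain) etc.
            sub(/^[ \t]*profile[ \t]+/, "")      # drop the profile keyword
            if (NF >= 2)          print $1, $2   # named profile with attachment
            else if ($1 ~ /^\//)  print $1, $1   # path-named: name is the path
            else                  print $1, "-"  # named, attaches to nothing
            exit
        }' "$1"
}

# expand_alternation PATTERN -> one line per alternative of the first {a,b,...}
# group: /{usr/,}sbin/dhclient -> /usr/sbin/dhclient and /sbin/dhclient.
# (Only the first group is expanded; nested groups are left as they are.)
expand_alternation() {
    pat=$1; ob='{'; cb='}'
    case $pat in
        *\{*\}*)
            pre=${pat%%"$ob"*}; rest=${pat#*"$ob"}
            grp=${rest%%"$cb"*}; suf=${rest#*"$cb"}
            last=
            while :; do
                case $grp in
                    *,*) alt=${grp%%,*}; grp=${grp#*,} ;;
                    *)   alt=$grp; last=1 ;;
                esac
                printf '%s%s%s\n' "$pre" "$alt" "$suf"
                [ -n "$last" ] && break
            done ;;
        *)  printf '%s\n' "$pat" ;;
    esac
}

# attachment_exists ROOT PATTERN -> prints the first alternative that is an
# executable under ROOT (use ROOT="" for the live system); exit 1 if none.
attachment_exists() {
    root=$1
    for p in $(expand_alternation "$2"); do
        if [ -x "$root$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    return 1
}

# check_profile ROOT FILE -> one summary line per profile file; exit 1 when
# the profile cannot attach to anything present.
check_profile() {
    hdr=$(profile_header "$2")
    name=${hdr%% *}; attach=${hdr#* }
    if [ "$attach" = "-" ]; then
        printf '%s: named profile "%s" has no attachment, so no executable is confined by it\n' "$2" "$name"
        return 1
    fi
    if exe=$(attachment_exists "$1" "$attach"); then
        printf '%s: aa-status lists "%s"; attaches to %s (present)\n' "$2" "$name" "$exe"
    else
        printf '%s: aa-status lists "%s"; attachment %s matches no executable\n' "$2" "$name" "$attach"
        return 1
    fi
}

# setup_demo -> prints a temp dir holding a fake root and two constructed
# profile files modelled on the headers discussed in the thread.
setup_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/root/sbin"
    : > "$d/root/sbin/dhclient"; chmod +x "$d/root/sbin/dhclient"   # fake executable
    cat > "$d/named.profile" <<'EOF'
# constructed: named profile with an attachment pattern
#include <tunables/global>

profile dhclient /{usr/,}sbin/dhclient {
  #include <abstractions/base>
  /etc/dhcp/** r,
}
EOF
    cat > "$d/path.profile" <<'EOF'
# constructed: path-named profile in complain mode
#include <tunables/global>

profile /sbin/dhclient flags=(complain) {
  #include <abstractions/base>
}
EOF
    printf '%s\n' "$d"
}

# Usage: run the check over both demo profiles against the fake root.
demo=$(setup_demo)
for f in "$demo"/*.profile; do check_profile "$demo/root" "$f" || true; done
rm -rf "$demo"
```

Run against the live system as `for f in /etc/apparmor.d/*; do check_profile "" "$f"; done` to see, before rebooting, which name each file will show up under in aa-status and whether its attachment points at a binary that is actually installed.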

#7 Re: Installation » Apparmor (support) is a complete joke » 2020-06-08 21:47:57

I have both apparmor-utils and dh-apparmor.

What I just did was install NSCD and what do you know:

43 profiles are loaded.
43 profiles are in enforce mode.
...
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/nscd (3725) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

I also just did dpkg-reconfigure apparmor.

The "0 processes are unconfined but have a profile defined." line suggests that everything other than nscd does not have a profile at all. Which means I need to get more profiles somewhere.

And indeed, a short excursion into /etc/apparmor.d reveals that there aren't many profiles present.

#8 Re: Installation » Apparmor (support) is a complete joke » 2020-06-08 18:42:16

Altoid wrote:

Hello:
I see.
Looking for apparmor bug reports I found this:

Devuan bug report logs: bugs in source package apparmor
There is no maintainer for apparmor. This means that this package no longer exists (or never existed). Please do not report new bugs against this package.

Looks like the topic title is on point, then D:

Altoid wrote:

Notwithstanding, apparmor would seem to be available as a package for Devuan ascii.

Much to my chagrin, this is as far as I can go with this as it is rather above my pay grade, so to speak, and like I mentioned in my first post, I only once had an issue with apparmor showing up in my dmesg, which led me to learn that apparmor was disabled in Devuan ascii, and that was it as I was not interested in enabling it.

There has to be a trace of this somewhere in your system logs.
e.g. in my case, I get this output in /var/log/syslog (same in /var/log/kern.log and /var/log/messages):

~$ cat /var/log/syslog | grep -i apparmor 
--- snip ---
[    0.010665] AppArmor: AppArmor disabled by boot time parameter
~$

Everything seems to be enabled, just not working:

Jun  7 22:54:14 devuan kernel: [    0.000000] Kernel command line: BOOT_IMAGE=/devuan/root.subvol/boot/vmlinuz-4.9.0-6-amd64 root=UUID=d7e92d18-e57a-4d4a-9f7e-e9301fa4c16e ro rootflags=subvol=devuan/root.subvol quiet apparmor=1 security=apparmor
Jun  7 22:54:14 devuan kernel: [    0.008000] AppArmor: AppArmor initialized
Jun  7 22:54:14 devuan kernel: [    0.213838] AppArmor: AppArmor Filesystem Enabled
Jun  7 22:54:14 devuan kernel: [    0.404639] AppArmor: AppArmor sha1 policy hashing enabled
Jun  7 22:54:14 devuan kernel: [   11.708360] audit: type=1400 audit(1591563247.192:2): apparmor="STATUS" operation="profile_load" name="ping" pid=1544 comm="apparmor_parser"

Altoid wrote:

There is also the remote possibility of a missing dependency.

~# apt-get install -f --dry-run

Check to see what it says and post back.
I'm sure someone knows much more than me about this.

Cheers,

A.

Everything seems fine:

apt-get install -f --dry-run
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following package was automatically installed and is no longer required:
  dwz
Use 'apt autoremove' to remove it.
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded

I think the problem is how to associate programs with AppArmor profiles. I've installed both apparmor-profiles and apparmor-profiles-extra, and then aa-enforce'd /etc/apparmor.d/*, but that has not produced even one confined process (after reboot, of course... total joke).

#9 Re: Installation » Apparmor (support) is a complete joke » 2020-06-08 12:24:14

Altoid wrote:

Hello:
...There should be a line like this one:
...

There is, and:

cat /proc/cmdline
BOOT_IMAGE=/devuan/root.subvol/boot/vmlinuz-4.9.0-6-amd64 root=UUID=d7e92d18-e57a-4d4a-9f7e-e9301fa4c16e ro rootflags=subvol=devuan/root.subvol quiet apparmor=1 security=apparmor

#10 Re: Installation » Apparmor (support) is a complete joke » 2020-06-08 01:42:35

Altoid wrote:

Hmmm ...
How about taking two or three cups of chamomile tea?  8^7

I've downed an entire barrel of it already!

Altoid wrote:

$~ man apparmor

Or this.

I have read through both of those, top to bottom, skipping the Ubuntu section.

Altoid wrote:

Particularly the part that says this:  (because ASCII = Stretch < Buster)

Enable AppArmor
If you are using Debian 10 "Buster" or newer, AppArmor is enabled by default so you can skip this step.   <- if you are running Devuan ASCII, you don't get to skip it.

The AppArmor Linux Security Modules (LSM) must be enabled from the linux kernel command line in the bootloader:

$ sudo mkdir -p /etc/default/grub.d
$ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"' \
  | sudo tee /etc/default/grub.d/apparmor.cfg
$ sudo update-grub
$ sudo reboot

That was what the first reboot was for in my original post.

#11 Installation » Apparmor (support) is a complete joke » 2020-06-07 22:57:22

specing
Replies: 22

I am furious, FURIOUS!

Following https://wiki.debian.org/AppArmor/HowToUse, I am unable to set up Apparmor in Devuan Ascii:

First, I had to(!) reboot to boot with apparmor=1 security=apparmor (apparently not possible otherwise).

Second, I had to(!) reboot for a second time after manually(!) setting every single thing to enforce (aa-enforce /etc/apparmor.d/*),
because confinement apparently cannot be applied to running processes.

And after all this, # aa-unconfined still reports that everything is unconfined.

How does one set up Apparmor on Devuan Ascii?

#12 Re: Installation » How to install Devuan in BTRFS partition with subvolumes @ and @home ? » 2020-05-10 10:45:49

waynedpj wrote:

...

Cool. My instructions were for making an entirely new install; I have not yet concerned myself with multiple distros on the same btrfs (outside LXC).

If the installer does not let you proceed without creating anything on disk, then my first reaction would be to give it a USB stick or another disk (easy with qemu) to play on. Then change /target before starting installation.

#13 Re: Documentation » HOWTO: package caching with nginx » 2019-02-20 20:59:50

I have updated the config, my initial one missed deb.debian.org (see amprolla rewrites).

#14 Re: Documentation » HOWTO: package caching with nginx » 2019-02-19 16:52:24

Everything hitting mirror.local/devuan goes to the reverse proxied server (in this case ftp.fau.de), including /devuan/merged.

#15 Re: Installation » How to install Devuan in BTRFS partition with subvolumes @ and @home ? » 2019-02-19 03:10:42

I don't like the @ naming convention for subvolumes as the @ has to be escaped in shell. Instead I give these directories the .subvol extension.

Choose expert install, proceed up to and including partitioning. Finish partitioning normally, choosing luks,lvm,btrfs or whatever. Then:
- go to another terminal (alt+f2)
- find the btrfs filesystem device in the output of # mount (in my case it is at /dev/vg_devuan/main)
- # mkdir /tmp/target
- # cp -ar /target/* /tmp/target
- # umount /target
- (Add --mixed if device is under 5 GB or so) # mkfs.btrfs -f /dev/vg_devuan/main
- # mkdir /rv
- # mount -o noatime,compress=lzo,nossd,autodefrag,space_cache=v2 /dev/vg_devuan/main /rv
- # btrfs subvol create /rv/devuan/root.subvol
- # mount -o noatime,compress=lzo,nossd,autodefrag,subvol=/devuan/root.subvol /dev/path/to/btrfs/device /target
- # cp -ar /tmp/target/* /target
- (optional, if you are low on RAM) # rm -r /tmp/target

Now go back to the installer and proceed at the "Install base system" step.

Disregard the above, it results in the "Install base system" hitting
"Error: apt or in-target already running" and I do not know how to resolve it.
So, just complete the install normally, without compression or subvolumes,
we'll deal with that later.
This does not happen any more.

Complete the install and reboot. When it reboots, login as root only and do the following:
- # mkdir /rv
Edit /etc/fstab, and change it to resemble the following (Note: the nossd flag is there because the ssd allocator has some issues on kernels <4.15 or some such):

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system>            <mount point>   <type>  <options>       <dump>  <pass>
/dev/mapper/vg_devuan-main /               btrfs   defaults,nossd,compress=lzo,noatime,subvol=/devuan/root.subvol 0 0
/dev/mapper/vg_devuan-main /home           btrfs   defaults,nossd,compress=lzo,noatime,subvol=/devuan/home.subvol 0 0
/dev/mapper/vg_devuan-main /rv             btrfs   defaults,nossd,compress=lzo,noatime,subvolid=5                 0 0

tmpfs                      /tmp            tmpfs   defaults                                                       0 0

/dev/sr0                   /media/cdrom0   udf,iso9660 user,noauto                                                0 0

The /tmp line is optional.

- # mount /rv
- # btrfs subvol create /rv/devuan/home.subvol
- # cp -ar --reflink=always /rv/devuan/root.subvol/home/* /rv/devuan/home.subvol
Remember the --reflink=always parameter, it makes cp do a shallow copy on btrfs (same files underneath, copy on change). You might want to put that into bashrc as an alias: alias cpref="cp --reflink=always".
- # rm -r /home/*
- # mount /home

Reboot for the new mount flags to take effect. Now it should work as intended and the output of # mount should reflect that.

EDIT 2020.05.10: Changed 16GB->5GB to be in line with btrfs recommendations. Added space_cache=v2. Changed rootfs.subvol to just root.subvol
Note: if you get stuck on the first boot, ctrl-c will unstuck it and land you at login. If you further cannot remount / rw, then also specify the device on the command line. Seems to happen if no lvm/luks is used, as the above reformat step will change UUID.

I will amend this post with further fixes, should any problems arise.
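As an added example (not from the post): a lint for the btrfs entries of an fstab that checks the points the procedure above depends on before the reboot where things go wrong: that something mounts /, that the entries on one device agree on the compression option (btrfs applies most mount options filesystem-wide and takes them from the first mount of the device), that an entry without subvol=/subvolid= is recognised as a top-level mount, and that nossd is present when the kernel is older than 4.15, as the post's note says. The two fstab files are constructed by write_demo_fstabs (the first mirrors the post's layout, the second has deliberate mistakes); the function names are mine.

```shell
#!/bin/sh
# Added example, not from the post: lint the btrfs entries of an fstab file.
# Both fstab files written by write_demo_fstabs are constructed for this demo.

# fstab_btrfs_lint FSTAB KERNEL_VERSION -> prints findings and a SUMMARY line;
# exit 1 when any WARN was printed. The kernel version is a parameter (pass
# "$(uname -r)" for the running system) so a file for another machine can be
# checked too.
fstab_btrfs_lint() {
    awk -v kver="$2" '
        BEGIN {
            split(kver, v, ".")
            old_ssd_alloc = (v[1] + 0 < 4) || (v[1] + 0 == 4 && v[2] + 0 < 15)
        }
        /^[ \t]*#/ || NF < 4 { next }                 # comments, blank lines
        $3 == "btrfs" {
            n++; dev[n] = $1; mp[n] = $2; comp[n] = "no compression"
            has_sub = 0; has_nossd = 0
            cnt = split($4, o, ",")
            for (i = 1; i <= cnt; i++) {
                if (o[i] ~ /^subvol(id)?=/) has_sub = 1
                if (o[i] == "nossd")        has_nossd = 1
                if (o[i] ~ /^compress/)     comp[n] = o[i]
            }
            if (!has_sub)
                print "INFO " $2 ": no subvol=/subvolid= option, so this mounts the top-level subvolume"
            if (old_ssd_alloc && !has_nossd) {
                print "WARN " $2 ": kernel " kver " is older than 4.15, add nossd"; w++
            }
            if ($2 == "/") has_root = 1
        }
        END {
            if (n && !has_root) { print "WARN no btrfs entry mounts /"; w++ }
            for (i = 2; i <= n; i++)
                if (dev[i] == dev[1] && comp[i] != comp[1]) {
                    print "WARN " mp[i] ": " comp[i] " differs from " mp[1] " (" comp[1] "); filesystem-wide options come from the first mount of the device"; w++
                }
            printf "SUMMARY: %d btrfs entries, %d warning(s)\n", n, w + 0
            exit (w > 0)
        }' "$1"
}

# write_demo_fstabs DIR -> writes DIR/fstab.good (the post's layout) and
# DIR/fstab.bad (constructed mistakes: nossd forgotten, mixed compression,
# top level mounted without subvolid=).
write_demo_fstabs() {
    cat > "$1/fstab.good" <<'EOF'
# constructed: the layout from the post
/dev/mapper/vg_devuan-main /     btrfs defaults,nossd,compress=lzo,noatime,subvol=/devuan/root.subvol 0 0
/dev/mapper/vg_devuan-main /home btrfs defaults,nossd,compress=lzo,noatime,subvol=/devuan/home.subvol 0 0
/dev/mapper/vg_devuan-main /rv   btrfs defaults,nossd,compress=lzo,noatime,subvolid=5                 0 0
tmpfs                      /tmp  tmpfs defaults 0 0
EOF
    cat > "$1/fstab.bad" <<'EOF'
# constructed: nossd forgotten, mismatched compression, top level without subvolid=
/dev/sda2 /     btrfs defaults,compress=lzo,subvol=/devuan/root.subvol  0 0
/dev/sda2 /home btrfs defaults,compress=zstd,subvol=/devuan/home.subvol 0 0
/dev/sda2 /rv   btrfs defaults,compress=lzo                             0 0
EOF
}

# Usage: lint both demo files as if on the post's 4.9 kernel.
demo=$(mktemp -d)
write_demo_fstabs "$demo"
fstab_btrfs_lint "$demo/fstab.good" 4.9.0-6-amd64 || true
fstab_btrfs_lint "$demo/fstab.bad"  4.9.0-6-amd64 || true
rm -rf "$demo"
```

For the real file, `fstab_btrfs_lint /etc/fstab "$(uname -r)"` before `mount /rv` and the reboot; a non-zero exit means at least one WARN line to read.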

#16 Documentation » HOWTO: package caching with nginx » 2019-02-13 20:53:54

specing
Replies: 3

Put this config inside the http section and modify it as you see fit. I recommend changing back-end mirrors (ftp.fau.de and debian.ethz.ch), cache size (max_size) and cache paths (/data/nginx/*).

#proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_cache_path /data/nginx/devuan levels=2 keys_zone=devuan-cache:4m max_size=10000m inactive=1y loader_files=1000 loader_threshold=10000;
proxy_cache_path /data/nginx/debian levels=2 keys_zone=debian-cache:4m max_size=10000m inactive=1y loader_files=1000 loader_threshold=10000;
proxy_cache_path /data/nginx/debian-security levels=2 keys_zone=debian-security-cache:4m max_size=10000m inactive=1y loader_files=1000 loader_threshold=10000;
# caching options
proxy_temp_path  /data/nginx/disttmp;

# TODO: proxy_ssl_verify!
server {
	listen 80;
	server_name proxy.local;

	access_log /var/log/nginx/proxy_mirror.access_log main;
	error_log  /tmp/proxy_mirror.error_log debug;

	# (the access_log/error_log lines above already enable logging; "on" is not
	#  a valid argument to either directive and would be taken as a file name)

	location /devuan {
		proxy_pass https://ftp.fau.de/devuan;
		proxy_set_header Host ftp.fau.de;
		proxy_redirect default;
		proxy_redirect https://ftp.fau.de /;
		# see https://git.devuan.org/devuan-infrastructure/amprolla3/blob/master/contrib/nginx.conf#L12
		proxy_redirect http://auto.mirror.devuan.org/ /;
		proxy_redirect https://auto.mirror.devuan.org/ /;
		proxy_redirect http://deb.debian.org /;
		proxy_redirect https://deb.debian.org /;

		proxy_cache devuan-cache;
		# for items with response codes 200 (Success:OK) and 302 (Redirection:Found)
		proxy_cache_valid 200 302 3y;
		# for 404 (ClientError:Not Found)
		proxy_cache_valid 404 1m;

		proxy_cache_revalidate on;
	}

	location /debian {
		proxy_pass https://debian.ethz.ch/debian;
		proxy_set_header Host debian.ethz.ch;
		proxy_redirect default;
		proxy_redirect https://debian.ethz.ch /;

		proxy_cache debian-cache;
		# for items with response codes 200 (Success:OK) and 302 (Redirection:Found)
		proxy_cache_valid 200 302 3y;
		# for 404 (ClientError:Not Found)
		proxy_cache_valid 404 1m;

		proxy_cache_revalidate on;
	}

	location /debian-security {
		proxy_pass https://debian.ethz.ch/debian-security;
		proxy_set_header Host debian.ethz.ch;
		proxy_redirect default;
		proxy_redirect https://debian.ethz.ch /;

		proxy_cache debian-security-cache;
		# for items with response codes 200 (Success:OK) and 302 (Redirection:Found)
		proxy_cache_valid 200 302 3y;
		# for 404 (ClientError:Not Found)
		proxy_cache_valid 404 1m;

		proxy_cache_revalidate on;
	}
}

In "Configure the package manager":
  - select "enter information manually" on the archive mirror country
  - use proxy.local as hostname
  - use /devuan/merged as path
  - if installer says that the specified mirror does not support your architecture, then that probably means that the proxy server cannot reach the real server (in the case of long timeout) or that it is forwarding a different directory (short timeout)
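As an added example (not from the post): a check for the `# TODO: proxy_ssl_verify!` left in the config above. Without `proxy_ssl_verify on`, nginx accepts any certificate from the upstream mirror, so whoever can interpose on the proxy's path to ftp.fau.de or debian.ethz.ch can feed the cache; APT's signature check on the Release files still protects clients from installing tampered packages, but the cache fills with bad objects and stays that way for the `3y` validity configured. The script below finds every `location` that proxies to an `https://` upstream without `proxy_ssl_verify on` in scope, and the fixed config it is run against shows the three directives that close the gap (`proxy_ssl_verify`, `proxy_ssl_trusted_certificate`, `proxy_ssl_server_name`; the CA bundle path is Debian's ca-certificates default). Both config files are constructed by write_demo_nginx_confs; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the post: flag location blocks that proxy_pass to an
# https:// upstream without proxy_ssl_verify on in scope. The two nginx config
# files written by write_demo_nginx_confs are constructed for this demo.

# nginx_upstream_tls_lint FILE -> one WARN per unverified https upstream plus a
# SUMMARY line; exit 1 if any. Scope handling is deliberately simple: a block
# inherits proxy_ssl_verify from the enclosing block as it stood when the block
# opened, so put the directive before the locations it should cover.
nginx_upstream_tls_lint() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        {
            line = $0; sub(/#.*/, "", line); line = trim(line)
            if (line == "") next
            if (line ~ /\{$/) {                       # block opens: inherit parent scope
                depth++
                sub(/[ \t]*\{$/, "", line)
                verify[depth] = verify[depth - 1]
                name[depth] = line; https[depth] = 0
                next
            }
            if (line == "}") {                        # block closes: report and pop
                if (https[depth] && !verify[depth]) {
                    print "WARN " name[depth] ": proxy_pass to https:// without proxy_ssl_verify on"; w++
                }
                depth--
                next
            }
            if (line ~ /^proxy_ssl_verify[ \t]+on;/)  verify[depth] = 1
            if (line ~ /^proxy_ssl_verify[ \t]+off;/) verify[depth] = 0
            if (line ~ /^proxy_pass[ \t]+https:\/\//) https[depth] = 1
        }
        END { printf "SUMMARY: %d unverified https upstream(s)\n", w + 0; exit (w > 0) }' "$1"
}

# write_demo_nginx_confs DIR -> DIR/weak.conf (trimmed from the post, one
# location unverified) and DIR/fixed.conf (verification at server scope).
write_demo_nginx_confs() {
    cat > "$1/weak.conf" <<'EOF'
# constructed: trimmed from the thread's config, /devuan still unverified
server {
    listen 80;
    server_name proxy.local;

    location /devuan {
        proxy_pass https://ftp.fau.de/devuan;
        proxy_set_header Host ftp.fau.de;
        proxy_cache devuan-cache;
    }

    location /debian {
        proxy_pass https://debian.ethz.ch/debian;
        proxy_set_header Host debian.ethz.ch;
        # verified upstream: CA bundle is the Debian ca-certificates path
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_ssl_server_name on;
        proxy_cache debian-cache;
    }
}
EOF
    cat > "$1/fixed.conf" <<'EOF'
# constructed: verification set once at server scope, before the locations
server {
    listen 80;
    server_name proxy.local;
    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    proxy_ssl_server_name on;

    location /devuan {
        proxy_pass https://ftp.fau.de/devuan;
        proxy_set_header Host ftp.fau.de;
    }
    location /debian {
        proxy_pass https://debian.ethz.ch/debian;
        proxy_set_header Host debian.ethz.ch;
    }
}
EOF
}

# Usage: lint both demo configs.
demo=$(mktemp -d)
write_demo_nginx_confs "$demo"
nginx_upstream_tls_lint "$demo/weak.conf" || true
nginx_upstream_tls_lint "$demo/fixed.conf" || true
rm -rf "$demo"
```

`proxy_ssl_name` defaults to the host in `proxy_pass`, so with the upstream given as a hostname the certificate is checked against ftp.fau.de or debian.ethz.ch without further configuration; `proxy_ssl_server_name on` sends that name as SNI, which some mirrors need to present the right certificate.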
