nick | message | time
---|---|---
ahasenack | there is this package, python-bonsai, which has some extensive ldap dep8 tests | 13:03
ahasenack | the setup it does has slapd logging to /var/log/slapd.log, and it did the famous chmod 777 /var/log for it to work | 13:03 |
ahasenack | of course I'm changing that, but in debian slapd is not confined via apparmor, in ubuntu it is | 13:03 |
ahasenack | so I'm doing this, and was wondering if you guys had another pattern for checking if a daemon is confined, and then taking some action: https://pastebin.ubuntu.com/p/Z4g8c36ZWM/ | 13:04 |
ahasenack | this has to work in debian as well (I want to keep this package a sync) | 13:04 |
ahasenack | that /etc/apparmor.d/local/* profile is created by dh_apparmor | 13:05 |
ahasenack | if it's not there, then this is unlikely to be ubuntu | 13:05 |
ahasenack | I have to precreate the log file because slapd runs as openldap:openldap, and can't create files in /var/log | 13:07 |
georgiag | ahasenack: aa-unconfined checks /proc/pid/attr/apparmor/current as you did, and it also falls back to /proc/pid/attr/current when apparmor/current does not exist, which I think is for the case when LSM stacking is not available in the kernel, but I'm not 100% sure | 13:22 |
ahasenack | ah, nice | 13:23 |
* | ahasenack checks aa-unconfined | 13:23 |
ahasenack | that's from apparmor-utils, usually not installed by default though | 13:23 |
ahasenack | I could add a dep on it, just wondering if it would be too much for the debian maintainer | 13:24 |
georgiag | ahasenack: aa-unconfined lists processes using tcp/udp ports that are not confined, I'm not sure if it's what you're looking for | 13:26 |
ahasenack | I just want to check if slapd is confined, because if it is, then I need to amend the profile to let it write to /var/log/slapd.log | 13:29 |
ahasenack | I could assume that, if I'm on ubuntu, I should amend the profile always | 13:29 |
ahasenack | but then if debian eventually adopts the apparmor profile, the test would fail | 13:29 |
ahasenack | aa-unconfined looks cleaner though, I'll try that approach, see what the debian maintainer thinks | 13:30 |
=== | jdstrand_ is now known as jdstrand | |
ahasenack | hm, aa-unconfined isn't that great. I would have to grep its output, and it will only list apps that have open ports | 18:42 |
sarnold | ahasenack: there's a --paranoid switch which goes through all the pids in /proc | 18:49 |
sarnold | ahasenack: but yes, it's not that great; it started out to help us prepare for a CTF event and never quite got the attention it deserved :) | 18:49 |
sarnold | I suspect georgiag mentioned it more as something to steal from :D | 18:50 |
ahasenack | I was expecting it to be given a process name, or pid perhaps, and return 0 or 1 | 18:50 |
ahasenack | given its name | 18:50 |
sarnold | ah! | 18:51 |
georgiag | yeah, that was my intention sarnold :) | 19:02 |
sarnold | \o/ | 19:03 |