Your message dated Sat, 27 Dec 2025 22:49:21 +0000
with message-id <[email protected]>
and subject line Bug#1110149: fixed in ejabberd 24.12-4
has caused the Debian Bug report #1110149,
regarding ejabberd breaks apparmor after upgrade (bookworm -> trixie)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1110149: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110149
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ejabberd
Version: 24.12-3
Severity: important

Dear Maintainer,

After upgrading ejabberd on a host with apparmor installed, apparmor
failed to load:

> Jul 30 12:24:02 nyarlathotep apparmor.systemd[179961]: profile has merged rule with conflicting x modifiers
> Jul 30 12:24:02 nyarlathotep apparmor.systemd[179961]: ERROR processing regexs for profile su, failed to load
> Jul 30 12:24:02 nyarlathotep apparmor.systemd[179860]: Error: At least one profile failed to load
> Jul 30 12:24:02 nyarlathotep systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
> Jul 30 12:24:02 nyarlathotep systemd[1]: apparmor.service: Failed with result 'exit-code'.
> Jul 30 12:24:02 nyarlathotep systemd[1]: Failed to start apparmor.service - Load AppArmor profiles.

Given the error message mentions "profile su", the following search
shows ejabberd as being the only relevant package:

>> find /etc/apparmor.d -type f -exec grep -H '\bsu\b' {} \;

> /etc/apparmor.d/usr.sbin.ejabberdctl:   profile su flags=(attach_disconnected) {
> /etc/apparmor.d/usr.sbin.ejabberdctl:           /{,usr/}bin/su                          rm,
> /etc/apparmor.d/usr.sbin.ejabberdctl:   /usr/lib/erlang/p1_pam/bin/epam                 px -> /usr/sbin/ejabberdctl//su,

Through trial and error (and a very rudimentary understanding of
apparmor), I butchered /etc/apparmor.d/usr.sbin.ejabberdctl, verified
restarting apparmor was now successful, then restored bits of the file,
repeating the restarts until I could isolate a single line which was
causing apparmor to fail to load:

>                /{,usr/}sbin/unix_chkpwd                rmix,

After this change, I restarted ejabberd, verifying the server is still
functional.

For the record:

>> dpkg-query -l apparmor\*

> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> ||/ Name                    Version      Architecture Description
> +++-=======================-============-============-======================================
> ii  apparmor                4.1.0-1      amd64        user-space parser utility for AppArmor
> un  apparmor-easyprof       <none>       <none>       (no description available)
> un  apparmor-profiles-extra <none>       <none>       (no description available)
> ii  apparmor-utils          4.1.0-1      all          utilities for controlling AppArmor


-- System Information:
Debian Release: 13.0
  APT prefers testing-security
  APT policy: (700, 'testing-security'), (700, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.38+deb13-cloud-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ejabberd depends on:
ii  adduser                     3.152
ii  debconf [debconf-2.0]       1.5.91
ii  erlang-asn1                 1:27.3.4.1+dfsg-1
ii  erlang-base [erlang-abi]    1:27.3.4.1+dfsg-1
ii  erlang-base64url            1.0.1-8+b1
ii  erlang-crypto               1:27.3.4.1+dfsg-1
ii  erlang-goldrush             0.2.0-9+b1
ii  erlang-idna                 6.1.1-5+b1
ii  erlang-inets                1:27.3.4.1+dfsg-1
ii  erlang-jiffy                1.1.2-1+b1
ii  erlang-jose                 1.11.10-1+b1
ii  erlang-lager                3.9.2-3+b1
ii  erlang-mnesia               1:27.3.4.1+dfsg-1
ii  erlang-odbc                 1:27.3.4.1+dfsg-1
ii  erlang-os-mon               1:27.3.4.1+dfsg-1
ii  erlang-p1-acme              1.0.25-1
ii  erlang-p1-cache-tab         1.0.31-2
ii  erlang-p1-eimp              1.0.23-4
ii  erlang-p1-mqtree            1.0.17-2
ii  erlang-p1-pkix              1.0.10-2
ii  erlang-p1-stringprep        1.0.30-2
ii  erlang-p1-stun              1.2.15-1
ii  erlang-p1-tls               1.1.22-1
ii  erlang-p1-utils             1.0.26-2
ii  erlang-p1-xml               1.1.55-1
ii  erlang-p1-xmpp              1.9.4-1
ii  erlang-p1-yaml              1.0.37-2
ii  erlang-p1-yconf             1.0.17-1
ii  erlang-p1-zlib              1.0.13-2
ii  erlang-public-key           1:27.3.4.1+dfsg-1
ii  erlang-ssl                  1:27.3.4.1+dfsg-1
ii  erlang-syntax-tools         1:27.3.4.1+dfsg-1
ii  erlang-unicode-util-compat  0.7.0-5+b1
ii  erlang-xmerl                1:27.3.4.1+dfsg-1
ii  init-system-helpers         1.68
ii  openssl                     3.5.1-1
ii  ucf                         3.0052

ejabberd recommends no packages.

Versions of packages ejabberd suggests:
ii  ejabberd-contrib                 0.2025.01.11~dfsg0-2
ii  erlang-luerl                     1:1.2.3-1+b1
ii  erlang-p1-mysql                  1.0.25-1
ii  erlang-p1-oauth2                 0.6.14-2
ii  erlang-p1-pam                    1.0.14-3
ii  erlang-p1-pgsql                  1.1.31-1
ii  erlang-p1-sip                    1.0.56-1
ii  erlang-p1-sqlite3                1.1.15-2
ii  erlang-redis-client              1.2.0-8
ii  imagemagick                      8:7.1.1.43+dfsg1-1
ii  imagemagick-7.q16 [imagemagick]  8:7.1.1.43+dfsg1-1
ii  libunix-syslog-perl              1.1-4+b4
ii  yamllint                         1.37.1-1

-- Configuration Files:
/etc/apparmor.d/usr.sbin.ejabberdctl changed:
/usr/sbin/ejabberdctl {
        #include <abstractions/base>
        #include <abstractions/consoles>
        #include <abstractions/nameservice>
        capability net_bind_service,
        capability dac_override,
        capability dac_read_search, # for sed
        /{,usr/}bin/bash                                rmix,
        /{,usr/}bin/cat                                 ix,
        /{,usr/}bin/dash                                rmix,
        /{,usr/}bin/date                                ix,
        /{,usr/}bin/df                                  ix,
        /{,usr/}bin/{,p}grep                    ix,
        /{,usr/}bin/ps                                  ix,
        /{,usr/}bin/sed                                 ix,
        /{,usr/}bin/sleep                               ix,
        /{,usr/}bin/su                                  px -> /usr/sbin/ejabberdctl//su,
        profile su flags=(attach_disconnected) {
                #include <abstractions/authentication>
                #include <abstractions/base>
                #include <abstractions/nameservice>
                #include <abstractions/wutmp>
                deny capability net_admin, # setsockopt() with SO_RCVBUFFORCE
                capability audit_write,
                capability setgid,
                capability setuid,
                capability sys_resource,
                capability dac_override,
                capability dac_read_search,
                @{PROC}/@{pid}/loginuid                 r,
                @{PROC}/1/limits                        r,
                /{,usr/}bin/bash                        px -> /usr/sbin/ejabberdctl,
                /{,usr/}bin/dash                        px -> /usr/sbin/ejabberdctl,
                /{,usr/}bin/su                          rm,
                #/{,usr/}sbin/unix_chkpwd               rmix,
                /run/systemd/journal/dev-log            w,
                /etc/environment                        r,
                /etc/default/locale                     r,
                /etc/security/limits.d**                r,
                /lib/@{multiarch}/libpam.so*            rm,
                /usr/lib/erlang/p1_pam/bin/epam         rm,
        }
        /etc/default/ejabberd                           r,
        /etc/ejabberd**                                 r,
        /etc/ImageMagick**                              r,
        /run/ejabberd**                                 rw,
        /sys/devices/system/cpu**                       r,
        /sys/devices/system/node**                      r,
        /proc/sys/kernel/osrelease                      r, # for pgrep
        /proc/sys/kernel/random/uuid            r,
        @{PROC}/                                        r, # for pgrep
        owner @{PROC}/@{pid}/mountinfo          r, # for df
        owner @{PROC}/@{pid}/mounts                     r, # for df
        /usr/bin/cut                                    ix,
        /usr/bin/erl                                    ix,
        /usr/bin/expr                                   ix,
        /usr/bin/flock                                  ix,
        /usr/bin/getent                                 ix,
        /usr/bin/id                                     ix,
        /usr/bin/inotifywait                    ix,
        /usr/bin/seq                                    ix,
        /usr/bin/uuidgen                                ix,
        /usr/lib/erlang/bin/erl                         ix,
        /usr/lib/erlang/erts-*/bin/beam*                ix,
        /usr/lib/erlang/erts-*/bin/child_setup          ix,
        /usr/lib/erlang/erts-*/bin/epmd                 ix,
        /usr/lib/erlang/erts-*/bin/erl_child_setup      ix,
        /usr/lib/erlang/erts-*/bin/erlexec              ix,
        /usr/lib/erlang/erts-*/bin/inet_gethost         ix,
        /usr/lib/erlang/lib/**.so                       rm,
        /usr/lib/erlang/lib/os_mon*/priv/bin/memsup ix,
        /usr/lib/erlang/lib/p1_eimp*/priv/bin/eimp  ix,
        /usr/lib/erlang/p1_pam/bin/epam                 px -> /usr/sbin/ejabberdctl//su,
        /usr/lib/@{multiarch}/ImageMagick-*/**          ix,
        /usr/sbin/ejabberdctl                           r,
        /usr/share/ejabberd**                           r,
        /usr/share/ImageMagick-*/**                     rix,
        /var/backups/                                   rw,
        /var/backups/ejabberd**                         rwlk,
        /var/lib/ejabberd**                             rw,
        /var/log/ejabberd/*                             rwlk,
        /var/run/ejabberd**                             rw,
        # Site-specific additions and overrides. See local/README for details.
        #include <local/usr.sbin.ejabberdctl>
}

/etc/default/ejabberd changed:
ERL_OPTIONS="-env ERL_CRASH_DUMP_BYTES 0"
ERLANG_NODE=ejabberd@nyarlathotep
EJABBERD_PID_PATH=/run/ejabberd/ejabberd.pid
EJABBERD_CONFIG_PATH=/etc/ejabberd/ejabberd.yml
CONTRIB_MODULES_CONF_DIR=/etc/ejabberd/modules.d

/etc/ejabberd/inetrc [Errno 13] Permission denied: '/etc/ejabberd/inetrc'
/etc/ejabberd/modules.d/README.modules [Errno 13] Permission denied: '/etc/ejabberd/modules.d/README.modules'

-- debconf information excluded

-- 
Gerald Turner <[email protected]>        Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80  3858 EC94 2276 FDB8 716D



--- End Message ---
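
Added example (not part of the bug report, and not code from the ejabberd or AppArmor packages): instead of commenting rules out by trial and error, the check below lists every path in a profile that ends up with more than one exec modifier, which is the condition behind "merged rule with conflicting x modifiers". It only compares brace-expanded literal paths (glob overlap is not evaluated), and the include content is a hypothetical stand-in, since the report does not show what the abstraction contributes.

```python
import re
from collections import defaultdict

X_MODE = re.compile(r"[pPcC][iuU]?x|[iuU]x")  # exec modifier inside a permission string
RULE = re.compile(r"^\s*(?:(?:owner|audit)\s+)*([/@]\S*)\s+([A-Za-z]+)\s*(?:->\s*([^\s,]+))?\s*,")
INCLUDE = re.compile(r"^\s*#?include\s+<([^>]+)>")

def expand(path):
    """Expand {a,b} alternations; @{VAR} references are left untouched."""
    m = re.search(r"(?<!@)\{([^{}]*)\}", path)
    if not m:
        return [path]
    return [p for alt in m.group(1).split(",")
            for p in expand(path[:m.start()] + alt + path[m.end():])]

def x_conflicts(text, includes=None):
    """Map (profile, path) -> exec modifiers, for paths that carry more than one."""
    lines, seen, stack = [], defaultdict(set), []
    for line in text.splitlines():  # splice in caller-supplied include text
        inc = INCLUDE.match(line)
        lines += (includes or {}).get(inc.group(1), "").splitlines() if inc else [line]
    for line in lines:
        body = line.strip()
        if body.startswith("#"):  # comment, e.g. a rule that was commented out
            continue
        if body.endswith("{"):  # profile header opens a scope
            stack.append(body[:-1].split("flags=")[0].removeprefix("profile ").strip())
        elif body == "}":
            stack.pop()
        elif (m := RULE.match(line)) and (x := X_MODE.search(m.group(2))):
            for path in expand(m.group(1)):
                seen["//".join(stack), path].add((x.group(), m.group(3)))
    return {k: sorted(v, key=str) for k, v in seen.items() if len(v) > 1}

# Constructed input: a trimmed copy of the su child profile quoted in the report.
# HYPOTHETICAL_INCLUDES is an assumption, not the real contents of the abstraction.
SAMPLE = """\
/usr/sbin/ejabberdctl {
  /{,usr/}bin/su px -> /usr/sbin/ejabberdctl//su,
  profile su flags=(attach_disconnected) {
    #include <abstractions/authentication>
    /{,usr/}bin/su rm,
    /{,usr/}sbin/unix_chkpwd rmix,
  }
}
"""
HYPOTHETICAL_INCLUDES = {"abstractions/authentication": "/{,usr/}sbin/unix_chkpwd Px,\n"}

if __name__ == "__main__":
    print(x_conflicts(SAMPLE, HYPOTHETICAL_INCLUDES))
```

On a real host, pass the text of the installed abstraction files as `includes`; a rule that is commented out, as in the reporter's workaround, no longer counts.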
--- Begin Message ---
Source: ejabberd
Source-Version: 24.12-4
Done: Philipp Huebner <[email protected]>

We believe that the bug you reported is fixed in the latest version of
ejabberd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Philipp Huebner <[email protected]> (supplier of updated ejabberd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 27 Dec 2025 23:20:22 +0100
Source: ejabberd
Architecture: source
Version: 24.12-4
Distribution: unstable
Urgency: medium
Maintainer: Ejabberd Packaging Team <[email protected]>
Changed-By: Philipp Huebner <[email protected]>
Closes: 1110149
Changes:
 ejabberd (24.12-4) unstable; urgency=medium
 .
   * Correctly remove no longer shipped conffile (apparmor profile)
     (Closes: #1110149)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
