Package: apparmor
Version: 3.0.8-3

# dpkg -l "*apparmor*"
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                    Version      Architecture         Description
+++-=======================-============-====================-====================================================
ii  apparmor                3.0.8-3      amd64                user-space parser utility for AppArmor
ii  apparmor-profiles       3.0.8-3      all                  experimental profiles for AppArmor security policies
ii  apparmor-utils          3.0.8-3      all                  utilities for controlling AppArmor
ii  libapache2-mod-apparmor 3.0.8-3      amd64                changehat AppArmor library as an Apache module
ii  libapparmor1:amd64      3.0.8-3      amd64                changehat AppArmor library
ii  python3-apparmor        3.0.8-3      all                  AppArmor Python3 utility library
ii  python3-libapparmor     3.0.8-3      amd64                AppArmor library Python3 bindings

I've configured AppArmor: enabled Apache and created a profile for the virtual host. I've copied the working configuration files from my previous systems (Debian 10 and Debian 11).

The Apache2 profile (usr.sbin.apache2) is untouched (except that I removed the complain flag, so it's in enforce mode). The profile contains only the paths that I want to allow for Apache's VHOST.

When I send the HTTP request to Apache, I got this response:

* Empty reply from server
* Closing connection 0
curl: (52) Empty reply from server

In this case I see these lines in syslog:

2023-09-03T17:51:48.864732+02:00 server kernel: [ 2028.475849] audit: type=1400 audit(1693756308.859:335): apparmor="DENIED" operation="file_perm" profile="apache2//myvhost.mydomain" pid=1851 comm="apache2" laddr=192.168.0.246 lport=80 faddr=192.168.100.140 fport=58896 family="inet" sock_type="stream" protocol=6 requested_mask="receive" denied_mask="receive"
2023-09-03T17:51:48.864735+02:00 server kernel: [ 2028.475859] audit: type=1400 audit(1693756308.859:336): apparmor="DENIED" operation="file_perm" profile="apache2//myvhost.mydomain" pid=1851 comm="apache2" laddr=192.168.0.246 lport=80 faddr=192.168.100.140 fport=58896 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"

# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 12 (bookworm)
Release:        12
Codename:       bookworm

# cat /etc/debian_version
12.1

Thanks,

a.
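
Added example, not part of the original report: a small Python parser for the AppArmor audit records quoted above, grouping the denials by parent profile, hat, operation and socket type so that socket-level denials stand out from path denials. The function names and the "socket"/"path" label are choices made for this example; the sample input is the audit payload of the two syslog lines from the report.

```python
import re
from collections import Counter

# Audit payload of the two DENIED records quoted in the report above.
_COMMON = ('apparmor="DENIED" operation="file_perm" '
           'profile="apache2//myvhost.mydomain" pid=1851 comm="apache2" '
           'laddr=192.168.0.246 lport=80 faddr=192.168.100.140 fport=58896 '
           'family="inet" sock_type="stream" protocol=6 ')
SAMPLE = (
    'audit: type=1400 audit(1693756308.859:335): ' + _COMMON +
    'requested_mask="receive" denied_mask="receive"\n'
    'audit: type=1400 audit(1693756308.859:336): ' + _COMMON +
    'requested_mask="send" denied_mask="send"\n'
)

AUDIT_RE = re.compile(r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def parse_record(line):
    """Return the key/value fields of one AppArmor audit line, or None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    fields = {"epoch": float(m["ts"]), "serial": int(m["serial"])}
    for key, quoted, bare in KV_RE.findall(m["body"]):
        fields[key] = quoted or bare
    return fields if "apparmor" in fields else None

def split_hat(profile):
    """'apache2//myvhost.mydomain' -> ('apache2', 'myvhost.mydomain')."""
    parent, sep, hat = profile.partition("//")
    return parent, (hat if sep else None)

def summarize_denials(text):
    """Count DENIED records per (parent, hat, kind, operation, family, sock_type, mask)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue
        parent, hat = split_hat(rec.get("profile", ""))
        # A record with socket fields and no path name concerns a socket, not a file path.
        kind = "socket" if "family" in rec and "name" not in rec else "path"
        counts[(parent, hat, kind, rec.get("operation"), rec.get("family"),
                rec.get("sock_type"), rec.get("denied_mask"))] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE).items():
        print(n, key)
```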