
I need help to get my AppArmor profile of DNSCRYPT-PROXY to run

Hi!

DNSCRYPT-PROXY doesn't start when its AppArmor profile is activated in ENFORCE mode.

Error-message:

audit: type=1400 audit(1559114474.039:76): apparmor="DENIED" operation="exec" profile="/etc/dnscrypt-proxy/dnscrypt-proxy" name="/etc/dnscrypt-proxy/dnscrypt-proxy" pid=4033 comm="dnscrypt-proxy" requested_mask="x" denied_mask="x" fsuid=111 ouid=2000

[FATAL] Unable to reexecute [/etc/dnscrypt-proxy/dnscrypt-proxy]: [permission denied]

Check this:

#include <tunables/global>

/etc/dnscrypt-proxy/dnscrypt-proxy flags=(attach_disconnected) {

  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability chown,
  capability dac_override,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_resource,

  /etc/dnscrypt-proxy/** r,
  /etc/dnscrypt-proxy/dnscrypt-proxy mr,
  /etc/dnscrypt-proxy/dnscrypt-proxy.log rw,
  /etc/dnscrypt-proxy/public-resolvers.md rw,
  /etc/dnscrypt-proxy/public-resolvers.md.minisig rw,

  /run/systemd/notify rw,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  @{PROC}/sys/kernel/hostname r,
  @{PROC}/sys/net/core/somaxconn r,
  /etc/ld.so.cache r,
}

I can load this profile in ENFORCE mode, no errors.
But what must I edit to start dnscrypt-proxy with its AppArmor profile?

Hi GreenEarth

This can be sorted out as per: https://whonix.org/wiki/Support#Free_Support_Principle

Ubuntu has a great AppArmor guide that I've found to be helpful.

I would start by placing AppArmor in complain mode and go from there.


It looks like /etc/dnscrypt-proxy/dnscrypt-proxy needs to be executed, but AppArmor is blocking it.

Try adding /etc/dnscrypt-proxy/dnscrypt-proxy rix, to the profile.

If you still have errors, I’d recommend putting it into complain mode with aa-complain /etc/dnscrypt-proxy/dnscrypt-proxy and run aa-logprof /etc/dnscrypt-proxy/dnscrypt-proxy. This will show you all the files it tries to access and the permissions it needs.


Now it's working :) THANKS!

Working DNSCRYPT-PROXY profile:

#include <tunables/global>

/etc/dnscrypt-proxy/dnscrypt-proxy flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability chown,
  capability dac_override,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_resource,

  /run/systemd/notify rw,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  @{PROC}/sys/kernel/hostname r,
  @{PROC}/sys/net/core/somaxconn r,
  /etc/ld.so.cache r,
  /etc/dnscrypt-proxy/dnscrypt-proxy rix,
  /etc/dnscrypt-proxy/dnscrypt-proxy.toml r,

  /etc/dnscrypt-proxy/dnscrypt-proxy.log rw,

  /etc/dnscrypt-proxy/public-resolvers.md rw,
  /etc/dnscrypt-proxy/public-resolvers.md.minisig rw,
}

The dnscrypt-proxy AppArmor profile is not working again.

Now this AppArmor warning appears:

type=1400 audit(1559204668.183:78): apparmor="DENIED" operation="open" profile="/etc/dnscrypt-proxy/dnscrypt-proxy" name="/usr/local/ssl/certs/ca-certificates.crt" pid=5093 comm="dnscrypt-proxy" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=1400 audit(1559204668.183:79): apparmor="DENIED" operation="open" profile="/etc/dnscrypt-proxy/dnscrypt-proxy" name="/usr/local/ssl/certs/" pid=5093 comm="dnscrypt-proxy" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I added these lines to my profile, but the message appears again and again:

  /usr/local/ssl/certs/ca-certificates.crt r,
  /usr/local/ssl/certs/ r,

Which line must I add to get it to work?

Please help, thanks!

I found this in another forum.

I hope it works.

Added:

  /usr/local/ssl/certs/ r,
  /usr/local/ssl/certs/* r,

Now it's working fine without errors with this:

#include <tunables/global>

/etc/dnscrypt-proxy/dnscrypt-proxy flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability chown,
  capability dac_override,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_resource,

  /run/systemd/notify rw,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  @{PROC}/sys/kernel/hostname r,
  @{PROC}/sys/net/core/somaxconn r,
  /etc/ld.so.cache r,
  /etc/systemd/system/dnscrypt-proxy.service r,
  /etc/dnscrypt-proxy/dnscrypt-proxy rix,
  /etc/dnscrypt-proxy/dnscrypt-proxy.toml r,

  /etc/dnscrypt-proxy/dnscrypt-proxy.log rw,

  /etc/dnscrypt-proxy/*.tmp lrw,

  /etc/dnscrypt-proxy/public-resolvers.md rw,
  /etc/dnscrypt-proxy/public-resolvers.md.minisig rw,

  /usr/local/ssl/certs/ r,
  /usr/local/ssl/certs/* r,
}

-SOLVED-
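An added example, not code from the thread or from dnscrypt-proxy: a small Python parser that reads AppArmor audit lines like the ones posted above and collapses the DENIED events into candidate profile rules per path, so you can see exactly what was requested before deciding what to allow. The sample input reuses the three DENIED lines from this thread plus one constructed ALLOWED line (what complain mode logs) to show that it is skipped; the exec case is mapped to `rix` as in the accepted answer, never to an unconfined `ux`.

```python
import re

# Sample input: the three DENIED lines from the posts above, plus one constructed
# ALLOWED line (complain-mode style) that must not turn into a rule.
SAMPLE_AUDIT = """\
audit: type=1400 audit(1559114474.039:76): apparmor="DENIED" operation="exec" profile="/etc/dnscrypt-proxy/dnscrypt-proxy" name="/etc/dnscrypt-proxy/dnscrypt-proxy" pid=4033 comm="dnscrypt-proxy" requested_mask="x" denied_mask="x" fsuid=111 ouid=2000
type=1400 audit(1559204668.183:78): apparmor="DENIED" operation="open" profile="/etc/dnscrypt-proxy/dnscrypt-proxy" name="/usr/local/ssl/certs/ca-certificates.crt" pid=5093 comm="dnscrypt-proxy" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=1400 audit(1559204668.183:79): apparmor="DENIED" operation="open" profile="/etc/dnscrypt-proxy/dnscrypt-proxy" name="/usr/local/ssl/certs/" pid=5093 comm="dnscrypt-proxy" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=1400 audit(1559204668.183:80): apparmor="ALLOWED" operation="open" profile="/etc/dnscrypt-proxy/dnscrypt-proxy" name="/etc/dnscrypt-proxy/dnscrypt-proxy.toml" pid=5093 comm="dnscrypt-proxy" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted or a bare token
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit_line(line):
    """Split one AppArmor audit line into a dict of key=value fields, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def suggest_rules(audit_text):
    """Collapse DENIED events per (profile, path) into candidate profile rules.
    Returns {profile: [rule, ...]} sorted by path. This only reports what the
    process actually asked for; the admin still reviews each rule before adding it."""
    wanted = {}  # (profile, path) -> set of permission characters seen in denied_mask
    for line in audit_text.splitlines():
        ev = parse_audit_line(line)
        if ev.get("apparmor") != "DENIED" or "name" not in ev:
            continue  # ALLOWED (complain mode) and non-file events are not rules
        key = (ev["profile"], ev["name"])
        wanted.setdefault(key, set()).update(ev.get("denied_mask", ""))
    out = {}
    for (profile, path), perms in sorted(wanted.items()):
        mode = "".join(c for c in "rwlmk" if c in perms)
        if "x" in perms:
            # Exec: keep the child confined. For the self re-exec seen in the
            # [FATAL] case above the fix was rix; ix inherits this profile.
            mode = "r" + mode.lstrip("r") + "ix"
        out.setdefault(profile, []).append(f"{path} {mode},")
    return out

if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_AUDIT).items():
        print(f"# candidate rules to review for profile {profile}")
        for rule in rules:
            print("  " + rule)
```

Feed it the output of `journalctl -k` or `/var/log/audit/audit.log` after a run in complain mode; a directory denial (name ending in `/`) becomes a `dir/ r,` rule, which is why the thread's final profile also needed the separate `/usr/local/ssl/certs/* r,` for the files inside.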