change_hat() fails on access to new interface
In apparmor 3 we are getting
type=AVC msg=audit(1604246715.480:1941): apparmor="DENIED" operation="open" profile="/usr/sbin/httpd{,2}-prefork//HANDLING_UNTRUSTED_INPUT" name="/proc/1526/attr/apparmor/current" pid=1526 comm="httpd-prefork" requested_mask="w" denied_mask="w" fsuid=299 ouid=0
when apparmor is selecting the new interface to be used but permission to access it is not being granted to access it everywhere (specifically in some hats).
and some denied reads to the php script and the error page
[Sun Nov 01 17:05:11.393558 2020] [apparmor:warn] [pid 1523] (13)Permission denied: [client 127.0.0.1:41852] aa_change_hatv call failed
[Sun Nov 01 17:05:11.393614 2020] [apparmor:warn] [pid 1523] (13)Permission denied: [client 127.0.0.1:41852] aa_getcon call failed
[Sun Nov 01 17:05:11.394171 2020] [php7:warn] [pid 1523] [client 127.0.0.1:41852] PHP Warning: Unknown: failed to open stream: Permission denied in Unknown on line 0
[Sun Nov 01 17:05:11.394194 2020] [php7:error] [pid 1523] [client 127.0.0.1:41852] PHP Fatal error: Unknown: Failed opening required '/home/cb/public_html/pastesearch.php' (include_path='.:/usr/share/php7:/usr/share/php7/PEAR') in Unknown on line 0
[Sun Nov 01 17:05:11.394401 2020] [apparmor:error] [pid 1523] (13)Permission denied: [client 127.0.0.1:41852] Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
[Sun Nov 01 17:05:11.475049 2020] [apparmor:warn] [pid 1524] (13)Permission denied: [client 127.0.0.1:41866] aa_change_hatv call failed
[Sun Nov 01 17:05:11.475093 2020] [apparmor:warn] [pid 1524] (13)Permission denied: [client 127.0.0.1:41866] aa_getcon call failed
[Sun Nov 01 17:05:11.475153 2020] [apparmor:warn] [pid 1524] (13)Permission denied: [client 127.0.0.1:41866] aa_change_hatv call failed
[Sun Nov 01 17:05:11.475167 2020] [apparmor:warn] [pid 1524] (13)Permission denied: [client 127.0.0.1:41866] aa_getcon call failed
[Sun Nov 01 17:05:11.475186 2020] [negotiation:error] [pid 1524] (13)Permission denied: [client 127.0.0.1:41866] AH00683: cannot access type map file: /usr/share/apache2/error/HTTP_NOT_FOUND.html.var
[Sun Nov 01 17:05:11.475275 2020] [apparmor:error] [pid 1524] (13)Permission denied: [client 127.0.0.1:41866] Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
Edited by John Johansen