Bug 1137693

Summary: AppArmor 2.13.2-9.1 breaks root login from normal user session completely
Product: [openSUSE] openSUSE Tumbleweed Reporter: Simon Vogl <simon.vogl>
Component: AppArmorAssignee: Christian Boltz <suse-beta>
Status: RESOLVED DUPLICATE QA Contact: E-mail List <qa-bugs>
Severity: Enhancement    
Priority: P5 - None CC: simon.vogl, wbauer
Version: Current   
Target Milestone: ---   
Hardware: x86-64   
OS: openSUSE Factory   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Simon Vogl 2019-06-09 19:23:17 UTC 
When installing the AppArmor 2.13.2-9.1 update, sudo will not accept the root password, neither will pkexec (polkit1). This is a critical function failure and the only way to get the system back working is restoring BTRFS snapshots via GRUB.

-Logging into the root user via SDDM still works.
-the "su" command still works.

This bug must be resolved quickly as it renders the system completely unusable.
Comment 1 Christian Boltz 2019-06-09 21:51:33 UTC 
That would be surprising because AppArmor only restricts applications that have a profile in /etc/apparmor.d/ - and AFAIK neither sudo nor pkexec have a profile. Besides that, today's AppArmor update only changed a test that runs at build time, but the resulting package is still the same.

Are you really sure that AppArmor is causing the problems you see?

Please attach your /var/log/audit/audit.log - if AppArmor denies something, that file will contain the relevant "DENIED" lines for that.

However, my personal guess is that something else[tm] causes the problem you see. Which other packages came with today's update? (If in doubt, check or attach /var/log/zypp/history)
Comment 2 Simon Vogl 2019-06-10 09:12:30 UTC 
Sorry for the false bug report, I tested a bit deeper and when opting out of updating libgcrypt20 from 1.8.4-2.4 to 1.8.4-3.1 the system remains working perfectly fine even with the new apparmor packages. Nevertheless, libgcrypt20 1.8.4-3.1 is obviously broken, so should I report that seperatly?
Comment 3 Christian Boltz 2019-06-10 09:35:01 UTC 
Yes, please open a new bugreport for libgcrypt20 (and then close this one ;-)
Comment 4 Simon Vogl 2019-06-10 11:41:23 UTC 
Thanks , I'll do that.
Comment 5 Wolfgang Bauer 2019-06-11 09:46:29 UTC 
Do you have pam_kwallet installed?
It mmight be related to bug#1137716.
Comment 6 Simon Vogl 2019-06-11 19:48:12 UTC 
Yes, I do (also pam_kwallet).
Comment 7 Simon Vogl 2019-06-11 19:49:04 UTC 
However, its a libgcrypt20 issue for me. If libgcrypt20 is held back to 1.8.4-2.3 it works fine.
Comment 8 Wolfgang Bauer 2019-06-11 20:18:22 UTC 
(In reply to Simon Vogl from comment #7)
> However, its a libgcrypt20 issue for me. If libgcrypt20 is held back to
> 1.8.4-2.3 it works fine.
Yes, it's a regression in libgcrypt.

It apparently only causes problems with pam_kwallet installed though. (or maybe other PAM modules too? I don't know)

*** This bug has been marked as a duplicate of bug 1137716 ***