Bugzilla – Full Text Bug Listing

| Summary: | Removing apparmor pattern does not remove Apparmor as security module to be enabled and causes install to fail to start | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE Tumbleweed | Reporter: | Tony Jones <tonyj> |
| Component: | YaST2 | Assignee: | E-mail List <yast2-maintainers> |
| Status: | RESOLVED INVALID | QA Contact: | Jiri Srain <jsrain> |
| Severity: | Normal | ||
| Priority: | P5 - None | CC: | kanderssen, kukuk, tonyj |
| Version: | Current | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| Whiteboard: | |||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | /var/log/YaST2/yast-installation-logs.tar.xz, /usr/sbin/save_y2logs | ||

Description
Tony Jones
2024-01-04 20:14:44 UTC
Also previously when I removed the AppArmor pattern I noticed that AppArmor was still listed as the kernel module to be enabled. This was likely a bug but it didn't prevent the install. What is new here is the "The proposal contains an error that must be resolved before continuing".

(In reply to Tony Jones from comment #1)
> Also previously when I removed the AppArmor pattern I noticed that AppArmor
> was still listed as the kernel module to be enabled. This was likely a bug
> but it didn't prevent the install. What is new here is the "The proposal
> contains an error that must be resolved before continuing".

A pattern can only change the package list, it cannot change any configuration settings. For this we have "system roles". You need to reconfigure your system (I think with the security module) to disable AppArmor. That's nothing which is doable with patterns.

Yes, the expected way is to disable AppArmor in the security module, but the Installer obviously has a problem with two conflicting settings: First - the user removed (?) or maybe tabooed (?) everything related to AppArmor, while second - the security module is kept as "use AppArmor".

We would know more if we had YaST logs, see https://confluence.suse.com/display/YAST/How+to+Write+a+Good+Bug+Report for more details.

At the end the solution is more in the UX: The user should be informed about the problem in a way that it can solve it. Obviously, the final package selection is done by libzypp solver, but issues are reported by YaST. I'm not sure if the Security module could do it (because of "reasons", complicated), but maybe the software proposal could additionally check if software requested by other modules is not only available, but also free to be installed. Let's see when we have the logs (please).

Obviously, tabooing software in the package selection is an expert option, while changing the security profile is much simpler.

(In reply to Lukas Ocilka from comment #3)
> We would know more if we had YaST logs, see
> https://confluence.suse.com/display/YAST/How+to+Write+a+Good+Bug+Report for
> more details.

It's trivial to reproduce so I don't see this as particularly relevant. Also I didn't taboo the AppArmor option. I deselected it.

(In reply to Thorsten Kukuk from comment #2)
> A pattern can only change the package list, it cannot change any
> configuration settings. For this we have "system roles".
> You need to reconfigure your system (I think with the security module) to
> disable AppArmor.
> That's nothing which is doable with patterns.

I'm not objecting to AppArmor module not actually being disabled. The report is in regard to the fact that the installer reported "The proposal contains an error that must be resolved before continuing" without any indication of what the error was and refused to proceed.

Created attachment 871672
/var/log/YaST2/yast-installation-logs.tar.xz

(In reply to Lukas Ocilka from comment #3)
> Obviously, tabooing software in the package selection is an expert option,
> while changing the security profile is much simpler.

I don't believe I Taboo'd it. Rather just un-selected it, so the checkbox was empty.

Created attachment 871673
/usr/sbin/save_y2logs

This is like asking the car workshop to remove the wheels of your brand-new car and then complaining that it can't drive despite the most modern GPS unit you also got installed.

> 2024-01-04 12:03:14 <1> perf-vm-tj(4569) [Ruby]
> installation/proposal_runner.rb(format_sub_proposal):529
> proposal returns warning with level blocker and msg
> .
> These patterns need to be selected to install:
> "AppArmor" Please manually select the needed items to install.
How much more explicit do you need a message to be?

(In reply to Tony Jones from comment #0)
> In Tumbleweed Yast installer I deleted the apparmor pattern (software,
> patterns, disable).
>
> After doing this it pops up "In addition to your manual selections, the
> following packages have been changed to resolve dependencies:".
>
> I select OK and it's happy.
>
> Dialog "evaluating package selection pops up" and disappears without error.
>
>
> I then select "Install" and I get "Error: The proposal contains an error
> that must be resolved before continuing" but I can see no listed error
>
> If I go back into software and recommit I again get the same "In addition to
> your manual selections, the following packages have been changed to resolve
> dependencies:" and the same list of additional packages is presented as if
> it had not actually processed the previous time.
>
> Trying to install I again get the same "The proposal contains an error that
> must be resolved before continuing" but again I can see no listed error.
>
> This turned out to be the following: under security AppArmor was still
> listed as the security module to be enabled. Once I changed it to None, I
> was able to start the install.

This is basically the way to select which LSM should be used, it is basically defined in the control file as well as the patterns needed by each one.

https://github.com/yast/skelcd-control-openSUSE/blob/master/control/control.openSUSE.xml#L84

So, if you remove it manually it will complain. The software section only knows about needed package, patterns not about where to set them in the proposal and will make the implementation harder to maintain, of course we could show something in the security proposal section but currently it has very low priority as we have more urgent things to be implemented.

(In reply to Stefan Hundhammer from comment #11)
> How much more explicit do you need a message to be?

1. This message may be in the log but it was NOT presented on screen.
2. How about adopting a slightly different tone?

(In reply to Knut Alejandro Anderssen González from comment #12)
> So, if you remove it manually it will complain.

The point I am trying to make - seemingly unsuccessfully - is that there was no such complaint presented.

I was able to un-select the apparmor pattern (plus also enabling Kernel development pattern).

I was prompted "In addition to your manual selections, the following packages have been changed to resolve dependencies:".

I approved this and it completed without error.

Dialog "evaluating package selection" appeared and completed without error.

[all of the above is normal, I've done this on most previous installs and experienced the above]

However when I selected install I received "The proposal contains an error that must be resolved before continuing" but no indication was ever presented as to what the error was.

(In reply to Tony Jones from comment #14)
> (In reply to Knut Alejandro Anderssen González from comment #12)
>
> > So, if you remove it manually it will complain.
>
> The point I am trying to make - seemingly unsuccessfully - is that there was
> no such complaint presented.
>
> I was able to un-select the apparmor pattern (plus also enabling Kernel
> development pattern).
>
> I was prompted "In addition to your manual selections, the following
> packages have been changed to resolve dependencies:".
>
> I approved this and it completed without error.
>
> Dialog "evaluating package selection" appeared and completed without error.
>
> [all of the above is normal, I've done this on most previous installs and
> experienced the above]
>
> However when I selected install I received "The proposal contains an error
> that must be resolved before continuing" but no indication was ever
> presented as to what the error was.

Just for record... after some discussion on Slack we found that it is already reported in text mode but although in the Graphical UI it uses a red font color and it is highlighted it is not the case of text mode which means it could be overlooked.

https://github.com/openSUSE/agama/assets/7056681/d6762182-af50-43d0-9033-d9598417d9db
https://github.com/openSUSE/agama/assets/7056681/af50480a-fb85-4880-b364-031364072d6c

As commented, probably we could improve the current behavior showing also some error in the security section as well as trying to highlight it somehow in text mode but at least the error is reported and the better way to deselect it is using the Security Dialog.

BTW, any suggestion about changes to be made to the dialog or the UI are always welcomed.
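
Added example, not part of the bug report and not YaST code: when the installer only says "The proposal contains an error that must be resolved before continuing", the blocking sub-proposal can be recovered from the YaST log by looking for the "proposal returns warning with level blocker" record quoted in the thread above. The record layout is assumed from that single excerpt; the sample lines, the host name `vm` and the file `example/other.rb` are constructed.

```python
import re

# Record header as in the excerpt quoted in the thread:
# "DATE TIME <level> host(pid) [component] file(function):line message"
HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) <\d> "
    r"\S+\(\d+\) \[[^\]]+\] (?P<loc>\S+) ?(?P<msg>.*)$"
)
PROPOSAL = re.compile(
    r"proposal returns warning with level (\w+) and msg\s*(.*)", re.S
)

def records(lines):
    """Group physical lines into records; a line without a header continues the previous one."""
    current = None
    for line in lines:
        line = line.rstrip("\n")
        m = HEADER.match(line)
        if m:
            if current:
                yield current
            current = m.groupdict()
        elif current is not None:
            current["msg"] += "\n" + line
    if current:
        yield current

def blocking_proposals(lines):
    """Return (timestamp, location, message) for each blocker-level proposal warning."""
    hits = []
    for rec in records(lines):
        m = PROPOSAL.search(rec["msg"])
        if m and m.group(1) == "blocker":
            hits.append((rec["ts"], rec["loc"], " ".join(m.group(2).split())))
    return hits

# Constructed sample: the second record follows the excerpt quoted in the thread,
# the other two are made-up filler (file name and messages are hypothetical).
SAMPLE = """\
2024-01-04 12:03:10 <1> vm(4569) [Ruby] example/other.rb(run):10 proposal returns warning with level warning and msg
Constructed non-blocking notice.
2024-01-04 12:03:14 <1> vm(4569) [Ruby] installation/proposal_runner.rb(format_sub_proposal):529 proposal returns warning with level blocker and msg
These patterns need to be selected to install:
"AppArmor" Please manually select the needed items to install.
2024-01-04 12:03:15 <1> vm(4569) [Ruby] example/other.rb(run):12 constructed unrelated line
""".splitlines()

if __name__ == "__main__":
    for ts, loc, text in blocking_proposals(SAMPLE):
        print(f"{ts} {loc}: {text}")
```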