Bug 1219335

Summary: [AppArmor] AVC denials for zgrep
Product: [openSUSE] openSUSE Tumbleweed Reporter: Antonio Feijoo <antonio.feijoo>
Component: AppArmor Assignee: Christian Boltz <suse-beta>
Status: RESOLVED INVALID QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: ddiss
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Antonio Feijoo 2024-01-30 08:45:53 UTC
Default Tumbleweed installation with AppArmor and kernel 6.8-rc1 from https://build.opensuse.org/package/show/Kernel:HEAD/kernel-default, getting AVC denials using `zgrep`. It does not happen with kernel 6.6.9-1-default.

> localhost:/home/dev # uname -r
> 6.8.0-rc1-4.gc619505-default
> localhost:/home/dev # dracut -f --stdlog 3 test.img
> /usr/bin/zgrep: line 210: /usr/bin/grep: Permission denied
> /usr/bin/zgrep: line 280: /usr/bin/gzip: Permission denied
> /usr/bin/zgrep: line 295: /usr/bin/grep: Permission denied
> /usr/bin/zgrep: line 210: /usr/bin/grep: Permission denied
> /usr/bin/zgrep: line 280: /usr/bin/gzip: Permission denied
> /usr/bin/zgrep: line 295: /usr/bin/grep: Permission denied
> localhost:/home/dev # zgrep CONFIG_BTRFS /proc/config.gz 
> /bin/zgrep: line 210: /usr/bin/grep: Permission denied
> /bin/zgrep: line 280: /bin/gzip: Permission denied
> /bin/zgrep: line 295: /usr/bin/grep: Permission denied
> localhost:/home/dev # grep zgrep /var/log/audit/audit.log
> ...
> type=AVC msg=audit(1706603114.661:248): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=7356 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603114.661:249): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=7356 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603114.664:250): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/gzip" pid=7360 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603114.664:251): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/gzip" pid=7360 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603114.664:252): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=7361 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603114.664:253): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=7361 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603114.674:254): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=7368 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603114.674:255): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=7368 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603114.678:256): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/gzip" pid=7372 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603114.678:257): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/gzip" pid=7372 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603114.678:258): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=7373 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603114.678:259): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=7373 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603135.285:260): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=10315 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603135.285:261): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=10315 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603135.291:262): apparmor="DENIED" operation="capable" class="cap" profile="zgrep" pid=10317 comm="zgrep" capability=2  capname="dac_read_search"
> type=AVC msg=audit(1706603135.291:263): apparmor="DENIED" operation="capable" class="cap" profile="zgrep" pid=10317 comm="zgrep" capability=1  capname="dac_override"
> type=AVC msg=audit(1706603135.291:264): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/gzip" pid=10319 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603135.291:265): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/gzip" pid=10319 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603135.291:266): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=10320 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603135.291:267): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=10320 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
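
A triage helper for the audit records in the description above, as an added example that is not part of the original report: it parses AppArmor AVC lines and collapses repeats into one row per profile, class, target and denied mask. The function names are hypothetical, and the sample records are copied from the log above.

```python
import re
import shlex
from collections import Counter

# Four records copied from the report above (audit.log, kernel 6.8.0-rc1).
SAMPLE = '''\
type=AVC msg=audit(1706603135.285:260): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=10315 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1706603135.291:262): apparmor="DENIED" operation="capable" class="cap" profile="zgrep" pid=10317 comm="zgrep" capability=2  capname="dac_read_search"
type=AVC msg=audit(1706603135.291:264): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/gzip" pid=10319 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1706603135.291:265): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/gzip" pid=10319 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

HEADER = re.compile(r'^type=AVC msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')

def parse_avc(line):
    """Return the key=value fields of one AppArmor AVC record, or None."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    fields = {"time": float(m.group(1)), "serial": int(m.group(2))}
    # shlex strips the double quotes and tolerates the doubled spaces
    # that appear before capname= in capability records.
    for token in shlex.split(m.group(3)):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields if "apparmor" in fields else None

def summarize_denials(text):
    """Count DENIED records per (profile, class, target, denied mask)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if not rec or rec["apparmor"] != "DENIED":
            continue
        # File denials name a path; capability denials name a capability.
        target = rec.get("name") or rec.get("capname", "?")
        key = (rec.get("profile"), rec.get("class"), target,
               rec.get("denied_mask", "-"))
        counts[key] += 1
    return counts

if __name__ == "__main__":
    for (profile, cls, target, mask), n in sorted(summarize_denials(SAMPLE).items()):
        print(f"{n:3d}  profile={profile} class={cls} target={target} mask={mask}")
```

Running the same summary on audit logs from both kernels makes it easy to see whether the set of denied targets differs or only the enforcement result does.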

Comment 1 Antonio Feijoo 2024-02-06 13:09:26 UTC
Somehow this issue cannot be reproduced with 6.8.0-rc3-1.gae4495f-default, hence closing as invalid.