Bug 1219401

Summary: [Build 20240130] openssl packaging changes require apparmor profile update
Product: [openSUSE] openSUSE Tumbleweed Reporter: Dominique Leuenberger <dimstar>
Component: AppArmorAssignee: Christian Boltz <suse-beta>
Status: RESOLVED DUPLICATE QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: dimstar, otto.hollmann, suse-beta
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://openqa.opensuse.org/tests/3906242/modules/apache2_changehat/steps/115
Whiteboard:
Found By: openQA Services Priority:
Business Priority: Blocker: Yes
Marketing QA Status: --- IT Deployment: ---

Description Dominique Leuenberger 2024-01-31 10:13:19 UTC 
## Observation


type=AVC msg=audit(1706694192.948:964): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/httpd-prefork" name="/etc/ssl/engines3.d/" pid=16836 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1706694192.948:965): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/httpd-prefork" name="/etc/ssl/engdef3.d/" pid=16836 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SERVICE_START msg=audit(1706694192.955:966): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=apache2 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=BPF msg=audit(1706694217.958:967): prog-id=186 op=LOAD
type=BPF msg=audit(1706694217.958:968): prog-id=187 op=LOAD
type=BPF msg=audit(1706694217.958:969): prog-id=188 op=LOAD
type=SERVICE_START msg=audit(1706694218.088:970): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=systemd-timedated comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1706694248.192:971): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=systemd-timedated comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'


openQA test in scenario opensuse-Tumbleweed-DVD-x86_64-apparmor_profile@64bit fails in
[apache2_changehat](https://openqa.opensuse.org/tests/3906242/modules/apache2_changehat/steps/115)

## Test suite description
Maintained by QE Security


## Reproducible

Fails since (at least) Build [20240123](https://openqa.opensuse.org/tests/3888806)


## Expected result

Last good: [20240122](https://openqa.opensuse.org/tests/3886273) (or more recent)


## Further details

Always latest result in this scenario: [latest](https://openqa.opensuse.org/tests/latest?arch=x86_64&distri=opensuse&flavor=DVD&machine=64bit&test=apparmor_profile&version=Tumbleweed)
Comment 1 Dominique Leuenberger 2024-01-31 10:14:25 UTC 
Also seen

type=AVC msg=audit(1706695132.222:893): apparmor="DENIED" operation="open" class="file" profile="dovecot-pop3-login" name="/etc/ssl/engines3.d/" pid=13622 comm="pop3-login" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1706695132.222:894): apparmor="DENIED" operation="open" class="file" profile="dovecot-pop3-login" name="/etc/ssl/engdef3.d/" pid=13622 comm="pop3-login" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=USER_AUTH msg=audit(1706695136.349:895): pid=13625 uid=0 auid=4294967295 ses=4294967295 subj=dovecot-auth msg='op=PAM:authentication grantors=pam_gnome_keyring,pam_unix acct="recipient" exe="/usr/lib/dovecot/auth" hostname=::1 addr=::1 terminal=dovecot res=success'
type=USER_ACCT msg=audit(1706695136.349:896): pid=13625 uid=0 auid=4294967295 ses=4294967295 subj=dovecot-auth msg='op=PAM:accounting grantors=pam_unix acct="recipient" exe="/usr/lib/dovecot/auth" hostname=::1 addr=::1 terminal=dovecot res=success'
Comment 2 Stefan Hundhammer 2024-01-31 10:37:04 UTC 
> [sh @ balrog] ~ 2 % find /usr/share/apparmor -name "*ssh*"
> /usr/share/apparmor/extra-profiles/usr.sbin.sshd

> [sh @ balrog] ~ 3 % rpm -qf /usr/share/apparmor/extra-profiles/usr.sbin.sshd
> apparmor-profiles-3.0.4-150500.11.9.1.noarch

> [sh @ balrog] ~ 4 % osc maintainer -e apparmor-profiles
> Defined in package: security:apparmor/apparmor 
>   bugowner of apparmor-profiles : 
>    suse-beta@cboltz.de, rgoldwyn@suse.com
>   maintainer of apparmor-profiles : 
>   suse-beta@cboltz.de, rgoldwyn@suse.com
Comment 3 Dominique Leuenberger 2024-01-31 10:41:55 UTC 
(In reply to Stefan Hundhammer from comment #2)
> > [sh @ balrog] ~ 2 % find /usr/share/apparmor -name "*ssh*"
> > /usr/share/apparmor/extra-profiles/usr.sbin.sshd
> 
> > [sh @ balrog] ~ 3 % rpm -qf /usr/share/apparmor/extra-profiles/usr.sbin.sshd
> > apparmor-profiles-3.0.4-150500.11.9.1.noarch
> 
> > [sh @ balrog] ~ 4 % osc maintainer -e apparmor-profiles
> > Defined in package: security:apparmor/apparmor 
> >   bugowner of apparmor-profiles : 
> >    suse-beta@cboltz.de, rgoldwyn@suse.com
> >   maintainer of apparmor-profiles : 
> >   suse-beta@cboltz.de, rgoldwyn@suse.com

Dang.. sorry - I though I picked component AppArmor.. seems I ended up in AutoYast
Comment 4 Christian Boltz 2024-01-31 12:53:28 UTC 
Read access to the directory /etc/ssl/engines3.d/ looks like half of the story.

The other half is.
- Which files will live in this directory - certs, keys, or both?
- Is there a naming pattern for the files, or do we need to allow "*"?
Comment 5 Dominique Leuenberger 2024-01-31 13:36:38 UTC 
The spec file explains the new location like this:

- Added openssl-3-use-include-directive.patch so that the default
  /etc/ssl/openssl.cnf file will include any configuration files that
  other packages might place into /etc/ssl/engines3.d/ and
  /etc/ssl/engdef3.d/. Also create symbolic links /etc/ssl/engines.d/
  and /etc/ssl/engdef.d/ to above versioned directories.
- Updated spec file to create the two new necessary directores for
  the above patch and two symbolic links to above directories.
  [bsc#1194187, bsc#1207472, bsc#1218933]

The same exists for openssl 1.1

the config include says:

++# This include will look through the directory that will contain the
++# engine declarations for any engines provided by other packages.
++.include /etc/ssl/engines3.d
++
++# This include will look through the directory that will contain the
++# definitions of the engines declared in the engine section.
++.include /etc/ssl/engdef3.d

File names do not have to follow any particular pattern
Comment 6 Dominique Leuenberger 2024-01-31 13:38:37 UTC 
for reference, openssl 1.1 uses

 5+- Because OpenSSL 1.1.1 is no longer default, let's rename engine
 6+  directories to contain version of OpenSSL and let unversioned for
 7+  the default OpenSSL. [bsc#1194187, bsc#1207472, bsc#1218933]
 8+  * /etc/ssl/engines.d ->  /etc/ssl/engines1_1.d
 9+  * /etc/ssl/engdef.d -> /etc/ssl/engdef1_1.d
Comment 7 Christian Boltz 2024-02-16 20:24:24 UTC 
Thanks for all the details.

In the meantime, I got another report for the same denials - and just accepted the SR with the fix.

*** This bug has been marked as a duplicate of bug 1219571 ***