Bugzilla – Full Text Bug Listing

| Summary: | /lib/apparmor/rc.apparmor.functions: line 435: echo: write error: No such file or directory | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE 11.4 | Reporter: | Christian Boltz <suse-beta> |
| Component: | AppArmor | Assignee: | Jeff Mahoney <jeffm> |
| Status: | VERIFIED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | ||
| Priority: | P5 - None | CC: | aj, ast, avm-xandry |
| Version: | Factory | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | openSUSE 11.1 | ||
| Whiteboard: | . | ||
| Found By: | Beta-Customer | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Deadline: | 2010-12-31 | ||
Description
Christian Boltz
2009-06-06 11:51:24 UTC
Do you recall if that happened every time or just occasionally? The only way that can happen is if /sys/kernel/security/apparmor isn't mounted. I just tested this on three 11.1 servers - two (always) show the error message on a "rcapparmor restart", the other never does (tested 5 times on each server to be sure it happens every time).
/sys/kernel/security is mounted on all servers - this probably means there _is_ another way that causes this error message ;-)
Thinking about it, the two servers that show the error message share nearly the same set of profiles. I just added some debugging code and found out it only happens on my /usr/lib/postfix/local profile.
/usr/lib/postfix/local {
  #include <abstractions/base>
  [...]
  profile "^/usr/lib/postfix/local " {
    /usr/lib/mailman/mail/mailman Px,
  }
}
Needless to say that this sub-profile looks a bit strange. I especially wonder about the space at the end of the name. (The question why this sub-profile exists at all is another issue, but I have no idea about this.)
After running "rcapparmor stop", the strange subprofile is still loaded:
# cat /sys/kernel/security/apparmor/profiles
/usr/lib/postfix/local//^/usr/lib/postfix/local (enforce)
The script echoes "/usr/lib/postfix/local//^/usr/lib/postfix/local" (without space!) to /sys/kernel/security/apparmor/.remove
I just verified that this really causes the error message by removing the sub-profile and calling
echo -n '/usr/lib/postfix/local//^/usr/lib/postfix/local ' > /sys/kernel/security/apparmor/.remove
Now rcapparmor restart works without the error message.
-> the space must be lost somewhere - maybe there's variable quoting missing somewhere in the script.
some more debugging: the file $MODULE_PLIST contains the space. This means the space must be lost in this line:
sort "$PNAMES_LIST" | comm -2 -3 "$MODULE_PLIST" - | while read profile ; do
comm worked fine on some test files, therefore I googled for "bash read space" and found http://dbaspot.com/forums/shell/372688-bash-read-string-preceding-trailing-space-oddity.html
The solution is to unset $IFS in /lib/apparmor/rc.apparmor.functions line 434:
- sort "$PNAMES_LIST" | comm -2 -3 "$MODULE_PLIST" - | while read profile ; do + sort "$PNAMES_LIST" | comm -2 -3 "$MODULE_PLIST" - | while IFS= read profile ; do # ignore the line break in bugzilla
Please apply this fix to the rc.apparmor.functions script.

BTW: You'll get the "No such file or directory" message if you try to remove a profile that is not loaded (or doesn't exist). Try yourself:
echo '/does/not_exist' > /sys/kernel/security/apparmor/.remove

Great! Thanks for the debugging effort. I'll work this into the package tomorrow morning.

I've committed this fix to the security:apparmor:factory and will backport the fix to the various products later tonight.

I've submitted fixes for SLE11 SP1 and openSUSE 11.2. openSUSE 11.1 is out of scope.

Anja, I have three fixes queued up for apparmor-parser. SR 34867

ok, be so kind and submit a patchinfo for 11.2; swampID: 32010

The SWAMPID for this issue is 32010. Please submit the patch and patchinfo file using this ID. (https://swamp.suse.de/webswamp/wf/32010)

Update released for: apparmor-parser, apparmor-parser-debuginfo, apparmor-parser-debugsource, apparmor-utils
Products: openSUSE 11.2 (debug, i586, x86_64)

Unfortunately this fix was lost again in 11.3 :-( An update just for this would be exaggerated, but you should include it if you ever release an update for apparmor-parser on 11.3. More important: The 2.5.1 packages in security:apparmor also miss this fix - please apply the fix from comment #3 there!
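
Review bot: on the `+` line of the description's patch, `while IFS= read profile` still calls `read` without `-r`, so a backslash in a profile name would be treated as an escape character and dropped, the same kind of silent name change this patch fixes for trailing spaces; suggest `while IFS= read -r profile ; do`. The trailing `# ignore the line break in bugzilla` remark sits on the patch line itself and is easy to copy into the script together with it, so it would be better placed in the surrounding comment text.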
I replaced line 434 of /lib/apparmor/rc.apparmor.functions with
+ sort "$PNAMES_LIST" | comm -2 -3 "$MODULE_PLIST" - | while IFS= read profile ; do # ignore the line break in bugzilla
but now I see a new error:
> sudo /etc/init.d/boot.apparmor start
/lib/apparmor/rc.apparmor.functions: line 439: syntax error near unexpected token `;'
/lib/apparmor/rc.apparmor.functions: line 439: ` ; do # ignore the line break in bugzilla'
/lib/apparmor/rc.apparmor.functions: line 345: configure_owlsm: command not found
Loading AppArmor profiles done done
What's wrong?
P.S.: openSUSE 11.3
> susepaste /lib/apparmor/rc.apparmor.functions
Pasted as: http://susepaste.org/57531528

(In reply to comment #11)
> I replaced line 434 of /lib/apparmor/rc.apparmor.functions with
> + sort "$PNAMES_LIST" | comm -2 -3 "$MODULE_PLIST" - | while IFS= read profile > ; do # ignore the line break in bugzilla
>
> but now I see a new error:
...
> What's wrong?
The line has to be:
sort "$PNAMES_LIST" | comm -2 -3 "$MODULE_PLIST" - | while IFS= read profile ; do
It looks like you did something wrong, maybe you added a linebreak in front of the ";" or you accidentally included the "+" when copying the line.
> http://susepaste.org/57531528
gives me a "404 not found" :-(

(In reply to comment #12)
You are right. Thanks.
>> http://susepaste.org/57531528
> gives me a "404 not found" :-(
Yeah, me too. :)

Ok, thanks for the update. I've fixed this in the apparmor package in security:apparmor:factory and in the apparmor-parser package for openSUSE 11.3. I'll submit it to maintenance after I check to see if there are any other pending apparmor-parser reports for 11.3.

openSUSE 11.3 SR 54281

looks good +1

The SWAMPID for this issue is 37584. This issue was rated as low. Please submit fixed packages until 2010-12-31. Also create a patchinfo file using this link: https://swamp.suse.de/webswamp/wf/37584

update started ... be so kind and add a patchinfo.

Looks like this was released w/o a patch info.

Sorry for dragging my feet on that.

VERIFIED on 11.3

VERIFIED in apparmor-parser-2.5.1 from security:apparmor - which hopefully arrives in Factory soon (I've seen the mail about the pending SR on opensuse-factory)

This is an autogenerated message for OBS integration:
This bug (510740) was mentioned in
https://build.opensuse.org/request/show/34867 11.2:Test / apparmor-parser
https://build.opensuse.org/request/show/54281 11.3:Test / apparmor-parser
https://build.opensuse.org/request/show/57759 11.2:Test / apparmor-parser
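
The trailing-space loss diagnosed in this bug, reproduced as an added example (not code from rc.apparmor.functions or from the reporters). The temporary files, the `/usr/sbin/ntpd` entry and the `fake_remove` stand-in for the kernel's `.remove` interface are constructed assumptions, and `-r` goes beyond the fix posted in the bug.

```shell
#!/bin/sh
# Added example: all names and data below are constructed for illustration.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Stand-in for $MODULE_PLIST: profiles the kernel reports as loaded.
# The hat sub-profile name ends in a space, as in the report.
printf '%s\n' \
    '/usr/lib/postfix/local' \
    '/usr/lib/postfix/local//^/usr/lib/postfix/local ' \
    '/usr/sbin/ntpd' | LC_ALL=C sort > "$workdir/loaded"

# Stand-in for $PNAMES_LIST: profiles that should stay loaded.
printf '%s\n' '/usr/sbin/ntpd' '/usr/lib/postfix/local' > "$workdir/wanted"

# Same pipeline shape as the script: names loaded but no longer wanted.
stale_profiles() {
    LC_ALL=C sort "$workdir/wanted" | LC_ALL=C comm -2 -3 "$workdir/loaded" -
}

# Hypothetical stand-in for writing to .remove: exact-name match or failure.
fake_remove() {
    if grep -Fxq -- "$1" "$workdir/loaded"; then
        echo "removed"
    else
        echo "write error: No such file or directory"
    fi
}

# Original loop: default IFS makes read strip the trailing space.
remove_with_default_read() {
    stale_profiles | while read profile ; do fake_remove "$profile" ; done
}

# Fixed loop: empty IFS keeps whitespace; -r (added here) keeps backslashes.
remove_with_fixed_read() {
    stale_profiles | while IFS= read -r profile ; do fake_remove "$profile" ; done
}

echo "default read: $(remove_with_default_read)"
echo "IFS= read -r: $(remove_with_fixed_read)"
```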