Bugzilla – Full Text Bug Listing
| Summary: | logprof/genprof don't work - changed audit.log format | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE 11.4 | Reporter: | Christian Boltz <suse-beta> |
| Component: | AppArmor | Assignee: | Jeff Mahoney <jeffm> |
| Status: | VERIFIED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Critical | ||
| Priority: | P2 - High | CC: | asn, bitdealer, meissner, mike |
| Version: | Factory | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | All | ||
| Whiteboard: | maint:released:11.2:28194 maint:released:11.2:40137 maint:released:11.3:40158 maint:released:sle11-sp1:40948 | ||
| Found By: | Beta-Customer | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
Christian Boltz
2009-10-13 19:29:06 UTC
Ok, new test packages for you. These include the fix from bnc#540525, though I suppose that's obvious since there wouldn't be a lot of testing to do with a genprof that crashed again. ;)
http://ftp.suse.com/pub/people/jeffm/suse/testpkgs/546618

Thanks for the test packages. They fix at least read and write permissions, but execute permissions are still not seen by genprof and logprof.
I'm generating a profile for this testscript:
    #!/bin/bash
    echo "Hello World!" > /tmp/hello.txt
    cat /tmp/hello.txt
    rm /tmp/hello.txt
This is the resulting profile after a genprof run:
(Note: I have a symlink /tmp -> /home/sys-tmp)
    #include <tunables/global>
    /home/cb/linuxtag/scripts/hello {
      #include <abstractions/base>
      #include <abstractions/bash>
      /bin/bash ix,
      owner /home/cb/linuxtag/scripts/hello r,
      owner /home/sys-tmp/hello.txt w,
      ^null-3d {
        #include <abstractions/base>
        owner /home/sys-tmp/hello.txt r,
      }
      ^null-3f {
        #include <abstractions/base>
      }
    }
Issues with this profile:
- no execute permissions for rm and cat
- the null-* hats are strange and get different names with each run of the
script. This means the audit.log is spammed and logprof will ask to create
lots of hats (two per script run). It probably also means that the script
will get a "permission denied" because of a missing ^null-$RANDOM hat -
however I can't test this because of the missing execute permissions for cat
and rm
- no permissions for /dev/tty and /dev/pts/* (aka abstractions/consoles)
This is how the profile should look (hand-written, doesn't cause any audit.log entries):
    #include <tunables/global>
    /home/cb/linuxtag/scripts/hello {
      #include <abstractions/base>
      #include <abstractions/bash>
      #include <abstractions/consoles>   # added
      /bin/bash ix,
      /bin/cat ix,   # added
      /bin/rm ix,    # added
      owner /home/cb/linuxtag/scripts/hello r,
      owner /home/sys-tmp/hello.txt rw,   # merged with permissions from hats
      # all null-* hats removed
    }
To speed up testing, please consider testing genprof with my little testscript until you get a profile which doesn't cause audit.log entries anymore.
Of course I'm willing to do more tests if needed, but I guess that testing with my script is faster than uploading test packages ;-)
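
The hand merge described in this report (dropping the `^null-*` hats, folding their file rules into the parent profile, and spotting the missing exec rules) can be checked mechanically. This is an added example, not code from the report or from the AppArmor tools; the function names and the simplified rule regex are assumptions, and the embedded input is the generated profile quoted above.

```python
import re

# Constructed input: the genprof-generated profile quoted in the report.
GENERATED = """\
#include <tunables/global>
/home/cb/linuxtag/scripts/hello {
  #include <abstractions/base>
  #include <abstractions/bash>
  /bin/bash ix,
  owner /home/cb/linuxtag/scripts/hello r,
  owner /home/sys-tmp/hello.txt w,
  ^null-3d {
    #include <abstractions/base>
    owner /home/sys-tmp/hello.txt r,
  }
  ^null-3f {
    #include <abstractions/base>
  }
}
"""

RULE = re.compile(r"^(owner\s+)?(/\S+)\s+([A-Za-z]+),")  # simplified file rule (assumption)

def fold_null_hats(text):
    """Return (null hat names, {(owner, path): perms}) with null-* hat rules merged into the parent."""
    hats, rules, stack = [], {}, []
    for line in map(str.strip, text.splitlines()):
        if line.endswith("{"):
            name = line[:-1].strip()
            stack.append("null" if name.startswith("^null-") else
                         "hat" if name.startswith("^") else "profile")
            if stack[-1] == "null":
                hats.append(name[1:])
        elif line == "}":
            stack.pop()
        elif (m := RULE.match(line)) and "hat" not in stack:  # real hats are left alone
            access, execs = rules.setdefault((bool(m[1]), m[2]), (set(), set()))
            perms = m[3]
            access.update(c for c in perms if c in "rwalkm")
            if "x" in perms:  # exec mode such as ix/px/ux is kept as one unit
                execs.add("".join(c for c in perms if c not in "rwalkm"))
    merged = {k: "".join(c for c in "rwalkm" if c in a) + "".join(sorted(e))
              for k, (a, e) in rules.items()}
    return hats, merged

def missing_exec(merged, binaries):
    """Binaries the confined script runs that have no exec rule in the merged profile."""
    return [b for b in binaries
            if not any(p == b and "x" in perms for (_, p), perms in merged.items())]
```
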
*ping* Jeff, any news on the apparmor tools?

No, not yet. I thought I updated this report, but I must've closed my browser without saving. I'm able to reproduce the problem - with loads of those null subprofiles, but I haven't had time to track it down yet.

Update released for: libapparmor1
Products: openSUSE 11.2 (debug, i586, x86_64)

Jeff, any news on the apparmor tools?

Sorry, no. I'm pretty far behind on bug triage and kernel bugs.

Bump :D Sorry to pester you Jeff, but is there anything new regarding that subject?

This is still valid for 11.3 and 11.4.

I expect this to be fixed for 11.4 with the AppArmor 2.5 update. I'm still working out all the kinks on getting it to build from one package, as it needs libtool to link internally and Perl MakeMaker can be a pain to combine with it.

(In reply to comment #10)
> I expect this to be fixed for 11.4 with the AppArmor 2.5 update.

Good to hear this :-)

BTW: The GPG key of the security:apparmor:factory repo is expired. You should be able to extend it with
    osc signkey --extend

Just FYI: I upgraded to the 2.5.1 packages [1] on my 11.3 system, and ran genprof for the test script in comment #2. Good news: the resulting profile looks exactly as it should and it even works :-)
I'm looking forward to having 2.5.1 in Factory, and I'd propose to release the new version as online update for 11.2 and 11.3. (Yes, I know version updates shouldn't happen via online update, but I think this one would be worth an exception.)

[1] I updated only some apparmor packages for now.
updated to 2.5: apparmor-utils, apparmor-parser, perl-apparmor, libapparmor1
still on 2.3: pam_apparmor, apparmor-profiles, pam_apparmor-32bit, libapparmor1-32bit, apparmor-docs

Ok, this is essentially fixed for factory -- but is still awaiting the package checkin. I'll revisit once that's done.

The package has been checked in and one more issue with logprof/genprof has been addressed. Closing as FIXED.

Verified, thanks for working on the AppArmor update!

FYI: I opened bug 668311 to request a maintenance update for 11.3 (and maybe also 11.2, not sure if it has the same problem).

*** Bug 685833 has been marked as a duplicate of this bug. ***

This is an autogenerated message for OBS integration:
This bug (546618) was mentioned in
https://build.opensuse.org/request/show/66428
https://build.opensuse.org/request/show/66453

Update released for: apparmor-utils
Products: openSUSE 11.2 (i586)

Update released for: apparmor-utils
Products: openSUSE 11.3 (i586)

Update released for: apparmor-parser, apparmor-parser-debuginfo, apparmor-parser-debugsource, apparmor-profiles, apparmor-utils, libapparmor-devel, libapparmor1, libapparmor1-32bit, libapparmor1-debuginfo, libapparmor1-debuginfo-32bit, libapparmor1-debuginfo-x86, libapparmor1-debugsource, libapparmor1-x86, perl-libapparmor
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)