Bug 1211766 - [Build 20230526] apache2_changehat: denied signals in log detected
Status: RESOLVED FIXED
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: AppArmor
Version: Current
Hardware: Other Other
Importance: P5 - None : Normal
Target Milestone: ---
Assignee: Christian Boltz
QA Contact: E-mail List
URL: https://openqa.opensuse.org/tests/331...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-05-27 13:42 UTC by Dominique Leuenberger
Modified: 2023-06-11 14:17 UTC

See Also:
Found By: openQA
Services Priority:
Business Priority:
Blocker: Yes
Marketing QA Status: ---
IT Deployment: ---


Description Dominique Leuenberger 2023-05-27 13:42:41 UTC
## Observation

```
type=AVC msg=audit(1685188571.452:999): apparmor="DENIED" operation="signal" class="signal" profile="/usr/sbin/httpd-prefork" pid=6580 comm="httpd-prefork" requested_mask="send" denied_mask="send" signal=winch peer="unconfined"
type=SYSCALL msg=audit(1685188571.452:999): arch=c000003e syscall=62 success=no exit=-13 a0=1933 a1=1c a2=0 a3=558e968241d0 items=0 ppid=1 pid=6580 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd-prefork" exe="/usr/sbin/httpd-prefork" subj=/usr/sbin/httpd-prefork key=(null)
type=PROCTITLE msg=audit(1685188571.452:999): proctitle=2F7573722F7362696E2F68747470642D707265666F726B002D44535953434F4E464947002D430050696446696C65202F72756E2F68747470642E706964002D4300496E636C756465202F6574632F617061636865322F737973636F6E6669672E642F2F6C6F61646D6F64756C652E636F6E66002D4300496E636C756465202F65
type=SERVICE_STOP msg=audit(1685188571.568:1000): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=apache2 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=SERVICE_START msg=audit(1685188571.636:1001): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=apache2 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
```


openQA test in scenario opensuse-Tumbleweed-DVD-x86_64-apparmor_profile@64bit fails in
[apache2_changehat](https://openqa.opensuse.org/tests/3319628/modules/apache2_changehat/steps/114)

## Test suite description
Maintained by QE Security


## Reproducible

Fails since (at least) Build [20230526](https://openqa.opensuse.org/tests/3319104)


## Expected result

Last good: [20230525](https://openqa.opensuse.org/tests/3318288) (or more recent)


## Further details

Always latest result in this scenario: [latest](https://openqa.opensuse.org/tests/latest?arch=x86_64&distri=opensuse&flavor=DVD&machine=64bit&test=apparmor_profile&version=Tumbleweed)
Comment 1 Christian Boltz 2023-05-27 15:00:20 UTC
peer="unconfined" is interesting[tm] - but this doesn't look like a reason to block the Tumbleweed release.
Comment 2 Christian Boltz 2023-05-27 15:29:57 UTC
This became visible because the openQA change 0b74a670e4a23cf90495373b50b8d0f320545afb made it visible for Tumbleweed - before, it only caused a softfailure (boo 1191684) which nobody cared about.

My current theory is that the test first starts an unconfined apache, then loads the profile - and the next apache restart then sends a signal to its unconfined predecessor.

(signal winch is a bit strange, but...)
Comment 3 Christian Boltz 2023-05-28 22:45:43 UTC
https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/17167 will fix this.

As you can see in the PR, my theory from comment 2 was correct :-)


For completeness: the WINCH signal is indeed used by Apache for graceful shutdown, see https://httpd.apache.org/docs/2.4/en/stopping.html#gracefulstop
Comment 4 Christian Boltz 2023-06-11 14:17:46 UTC
PR was accepted, and openQA is green since then.
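
Added example (not part of the bug report or the openQA test code): a small triage script for audit records like the ones in the description. It joins each AppArmor signal denial with the SYSCALL and PROCTITLE records of the same event to show the peer label from comment 2, the target PID and the signal number. The function names and the shortened sample are assumptions made for this illustration.

```python
import re

# Constructed sample: shortened copies of the description's audit records.
SAMPLE = """\
type=AVC msg=audit(1685188571.452:999): apparmor="DENIED" operation="signal" class="signal" profile="/usr/sbin/httpd-prefork" pid=6580 comm="httpd-prefork" requested_mask="send" denied_mask="send" signal=winch peer="unconfined"
type=SYSCALL msg=audit(1685188571.452:999): arch=c000003e syscall=62 success=no exit=-13 a0=1933 a1=1c a2=0 pid=6580 comm="httpd-prefork"
type=PROCTITLE msg=audit(1685188571.452:999): proctitle=2F7573722F7362696E2F68747470642D707265666F726B002D44535953434F4E464947
type=SERVICE_STOP msg=audit(1685188571.568:1000): pid=1 uid=0 subj=unconfined msg='unit=apache2 res=failed'
"""
EVENT = re.compile(r'^type=(\S+) msg=audit\(([\d.]+:\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(text):
    """Group records by event id (timestamp:serial) -> {record type: fields}."""
    events = {}
    for line in text.splitlines():
        m = EVENT.match(line)
        if m:
            rtype, eid, rest = m.groups()
            fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
            events.setdefault(eid, {})[rtype] = fields
    return events

def denied_signals(text):
    """Summarise each AppArmor signal denial, joined with its sibling records."""
    out = []
    for eid, recs in parse(text).items():
        avc = recs.get('AVC', {})
        if avc.get('apparmor') != 'DENIED' or avc.get('operation') != 'signal':
            continue
        row = {'event': eid, 'profile': avc.get('profile'),
               'signal': avc.get('signal'), 'peer': avc.get('peer')}
        sc = recs.get('SYSCALL', {})
        if sc.get('arch') == 'c000003e' and sc.get('syscall') == '62':
            # x86_64 kill(pid, sig); audit prints a0/a1 in hex
            row['target_pid'] = int(sc['a0'], 16)
            row['signum'] = int(sc['a1'], 16)  # 28 is SIGWINCH on x86_64 Linux
        title = recs.get('PROCTITLE', {}).get('proctitle')
        if title:
            try:  # hex-encoded argv, NUL-separated; plain text if not hex
                title = bytes.fromhex(title).decode(errors='replace')
            except ValueError:
                pass
            row['argv'] = title.split('\0')
        out.append(row)
    return out

if __name__ == '__main__':
    print(denied_signals(SAMPLE))
```

For the record above, the SYSCALL arguments decode to kill(6451, 28), which matches signal=winch in the AVC line, and exit=-13 is the EACCES returned to the confined sender.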