Bug 1219335 - [AppArmor] AVC denials for zgrep
Summary: [AppArmor] AVC denials for zgrep
Status: RESOLVED INVALID
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: AppArmor
Version: Current
Hardware: Other Other
Priority: P5 - None; Severity: Normal
Assignee: Christian Boltz
QA Contact: E-mail List
Reported: 2024-01-30 08:45 UTC by Antonio Feijoo
Modified: 2024-02-06 13:09 UTC

Description Antonio Feijoo 2024-01-30 08:45:53 UTC
Default Tumbleweed installation with AppArmor and kernel 6.8-rc1 from https://build.opensuse.org/package/show/Kernel:HEAD/kernel-default, getting AVC denials using `zgrep`. It does not happen with kernel 6.6.9-1-default.

> localhost:/home/dev # uname -r
> 6.8.0-rc1-4.gc619505-default
> localhost:/home/dev # dracut -f --stdlog 3 test.img
> /usr/bin/zgrep: line 210: /usr/bin/grep: Permission denied
> /usr/bin/zgrep: line 280: /usr/bin/gzip: Permission denied
> /usr/bin/zgrep: line 295: /usr/bin/grep: Permission denied
> /usr/bin/zgrep: line 210: /usr/bin/grep: Permission denied
> /usr/bin/zgrep: line 280: /usr/bin/gzip: Permission denied
> /usr/bin/zgrep: line 295: /usr/bin/grep: Permission denied
> localhost:/home/dev # zgrep CONFIG_BTRFS /proc/config.gz 
> /bin/zgrep: line 210: /usr/bin/grep: Permission denied
> /bin/zgrep: line 280: /bin/gzip: Permission denied
> /bin/zgrep: line 295: /usr/bin/grep: Permission denied
> localhost:/home/dev # grep zgrep /var/log/audit/audit.log
> ...
> type=AVC msg=audit(1706603114.661:248): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=7356 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603114.661:249): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=7356 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603114.664:250): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/gzip" pid=7360 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603114.664:251): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/gzip" pid=7360 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603114.664:252): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=7361 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603114.664:253): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=7361 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603114.674:254): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=7368 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603114.674:255): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=7368 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603114.678:256): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/gzip" pid=7372 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603114.678:257): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/gzip" pid=7372 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603114.678:258): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=7373 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603114.678:259): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=7373 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603135.285:260): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=10315 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603135.285:261): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=10315 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603135.291:262): apparmor="DENIED" operation="capable" class="cap" profile="zgrep" pid=10317 comm="zgrep" capability=2  capname="dac_read_search"
> type=AVC msg=audit(1706603135.291:263): apparmor="DENIED" operation="capable" class="cap" profile="zgrep" pid=10317 comm="zgrep" capability=1  capname="dac_override"
> type=AVC msg=audit(1706603135.291:264): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/gzip" pid=10319 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603135.291:265): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/gzip" pid=10319 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603135.291:266): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=10320 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1706603135.291:267): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=10320 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Comment 1 Antonio Feijoo 2024-02-06 13:09:26 UTC
Somehow this issue cannot be reproduced with 6.8.0-rc3-1.gae4495f-default, hence closing as invalid.
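
Added example, not part of the bug report: a small triage helper that collapses repeated AppArmor `DENIED` records like the ones in the description into one row per (profile, operation, target, mask), which makes it easy to compare the denial set between two kernels. The function names and the `SAMPLE` text are assumptions made for this illustration; the sample reuses three records in the format of the excerpt above plus one constructed non-AVC line.

```python
import re
from collections import Counter

# Constructed sample in the format of the audit.log excerpt above.
# The last line is a constructed non-AVC record that must be ignored.
SAMPLE = '''\
type=AVC msg=audit(1706603135.285:260): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=10315 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1706603135.285:261): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=10315 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1706603135.291:262): apparmor="DENIED" operation="capable" class="cap" profile="zgrep" pid=10317 comm="zgrep" capability=2  capname="dac_read_search"
type=SYSCALL msg=audit(1706603135.291:262): arch=c000003e syscall=257 success=no
'''

# key="quoted value" or key=bare_value
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return the key=value fields of one AppArmor DENIED record, else None."""
    fields = {k: quoted or bare for k, quoted, bare in KV.findall(line)}
    if fields.get("type") != "AVC" or fields.get("apparmor") != "DENIED":
        return None
    return fields


def summarize(log_text):
    """Count denials per (profile, operation, target, denied_mask)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_avc(line)
        if f is None:
            continue
        # File denials carry name= and denied_mask=; capability denials
        # carry capname= and no mask.
        target = f.get("name") or "capability:" + f.get("capname", "?")
        key = (f.get("profile", "?"), f.get("operation", "?"),
               target, f.get("denied_mask", "-"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (profile, op, target, mask), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  profile={profile} op={op} target={target} mask={mask}")
```

Running `summarize()` over the audit log captured under each kernel and diffing the two results shows which denials appear only on one of them.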