Bugzilla – Bug 1219401
[Build 20240130] openssl packaging changes require apparmor profile update
Last modified: 2024-02-16 20:24:24 UTC
## Observation

```
type=AVC msg=audit(1706694192.948:964): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/httpd-prefork" name="/etc/ssl/engines3.d/" pid=16836 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1706694192.948:965): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/httpd-prefork" name="/etc/ssl/engdef3.d/" pid=16836 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SERVICE_START msg=audit(1706694192.955:966): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=apache2 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=BPF msg=audit(1706694217.958:967): prog-id=186 op=LOAD
type=BPF msg=audit(1706694217.958:968): prog-id=187 op=LOAD
type=BPF msg=audit(1706694217.958:969): prog-id=188 op=LOAD
type=SERVICE_START msg=audit(1706694218.088:970): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=systemd-timedated comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1706694248.192:971): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=systemd-timedated comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
```

openQA test in scenario opensuse-Tumbleweed-DVD-x86_64-apparmor_profile@64bit fails in [apache2_changehat](https://openqa.opensuse.org/tests/3906242/modules/apache2_changehat/steps/115)

## Test suite description

Maintained by QE Security

## Reproducible

Fails since (at least) Build [20240123](https://openqa.opensuse.org/tests/3888806)

## Expected result

Last good: [20240122](https://openqa.opensuse.org/tests/3886273) (or more recent)

## Further details

Always latest result in this scenario: [latest](https://openqa.opensuse.org/tests/latest?arch=x86_64&distri=opensuse&flavor=DVD&machine=64bit&test=apparmor_profile&version=Tumbleweed)
Also seen:

```
type=AVC msg=audit(1706695132.222:893): apparmor="DENIED" operation="open" class="file" profile="dovecot-pop3-login" name="/etc/ssl/engines3.d/" pid=13622 comm="pop3-login" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1706695132.222:894): apparmor="DENIED" operation="open" class="file" profile="dovecot-pop3-login" name="/etc/ssl/engdef3.d/" pid=13622 comm="pop3-login" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=USER_AUTH msg=audit(1706695136.349:895): pid=13625 uid=0 auid=4294967295 ses=4294967295 subj=dovecot-auth msg='op=PAM:authentication grantors=pam_gnome_keyring,pam_unix acct="recipient" exe="/usr/lib/dovecot/auth" hostname=::1 addr=::1 terminal=dovecot res=success'
type=USER_ACCT msg=audit(1706695136.349:896): pid=13625 uid=0 auid=4294967295 ses=4294967295 subj=dovecot-auth msg='op=PAM:accounting grantors=pam_unix acct="recipient" exe="/usr/lib/dovecot/auth" hostname=::1 addr=::1 terminal=dovecot res=success'
```
> [sh @ balrog] ~ 2 % find /usr/share/apparmor -name "*ssh*"
> /usr/share/apparmor/extra-profiles/usr.sbin.sshd
>
> [sh @ balrog] ~ 3 % rpm -qf /usr/share/apparmor/extra-profiles/usr.sbin.sshd
> apparmor-profiles-3.0.4-150500.11.9.1.noarch
>
> [sh @ balrog] ~ 4 % osc maintainer -e apparmor-profiles
> Defined in package: security:apparmor/apparmor
> bugowner of apparmor-profiles :
> suse-beta@cboltz.de, rgoldwyn@suse.com
> maintainer of apparmor-profiles :
> suse-beta@cboltz.de, rgoldwyn@suse.com
(In reply to Stefan Hundhammer from comment #2)
> > [sh @ balrog] ~ 2 % find /usr/share/apparmor -name "*ssh*"
> > /usr/share/apparmor/extra-profiles/usr.sbin.sshd
> >
> > [sh @ balrog] ~ 3 % rpm -qf /usr/share/apparmor/extra-profiles/usr.sbin.sshd
> > apparmor-profiles-3.0.4-150500.11.9.1.noarch
> >
> > [sh @ balrog] ~ 4 % osc maintainer -e apparmor-profiles
> > Defined in package: security:apparmor/apparmor
> > bugowner of apparmor-profiles :
> > suse-beta@cboltz.de, rgoldwyn@suse.com
> > maintainer of apparmor-profiles :
> > suse-beta@cboltz.de, rgoldwyn@suse.com

Dang.. sorry - I thought I picked component AppArmor.. seems I ended up in AutoYast
Read access to the directory /etc/ssl/engines3.d/ looks like half of the story. The other half is:

- Which files will live in this directory - certs, keys, or both?
- Is there a naming pattern for the files, or do we need to allow "*"?
The spec file explains the new location like this:

- Added openssl-3-use-include-directive.patch so that the default /etc/ssl/openssl.cnf file will include any configuration files that other packages might place into /etc/ssl/engines3.d/ and /etc/ssl/engdef3.d/. Also create symbolic links /etc/ssl/engines.d/ and /etc/ssl/engdef.d/ to above versioned directories.
- Updated spec file to create the two new necessary directories for the above patch and two symbolic links to above directories. [bsc#1194187, bsc#1207472, bsc#1218933]

The same exists for openssl 1.1. The config include says:

```
++# This include will look through the directory that will contain the
++# engine declarations for any engines provided by other packages.
++.include /etc/ssl/engines3.d
++
++# This include will look through the directory that will contain the
++# definitions of the engines declared in the engine section.
++.include /etc/ssl/engdef3.d
```

File names do not have to follow any particular pattern.
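As an added example (not from this bug report, the openssl package or the apparmor project), a small parser that turns the AVC denials shown above into candidate rule lines per profile. It assumes the reading of the two comments above: the `.include` of a directory makes OpenSSL list the directory and then read every file in it, and since the file names follow no particular pattern a `*` glob is emitted alongside the directory rule. The sample records are copied from this report.

```python
import re

# AVC records copied from this bug report (a non-AVC record is included to
# show that it is skipped).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1706694192.948:964): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/httpd-prefork" name="/etc/ssl/engines3.d/" pid=16836 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1706694192.948:965): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/httpd-prefork" name="/etc/ssl/engdef3.d/" pid=16836 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SERVICE_START msg=audit(1706694192.955:966): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=apache2 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1706695132.222:893): apparmor="DENIED" operation="open" class="file" profile="dovecot-pop3-login" name="/etc/ssl/engines3.d/" pid=13622 comm="pop3-login" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return the fields of an AppArmor DENIED record as a dict, else None."""
    if "type=AVC" not in line or 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def suggest_rules(audit_text):
    """Map each profile to the sorted AppArmor file rules that would have
    allowed the denied accesses.

    A denied read on a directory gets a second rule for the files inside it:
    the .include in openssl.cnf lists the directory and then opens each file,
    and the report says the file names follow no pattern, hence '*'."""
    rules = {}
    for line in audit_text.splitlines():
        f = parse_avc(line)
        if not f or f.get("class") != "file" or "name" not in f:
            continue
        path, mask = f["name"], f["denied_mask"]
        wanted = rules.setdefault(f["profile"], set())
        wanted.add(f"{path} {mask},")
        if path.endswith("/"):
            wanted.add(f"{path}* {mask},")
    return {profile: sorted(r) for profile, r in rules.items()}


if __name__ == "__main__":
    for profile, r in suggest_rules(SAMPLE_AUDIT).items():
        print(f"# additions for profile {profile}")
        print("\n".join("  " + rule for rule in r))
```

The output is a starting point for editing the profile, not a replacement for reviewing which files a package actually drops into these directories.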
For reference, openssl 1.1 uses:

- Because OpenSSL 1.1.1 is no longer default, let's rename engine directories to contain version of OpenSSL and let unversioned for the default OpenSSL. [bsc#1194187, bsc#1207472, bsc#1218933]
  * /etc/ssl/engines.d -> /etc/ssl/engines1_1.d
  * /etc/ssl/engdef.d -> /etc/ssl/engdef1_1.d
Thanks for all the details. In the meantime, I got another report for the same denials - and just accepted the SR with the fix.

*** This bug has been marked as a duplicate of bug 1219571 ***