Bug 1219571 - profiles: openssl 1.1 requires /etc/ssl/engines3.d/ path access
Summary: profiles: openssl 1.1 requires /etc/ssl/engines3.d/ path access
Status: RESOLVED FIXED
Duplicates: 1219401
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: AppArmor (show other bugs)
Version: Current
Hardware: Other Other
Priority: P5 - None  Severity: Normal
Target Milestone: ---
Assignee: David Disseldorp
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-02-05 13:46 UTC by David Disseldorp
Modified: 2024-02-23 00:50 UTC
CC: 5 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description David Disseldorp 2024-02-05 13:46:34 UTC
darix reported the following AVCs when running nginx alongside openssl 1.1:

type=AVC msg=audit(X): apparmor="DENIED" operation="open" class="file" profile="nginx" name="/etc/ssl/engines3.d/" pid=Y comm="nginx" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

type=AVC msg=audit(X+1): apparmor="DENIED" operation="open" class="file" profile="nginx" name="/etc/ssl/engdef3.d/" pid=Y comm="nginx" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Presumably we need something like:

--- a/profiles/apparmor.d/abstractions/openssl
+++ b/profiles/apparmor.d/abstractions/openssl
@@ -12,8 +12,8 @@
 
   /etc/ssl/openssl.cnf r,
   /etc/ssl/openssl-*.cnf r,
-  /etc/ssl/{engdef,engines}.d/ r,
-  /etc/ssl/{engdef,engines}.d/*.cnf r,
+  /etc/ssl/{engdef,engines,engines3}.d/ r,
+  /etc/ssl/{engdef,engines,engines3}.d/*.cnf r,
   /usr/share/ssl/openssl.cnf r,
 
   # Include additions to the abstraction
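Review bot: the second AVC in the description names /etc/ssl/engdef3.d/, but the new alternation in this hunk only adds engines3, so `/etc/ssl/{engdef,engines,engines3}.d/ r,` and its `*.cnf` companion still leave that directory open() denied; either add engdef3 next to engines3 or widen both rules to a glob such as `/etc/ssl/{engdef,engines}*.d/ r,` and `/etc/ssl/{engdef,engines}*.d/*.cnf r,`. Note that the names in the AVCs are the resolved directories (engines3.d, engdef3.d), which is what AppArmor mediates on, so listing only the engdef.d/engines.d names that may be symlinks to them is not enough. The denials are only for "r" on the directory itself, so no rights beyond r are needed.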


...but it'd be good to first know what other paths may be affected before submitting upstream.
Comment 1 David Disseldorp 2024-02-06 00:16:53 UTC
(In reply to David Disseldorp from comment #0)
...
> Presumably we need something like:
> 
> --- a/profiles/apparmor.d/abstractions/openssl
> +++ b/profiles/apparmor.d/abstractions/openssl
> @@ -12,8 +12,8 @@
>  
>    /etc/ssl/openssl.cnf r,
>    /etc/ssl/openssl-*.cnf r,
> -  /etc/ssl/{engdef,engines}.d/ r,
> -  /etc/ssl/{engdef,engines}.d/*.cnf r,
> +  /etc/ssl/{engdef,engines,engines3}.d/ r,
> +  /etc/ssl/{engdef,engines,engines3}.d/*.cnf r,
>    /usr/share/ssl/openssl.cnf r,
>  
>    # Include additions to the abstraction
> 
> 
> ...but it'd be good to first know what other paths may be affected before
> submitting upstream.

Setting needinfo just to confirm this.
Comment 2 Otto Hollmann 2024-02-06 10:53:09 UTC
Starting with SLE15-SP6 (ALP and Tumbleweed) we renamed openssl 1.1 directories
> /etc/ssl/engdef.d to /etc/ssl/engdef1.1.d
> /etc/ssl/engines.d to /etc/ssl/engines1.1.d
And created symbolic links to openssl-3 directories
> /etc/ssl/engdef.d -> /etc/ssl/engdef3.d
> /etc/ssl/engines.d -> /etc/ssl/engines3.d

So I think we need to add engdef{1.1,3}.d and engines{1.1,3}.d
Comment 3 David Disseldorp 2024-02-06 10:57:23 UTC
(In reply to Otto Hollmann from comment #2)
> Starting with SLE15-SP6 (ALP and Tumbleweed) we renamed openssl 1.1
> directories
> > /etc/ssl/engdef.d to /etc/ssl/engdef1.1.d
> > /etc/ssl/engines.d to /etc/ssl/engines1.1.d
> And created symbolic links to openssl-3 directories
> > /etc/ssl/engdef.d -> /etc/ssl/engdef3.d
> > /etc/ssl/engines.d -> /etc/ssl/engines3.d
> 
> So I think we need to add engdef{1.1,3}.d and engines{1.1,3}.d

Thanks, I'll update the profile to hopefully cover all of these new paths.
Comment 4 David Disseldorp 2024-02-06 13:32:17 UTC
(In reply to Otto Hollmann from comment #2)
> Starting with SLE15-SP6 (ALP and Tumbleweed) we renamed openssl 1.1
> directories
> > /etc/ssl/engdef.d to /etc/ssl/engdef1.1.d
> > /etc/ssl/engines.d to /etc/ssl/engines1.1.d
> And created symbolic links to openssl-3 directories
> > /etc/ssl/engdef.d -> /etc/ssl/engdef3.d
> > /etc/ssl/engines.d -> /etc/ssl/engines3.d
> 
> So I think we need to add engdef{1.1,3}.d and engines{1.1,3}.d

On TW it's engdef1_1.d and engines1_1.d (note the underscore) so I've submitted it via:
https://gitlab.com/apparmor/apparmor/-/merge_requests/1147

Test feedback would be much appreciated.
Comment 5 Marcus Rückert 2024-02-06 13:54:43 UTC
The submit request to TW that changes "_" to "." is just being reviewed by me, so the 1_1 is deprecated.
Comment 6 David Disseldorp 2024-02-06 23:37:06 UTC
(In reply to Marcus Rückert from comment #5)
> The submit request to TW that changes "_" to "." is just being reviewed by
> me, so the 1_1 is deprecated.

Thanks, I've updated the upstream MR to use a wildcard, following Christian's suggestion. I'll submit for Factory once acked upstream.
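As an added check (example code written for this page, not code from the AppArmor project or from the merge request), the following Python parses the two AVC records from the description, then tests the abstraction's pre-patch rules, the rules proposed in comment 0, and one wildcard form against the directory names given in comments 2 and 4. The glob matcher is a simplified reimplementation of AppArmor's path globbing written for this check, not AppArmor's own parser, and the wildcard rule `/etc/ssl/{engdef,engines}*.d/` is an assumption for illustration, not necessarily the rule that was merged upstream.

```python
import re

# AVC records copied from the bug description (comment 0); X/Y are the page's own placeholders.
AVC_LINES = [
    'type=AVC msg=audit(X): apparmor="DENIED" operation="open" class="file" profile="nginx" '
    'name="/etc/ssl/engines3.d/" pid=Y comm="nginx" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'type=AVC msg=audit(X+1): apparmor="DENIED" operation="open" class="file" profile="nginx" '
    'name="/etc/ssl/engdef3.d/" pid=Y comm="nginx" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

# Constructed list of the directory names mentioned in comments 2 and 4 (symlink names,
# their resolved targets, both "1.1" and "1_1" spellings) plus one .cnf inside a target.
CANDIDATE_PATHS = [
    "/etc/ssl/engdef.d/", "/etc/ssl/engines.d/",
    "/etc/ssl/engdef1.1.d/", "/etc/ssl/engines1.1.d/",
    "/etc/ssl/engdef1_1.d/", "/etc/ssl/engines1_1.d/",
    "/etc/ssl/engdef3.d/", "/etc/ssl/engines3.d/",
    "/etc/ssl/engines3.d/foo.cnf",
]

# Rule paths as in the abstraction before the patch, as proposed in comment 0, and one
# assumed wildcard form (hypothetical; the exact rule merged upstream is not on this page).
OLD_RULES = ["/etc/ssl/{engdef,engines}.d/", "/etc/ssl/{engdef,engines}.d/*.cnf"]
PROPOSED_RULES = ["/etc/ssl/{engdef,engines,engines3}.d/",
                  "/etc/ssl/{engdef,engines,engines3}.d/*.cnf"]
WILDCARD_RULES = ["/etc/ssl/{engdef,engines}*.d/", "/etc/ssl/{engdef,engines}*.d/*.cnf"]

_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Split an audit line into key=value fields, stripping quotes from quoted values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in _KV.findall(line)}


def denied_paths(lines):
    """Return (profile, name, denied_mask) for every DENIED record that carries a path."""
    out = []
    for line in lines:
        f = parse_avc(line)
        if f.get("apparmor") == "DENIED" and "name" in f:
            out.append((f["profile"], f["name"], f.get("denied_mask", "")))
    return out


def aa_glob_to_regex(rule_path):
    """Simplified AppArmor path-glob translator (not AppArmor's own parser):
    '**' matches across '/', '*' and '?' do not, '{a,b}' is alternation, '[..]' a class."""
    out, depth, i = [], 0, 0
    while i < len(rule_path):
        c = rule_path[i]
        if rule_path.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "," and depth:
            out.append("|")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "[":
            j = rule_path.index("]", i)
            out.append(rule_path[i:j + 1])
            i = j + 1
            continue
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def uncovered(rule_paths, paths):
    """Paths that none of the rule globs match, i.e. accesses that would still be denied."""
    patterns = [aa_glob_to_regex(r) for r in rule_paths]
    return [p for p in paths if not any(pat.match(p) for pat in patterns)]


if __name__ == "__main__":
    denied = [name for _, name, _ in denied_paths(AVC_LINES)]
    for label, rules in (("current", OLD_RULES), ("comment 0", PROPOSED_RULES),
                         ("wildcard", WILDCARD_RULES)):
        print(f"{label}: AVC names still denied: {uncovered(rules, denied)}")
        print(f"{label}: all candidates still denied: {uncovered(rules, CANDIDATE_PATHS)}")
```

Run stand-alone, the script shows that the pre-patch rules miss every renamed directory, that the comment 0 proposal still leaves /etc/ssl/engdef3.d/ denied, and that a single wildcard covers the "1.1", "1_1" and "3" spellings without having to enumerate them, which is the point of the wildcard approach mentioned above.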
Comment 7 David Disseldorp 2024-02-12 00:11:35 UTC
(In reply to David Disseldorp from comment #6)
> (In reply to Marcus Rückert from comment #5)
> > The submit request to TW that changes "_" to "." is just being reviewed by
> > me, so the 1_1 is deprecated.
> 
> Thanks, I've updated the upstream MR to use a wildcard, following
> Christian's suggestion. I'll submit for Factory once acked upstream.

It's merged upstream (thanks Christian). Awaiting downstream ack:
https://build.opensuse.org/request/show/1145034
Comment 8 Christian Boltz 2024-02-16 20:23:05 UTC
Sorry for the delay.

For the record: changes to the AppArmor package submitted during the last days of the carnival season can take a bit longer ;-)

As someone wrote on the German mailing list years ago:

    Well, anyone who mails someone in one of the carnival regions during the
    well-known silly season has to expect that their mail will hardly be
    answered before Friday. Before then, the people there are hardly sober
    and approachable again. ;)) [Martin Falley in suse-linux]


SR 1147189 sent to Factory.

For 15.6, SR 1144722 is still open, therefore I'll let you do the submission once it gets accepted in IBS (or now, obsoleting that SR - whatever you prefer).
Comment 9 Christian Boltz 2024-02-16 20:24:25 UTC
*** Bug 1219401 has been marked as a duplicate of this bug. ***
Comment 10 OBSbugzilla Bot 2024-02-16 20:55:01 UTC
This is an autogenerated message for OBS integration:
This bug (1219571) was mentioned in
https://build.opensuse.org/request/show/1147189 Factory / apparmor
Comment 11 David Disseldorp 2024-02-18 22:51:01 UTC
(In reply to Christian Boltz from comment #8)
> Sorry for the delay.

No worries Christian.

> 
> For the record: changes to the AppArmor package submitted during the last
> days of the carnival season can take a bit longer ;-)
> 
> As someone wrote on the German mailing list years ago:
> 
>     Well, anyone who mails someone in one of the carnival regions during the
>     well-known silly season has to expect that their mail will hardly be
>     answered before Friday. Before then, the people there are hardly sober
>     and approachable again. ;)) [Martin Falley in suse-linux]

:D

> SR 1147189 sent to Factory.
> 
> For 15.6, SR 1144722 is still open, therefore I'll let you do the submission
> once it gets accepted in IBS (or now, obsoleting that SR - whatever you
> prefer).

Thanks!
Comment 13 David Disseldorp 2024-02-19 04:00:33 UTC
(In reply to Christian Boltz from comment #8)
...
> For 15.6, SR 1144722 is still open, therefore I'll let you do the submission
> once it gets accepted in IBS (or now, obsoleting that SR - whatever you
> prefer).

The SLE15-SP6 SR corresponding to SR 1144722 was already merged, so I think it's just a matter of waiting for the 15-SP6 -> 15.6 mirror to kick in (not too sure what kind of magic is responsible for that).

I've submitted this individual fix as a follow-up for 15-SP6 (IBS SR 322063)
Comment 14 David Disseldorp 2024-02-23 00:50:24 UTC
(In reply to David Disseldorp from comment #13)
...
> The SLE15-SP6 SR corresponding to SR 1144722 was already merged, so I think
> it's just a matter of waiting for the 15-SP6 -> 15.6 mirror to kick in (not
> too sure what kind of magic is responsible for that).
> 
> I've submitted this individual fix as a follow-up for 15-SP6 (IBS SR 322063)

Merged.