Bugzilla – Bug 510740
/lib/apparmor/rc.apparmor.functions: line 435: echo: write error: No such file or directory
Last modified: 2016-04-15 09:40:34 UTC
rcapparmor reload causes an error message on openSUSE 11.1:
    # rcapparmor reload
    Reloading AppArmor profiles done
    /lib/apparmor/rc.apparmor.functions: line 435: echo: write error: No such file or directory
Do you recall if that happened every time or just occasionally? The only way that can happen is if /sys/kernel/security/apparmor isn't mounted.
I just tested this on three 11.1 servers - two (always) show the error message on a "rcapparmor restart", the other never does (tested 5 times on each server to be sure it happens every time). /sys/kernel/security is mounted on all servers - this probably means there _is_ another way that causes this error message ;-)
Thinking about it, the two servers that show the error message share nearly the same set of profiles. I just added some debugging code and found out it only happens on my /usr/lib/postfix/local profile.
    /usr/lib/postfix/local {
      #include <abstractions/base>
      [...]
      profile "^/usr/lib/postfix/local " {
        /usr/lib/mailman/mail/mailman Px,
      }
    }
Needless to say that this sub-profile looks a bit strange. I especially wonder about the space at the end of the name. (The question why this sub-profile exists at all is another issue, but I have no idea about this.)
After running "rcapparmor stop", the strange subprofile is still loaded:
    # cat /sys/kernel/security/apparmor/profiles
    /usr/lib/postfix/local//^/usr/lib/postfix/local (enforce)
The script echoes "/usr/lib/postfix/local//^/usr/lib/postfix/local" (without space!) to /sys/kernel/security/apparmor/.remove
I just verified that this really causes the error message by removing the sub-profile and calling
    echo -n '/usr/lib/postfix/local//^/usr/lib/postfix/local ' > /sys/kernel/security/apparmor/.remove
Now rcapparmor restart works without the error message.
-> the space must be lost somewhere - maybe there's variable quoting missing somewhere in the script.
some more debugging: the file $MODULE_PLIST contains the space. This means the space must be lost in this line: sort "$PNAMES_LIST" | comm -2 -3 "$MODULE_PLIST" - | while read profile ; do comm worked fine on some test files, therefore I googled for "bash read space" and found http://dbaspot.com/forums/shell/372688-bash-read-string-preceding-trailing-space-oddity.html The solution is to unset $IFS in /lib/apparmor/rc.apparmor.functions line 434: - sort "$PNAMES_LIST" | comm -2 -3 "$MODULE_PLIST" - | while read profile ; do + sort "$PNAMES_LIST" | comm -2 -3 "$MODULE_PLIST" - | while IFS= read profile ; do # ignore the line break in bugzilla Please apply this fix to the rc.apparmor.functions script. BTW: You'll get the "No such file or directory" message if you try to remove a profile that is not loaded (or doesn't exist). Try yourself: echo '/does/not_exist' > /sys/kernel/security/apparmor/.remove
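Review bot: on the "+" line for line 434, "while IFS= read profile" still runs read without -r, so a backslash in a profile name is consumed as an escape character and the name written to .remove would again differ from the entry in $MODULE_PLIST; suggest "while IFS= read -r profile ; do". The description also says to unset $IFS, while the change sets IFS to empty for the read command only; the wording should say that, since the narrower form is what keeps the rest of the script's word splitting unchanged.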
Great! Thanks for the debugging effort. I'll work this into the package tomorrow morning.
I've committed this fix to the security:apparmor:factory and will backport the fix to the various products later tonight.
I've submitted fixes for SLE11 SP1 and openSUSE 11.2. openSUSE 11.1 is out of scope. Anja, I have three fixes queued up for apparmor-parser. SR 34867
ok, be so kind and submit a patchinfo for 11.2; swampID: 32010
The SWAMPID for this issue is 32010. Please submit the patch and patchinfo file using this ID. (https://swamp.suse.de/webswamp/wf/32010)
Update released for: apparmor-parser, apparmor-parser-debuginfo, apparmor-parser-debugsource, apparmor-utils
Products: openSUSE 11.2 (debug, i586, x86_64)
Unfortunately this fix was lost again in 11.3 :-( An update just for this would be exaggerated, but you should include it if you ever release an update for apparmor-parser on 11.3.
More important: The 2.5.1 packages in security:apparmor also miss this fix - please apply the fix from comment #3 there!
I replaced line 434 of /lib/apparmor/rc.apparmor.functions with
    + sort "$PNAMES_LIST" | comm -2 -3 "$MODULE_PLIST" - | while IFS= read profile
    ; do # ignore the line break in bugzilla
but now I see a new error:
    > sudo /etc/init.d/boot.apparmor start
    /lib/apparmor/rc.apparmor.functions: line 439: syntax error near unexpected token `;'
    /lib/apparmor/rc.apparmor.functions: line 439: ` ; do # ignore the line break in bugzilla'
    /lib/apparmor/rc.apparmor.functions: line 345: configure_owlsm: command not found
    Loading AppArmor profiles done done
What's wrong?
P.S.: openSUSE 11.3
    > susepaste /lib/apparmor/rc.apparmor.functions
    Pasted as: http://susepaste.org/57531528
(In reply to comment #11)
> I'm replaced line 434 /lib/apparmor/rc.apparmor.functions on
> + sort "$PNAMES_LIST" | comm -2 -3 "$MODULE_PLIST" - | while IFS= read profile
> ; do # ignore the line break in bugzilla
>
> but now i see new error:
...
> What's wrong?
The line has to be:
    sort "$PNAMES_LIST" | comm -2 -3 "$MODULE_PLIST" - | while IFS= read profile ; do
It looks like you did something wrong, maybe you added a linebreak in front of the ";" or you accidentally included the "+" when copying the line.
> http://susepaste.org/57531528
gives me a "404 not found" :-(
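The effect behind this fix, reproduced as an added example (not part of the original report and not code from rc.apparmor.functions): the same sort | comm | while read pipeline run over two constructed lists, once with the original read and once with the corrected line. The function name list_stale, its mode argument and the temporary files are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example; both lists below are constructed sample data.

# list_stale MODE: print every profile that is loaded but has no profile
# file on disk, wrapped in [] so that a trailing space is visible.
# MODE "original" uses the old loop, MODE "fixed" the corrected one.
list_stale() (
    LC_ALL=C; export LC_ALL          # comm needs a stable sort order
    tmp=$(mktemp -d) || exit 1

    # Stand-in for $MODULE_PLIST (names loaded in the kernel). The second
    # name ends in a space, like the sub-profile in the report.
    printf '%s\n' '/usr/lib/postfix/local' \
        '/usr/lib/postfix/local//^/usr/lib/postfix/local ' > "$tmp/module_plist"

    # Stand-in for $PNAMES_LIST (names found in the profile files).
    printf '%s\n' '/usr/lib/postfix/local' > "$tmp/pnames_list"

    if [ "$1" = original ]; then
        # Default IFS: read strips leading and trailing whitespace.
        sort "$tmp/pnames_list" | comm -2 -3 "$tmp/module_plist" - |
            while read profile ; do printf '[%s]\n' "$profile" ; done
    else
        # Empty IFS for read only: the line is kept as comm printed it.
        sort "$tmp/pnames_list" | comm -2 -3 "$tmp/module_plist" - |
            while IFS= read profile ; do printf '[%s]\n' "$profile" ; done
    fi
    rm -rf "$tmp"
)

list_stale original
list_stale fixed
```

The name printed by the original loop no longer matches any loaded profile, which is why the write to .remove fails with "No such file or directory".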
(In reply to comment #12)
You are right. Thanks.
>> http://susepaste.org/57531528
> gives me a "404 not found" :-(
Yeah, me too. :)
Ok, thanks for the update. I've fixed this in the apparmor package in security:apparmor:factory and in the apparmor-parser package for openSUSE 11.3. I'll submit it to maintenance after I check to see if there are any other pending apparmor-parser reports for 11.3.
openSUSE 11.3 SR 54281
looks good +1
The SWAMPID for this issue is 37584. This issue was rated as low. Please submit fixed packages until 2010-12-31. Also create a patchinfo file using this link: https://swamp.suse.de/webswamp/wf/37584
update started ... be so kind and add a patchinfo.
Looks like this was released w/o a patch info. Sorry for dragging my feet on that.
VERIFIED on 11.3
VERIFIED in apparmor-parser-2.5.1 from security:apparmor - which hopefully arrives in Factory soon (I've seen the mail about the pending SR on opensuse-factory)
This is an autogenerated message for OBS integration:
This bug (510740) was mentioned in
https://build.opensuse.org/request/show/34867 11.2:Test / apparmor-parser
https://build.opensuse.org/request/show/54281 11.3:Test / apparmor-parser
https://build.opensuse.org/request/show/57759 11.2:Test / apparmor-parser