[Bug 277380] New: no output from aa-unconfined in latest 2.6.21-200.1 HEAD kernel
https://bugzilla.novell.com/show_bug.cgi?id=277380

           Summary: no output from aa-unconfined in latest 2.6.21-200.1 HEAD kernel
           Product: openSUSE 10.2
           Version: Final
          Platform: x86-64
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: AppArmor
        AssignedTo: dreynolds@novell.com
        ReportedBy: joe_morris@ntm.org
         QAContact: dreynolds@novell.com

According to the Changelog, there were some updates to the apparmor module. With 2.6.21-87 there is normal output from aa-unconfined, but with the latest 2.6.21-200.1 there is NO output at all. I don't think that is correct.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=277380

seth.arnold@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|dreynolds@novell.com        |seth.arnold@novell.com
             Status|NEW                         |ASSIGNED

------- Comment #1 from seth.arnold@novell.com 2007-05-23 12:53 MST -------
Joe, to make sure, were you using aa-unconfined in an unconfined root shell? aa-unconfined relies on the netstat -p output to function, and that requires unconfined root.

Can you paste output of aa-unconfined as well as (if you don't mind) netstat -nlp?

Thanks
https://bugzilla.novell.com/show_bug.cgi?id=277380

------- Comment #2 from joe_morris@ntm.org 2007-05-23 16:35 MST -------
joe@jmorris:~> su
Password:
jmorris:/home/joe # aa-unconfined
jmorris:/home/joe # netstat -nlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:901             0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:10025         0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:873             0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:3310          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:465           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:5426            0.0.0.0:*               LISTEN      -
tcp        0      0 192.168.1.2:53          0.0.0.0:*               LISTEN      -
tcp        0      0 192.168.10.1:53         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:2207          0.0.0.0:*               LISTEN      -
tcp        0      0 ::1:10025               :::*                    LISTEN      -
tcp        0      0 :::873                  :::*                    LISTEN      -
tcp        0      0 ::1:465                 :::*                    LISTEN      -
tcp        0      0 :::22                   :::*                    LISTEN      -
tcp        0      0 :::631                  :::*                    LISTEN      -
tcp        0      0 ::1:25                  :::*                    LISTEN      -
udp        0      0 0.0.0.0:32768           0.0.0.0:*                           -
udp        0      0 0.0.0.0:1026            0.0.0.0:*                           -
udp        0      0 127.0.0.1:32798         0.0.0.0:*                           -
udp        0      0 0.0.0.0:5426            0.0.0.0:*                           -
udp        0      0 192.168.1.2:53          0.0.0.0:*                           -
udp        0      0 192.168.10.1:53         0.0.0.0:*                           -
udp        0      0 127.0.0.1:53            0.0.0.0:*                           -
udp        0      0 0.0.0.0:67              0.0.0.0:*                           -
udp        0      0 0.0.0.0:111             0.0.0.0:*                           -
udp        0      0 0.0.0.0:631             0.0.0.0:*                           -
udp        0      0 192.168.1.2:123         0.0.0.0:*                           -
udp        0      0 192.168.10.1:123        0.0.0.0:*                           -
udp        0      0 127.0.0.1:123           0.0.0.0:*                           -
udp        0      0 0.0.0.0:123             0.0.0.0:*                           -
udp        0      0 :::32769                :::*                                -
udp        0      0 fe80::216:17ff:fe8c:123 :::*                                -
udp        0      0 ::1:123                 :::*                                -
udp        0      0 :::123                  :::*                                -
raw        0      0 0.0.0.0:1               0.0.0.0:*               7           -
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     13442  -                   /tmp/gpg-Zh3sOV/S.gpg-agent
unix  2      [ ACC ]     STREAM     LISTENING     13445  -                   /tmp/ssh-hnNJw4369/agent.4369
unix  2      [ ACC ]     STREAM     LISTENING     13238  -                   /var/spool/amavis/amavisd.sock
unix  2      [ ACC ]     STREAM     LISTENING     15379  -                   public/cleanup
unix  2      [ ACC ]     STREAM     LISTENING     14240  -                   /var/run/nscd/socket
unix  2      [ ACC ]     STREAM     LISTENING     15386  -                   private/tlsmgr
unix  2      [ ACC ]     STREAM     LISTENING     15390  -                   private/rewrite
unix  2      [ ACC ]     STREAM     LISTENING     15394  -                   private/bounce
unix  2      [ ACC ]     STREAM     LISTENING     15398  -                   private/defer
unix  2      [ ACC ]     STREAM     LISTENING     15402  -                   private/trace
unix  2      [ ACC ]     STREAM     LISTENING     15406  -                   private/verify
unix  2      [ ACC ]     STREAM     LISTENING     15410  -                   public/flush
unix  2      [ ACC ]     STREAM     LISTENING     15414  -                   private/proxymap
unix  2      [ ACC ]     STREAM     LISTENING     15418  -                   private/smtp
unix  2      [ ACC ]     STREAM     LISTENING     15422  -                   private/relay
unix  2      [ ACC ]     STREAM     LISTENING     15426  -                   public/showq
unix  2      [ ACC ]     STREAM     LISTENING     15430  -                   private/error
unix  2      [ ACC ]     STREAM     LISTENING     15434  -                   private/discard
unix  2      [ ACC ]     STREAM     LISTENING     15438  -                   private/local
unix  2      [ ACC ]     STREAM     LISTENING     15442  -                   private/virtual
unix  2      [ ACC ]     STREAM     LISTENING     15446  -                   private/lmtp
unix  2      [ ACC ]     STREAM     LISTENING     15450  -                   private/anvil
unix  2      [ ACC ]     STREAM     LISTENING     10910  -                   /var/run/xdmctl/dmctl/socket
unix  2      [ ACC ]     STREAM     LISTENING     15473  -                   private/scache
unix  2      [ ACC ]     STREAM     LISTENING     15477  -                   private/maildrop
unix  2      [ ACC ]     STREAM     LISTENING     15481  -                   private/cyrus
unix  2      [ ACC ]     STREAM     LISTENING     16154  -                   /home/joe/.beagle/socket
unix  2      [ ACC ]     STREAM     LISTENING     15485  -                   private/uucp
unix  2      [ ACC ]     STREAM     LISTENING     31005  -                   /tmp/ksocket-joe/kdesud_:0
unix  2      [ ACC ]     STREAM     LISTENING     15489  -                   private/ifmail
unix  2      [ ACC ]     STREAM     LISTENING     11075  -                   /var/run/xdmctl/dmctl-:0/socket
unix  2      [ ACC ]     STREAM     LISTENING     15493  -                   private/bsmtp
unix  2      [ ACC ]     STREAM     LISTENING     15497  -                   private/procmail
unix  2      [ ACC ]     STREAM     LISTENING     20368  -                   /var/lib/clamav/clamd-socket
unix  2      [ ACC ]     STREAM     LISTENING     38780  -                   /tmp/orbit-joe/linc-21ae-0-fcf244e9f938
unix  2      [ ACC ]     STREAM     LISTENING     38832  -                   /tmp/orbit-joe/linc-20ac-0-75ed4ac0c4b48
unix  2      [ ACC ]     STREAM     LISTENING     11041  -                   /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     9062   -                   /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     13650  -                   /tmp/.ICE-unix/4477
unix  2      [ ACC ]     STREAM     LISTENING     10484  -                   @/var/run/hald/dbus-c5zPmGQwBU
unix  2      [ ACC ]     STREAM     LISTENING     13510  -                   /tmp/ksocket-joe/kdeinit__0
unix  2      [ ACC ]     STREAM     LISTENING     9029   -                   /var/run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     9177   -                   /var/run/.resmgr_socket
unix  2      [ ACC ]     STREAM     LISTENING     10485  -                   @/var/run/hald/dbus-cADoqbyZmY
unix  2      [ ACC ]     STREAM     LISTENING     13512  -                   /tmp/ksocket-joe/kdeinit-:0
unix  2      [ ACC ]     STREAM     LISTENING     13546  -                   /tmp/ksocket-joe/klauncher72usFa.slave-socket
unix  2      [ ACC ]     STREAM     LISTENING     13462  -                   @/tmp/dbus-n0PRoiUkHs
unix  2      [ ACC ]     STREAM     LISTENING     13926  -                   /var/run/cups/cups.sock
unix  2      [ ACC ]     STREAM     LISTENING     13523  -                   /tmp/.ICE-unix/dcop4465-1179959028
jmorris:/home/joe # uname -a
Linux jmorris 2.6.21-200-default #1 SMP Fri May 18 14:32:06 UTC 2007 x86_64 x86_64 x86_64 GNU/Linux
jmorris:/home/joe # cat /etc/SuSE-release
openSUSE 10.2 (X86-64)
VERSION = 10.2
jmorris:/home/joe # cat /sys/kernel/security/apparmor/profiles
/usr/sbin/xinetd (enforce)
/usr/sbin/traceroute (enforce)
/usr/sbin/sshd (enforce)
/usr/sbin/sendmail.postfix (enforce)
/usr/sbin/sendmail (enforce)
/usr/sbin/rsyncd (enforce)
/usr/sbin/postqueue (enforce)
/usr/sbin/postmap (enforce)
/usr/sbin/postdrop (enforce)
/usr/sbin/postalias (enforce)
/usr/sbin/ntpd (enforce)
/usr/sbin/nscd (enforce)
/usr/sbin/named (enforce)
/usr/sbin/mdnsd (enforce)
/usr/sbin/ipop3d (enforce)
/usr/sbin/imapd (enforce)
/usr/sbin/identd (enforce)
/usr/sbin/hpiod (enforce)
/usr/sbin/dhcpd (enforce)
/usr/sbin/cupsd (enforce)
/usr/sbin/clamd (enforce)
/usr/sbin/amavisd (complain)
/usr/lib/postfix/virtual (enforce)
/usr/lib/postfix/verify (enforce)
/usr/lib/postfix/trivial-rewrite (enforce)
/usr/lib/postfix/tlsmgr (enforce)
/usr/lib/postfix/spawn (enforce)
/usr/lib/postfix/smtpd (enforce)
/usr/lib/postfix/smtp (enforce)
/usr/lib/postfix/showq (enforce)
/usr/lib/postfix/scache (enforce)
/usr/lib/postfix/qmqpd (enforce)
/usr/lib/postfix/qmgr (complain)
/usr/lib/postfix/proxymap (enforce)
/usr/lib/postfix/pipe (enforce)
/usr/lib/postfix/pickup (enforce)
/usr/lib/postfix/oqmgr (enforce)
/usr/lib/postfix/nqmgr (enforce)
/usr/lib/postfix/master (enforce)
/usr/lib/postfix/local (enforce)
/usr/lib/postfix/lmtp (enforce)
/usr/lib/postfix/flush (enforce)
/usr/lib/postfix/error (enforce)
/usr/lib/postfix/discard (enforce)
/usr/lib/postfix/cleanup (enforce)
/usr/lib/postfix/bounce (enforce)
/usr/lib/postfix/anvil (enforce)
/usr/lib/AntiVir/antivir (complain)
/usr/bin/skype (enforce)
/usr/bin/python2.5 (enforce)
/usr/bin/procmail (enforce)
/usr/bin/freshclam (enforce)
/usr/X11R6/bin/acroread (enforce)
/sbin/syslogd (enforce)
/sbin/syslog-ng (enforce)
/sbin/portmap (enforce)
/sbin/klogd (enforce)
/bin/ping (enforce)

Yes, I am pretty sure this is from an unconfined root shell. As I mentioned, it worked until I updated to 2.6.21-200. Previous to that, I ran 2.6.21-87.
https://bugzilla.novell.com/show_bug.cgi?id=277380

------- Comment #3 from joe_morris@ntm.org 2007-05-23 18:31 MST -------
Sorry, I just realized I reported against the 2.6.21-200.1 kernel. I should have specified the 2.6.21-200 kernel.
https://bugzilla.novell.com/show_bug.cgi?id=277380

------- Comment #4 from sbeattie@novell.com 2007-05-23 20:38 MST -------
Something appears to be borked with the netstat/kernel interface there; none of the PID/Program Name pairs are getting reported. For example, the line for portmap (port 111) should look something like (format compressed to fit bugzilla line limitations):

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address  Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:111    0.0.0.0:*        LISTEN  3839/portmap

Can you post the contents of /proc/net/tcp and do an ls -l on /proc/<pid>/fd/ for the pid of your portmap daemon (as an example, feel free to post others). I wonder if the layout or contents of some of the /proc files (what netstat uses to collect its information) has changed in a way that's causing netstat to be unable to do the mapping from sockets to processes.
https://bugzilla.novell.com/show_bug.cgi?id=277380

------- Comment #5 from sbeattie@novell.com 2007-05-23 20:42 MST -------
Oh, another thing you might try; to verify that the apparmor interface that aa-unconfined uses is working and that netstat is the problem, can you do:

aa-unconfined --paranoid

That will report the confined or unconfined state of every process on the system. If that's still working, then that's more confirmation that the problem lies in how netstat is querying the kernel.
https://bugzilla.novell.com/show_bug.cgi?id=277380

------- Comment #6 from joe_morris@ntm.org 2007-05-24 04:14 MST -------
Ok, --paranoid seemed to work. Must be a netstat/kernel problem affecting it.

joe@jmorris:~> su
Password:
jmorris:/home/joe # aa-unconfined --paranoid
1 /sbin/init not confined
982 /sbin/udevd not confined
2967 /sbin/acpid not confined
2994 /sbin/syslog-ng confined by '/sbin/syslog-ng (enforce)'
2995 /usr/bin/dbus-daemon not confined
2998 /sbin/klogd confined by '/sbin/klogd (enforce)'
3010 /usr/sbin/hpiod confined by '/usr/sbin/hpiod (enforce)'
3014 /usr/bin/python2.5 confined by '/usr/bin/python2.5 (enforce)'
3043 /sbin/resmgrd not confined
3346 /usr/sbin/polkitd not confined
3389 /opt/kde3/bin/kdm not confined
3406 /usr/sbin/hald not confined
3407 /usr/lib64/hal/hald-runner not confined
3421 /usr/bin/Xorg not confined
3532 /opt/kde3/bin/kdm not confined
3574 /usr/lib64/hal/hald-addon-cpufreq not confined
3591 /usr/lib64/hal/hald-addon-acpi not confined
3593 /usr/lib64/hal/hald-addon-keyboard not confined
3664 /usr/lib64/hal/hald-addon-keyboard not confined
3667 /usr/lib64/hal/hald-addon-keyboard not confined
3752 /usr/lib64/hal/hald-addon-storage not confined
3754 /usr/lib64/hal/hald-addon-storage not confined
3756 /usr/lib64/hal/hald-addon-storage not confined
3758 /usr/lib64/hal/hald-addon-storage not confined
3760 /usr/lib64/hal/hald-addon-storage not confined
3762 /usr/lib64/hal/hald-addon-storage not confined
4024 /sbin/auditd not confined
4048 /sbin/portmap confined by '/sbin/portmap (enforce)'
4125 /usr/sbin/clamd confined by '/usr/sbin/clamd (enforce)'
4178 /usr/sbin/smartd not confined
4212 /usr/sbin/powersaved not confined
4262 /usr/sbin/sshd confined by '/usr/sbin/sshd (enforce)'
4296 /usr/bin/perl (/usr/bin/perl -w /usr/sbin/aa-eventd -p /var/run/aa-eventd.pid) not confined
4337 /usr/sbin/named confined by '/usr/sbin/named (enforce)'
4350 /usr/bin/perl (amavisd (master)) confined by '/usr/sbin/amavisd (complain)'
4367 /usr/bin/perl (amavisd (virgin child)) confined by '/usr/sbin/amavisd (complain)'
4368 /usr/bin/perl (amavisd (virgin child)) confined by '/usr/sbin/amavisd (complain)'
4375 /usr/sbin/ntpd confined by '/usr/sbin/ntpd (enforce)'
4389 /usr/sbin/cupsd confined by '/usr/sbin/cupsd (enforce)'
4417 /usr/sbin/dhcpd confined by '/usr/sbin/dhcpd (enforce)'
4430 /usr/sbin/nscd confined by '/usr/sbin/nscd (enforce)'
4448 /usr/sbin/rsyncd confined by '/usr/sbin/rsyncd (enforce)'
4504 /usr/lib/postfix/master confined by '/usr/lib/postfix/master (enforce)'
4505 /usr/lib/postfix/pickup confined by '/usr/lib/postfix/pickup (enforce)'
4506 /usr/lib/postfix/qmgr confined by '/usr/lib/postfix/qmgr (complain)'
4539 /usr/sbin/cron not confined
4551 /sbin/mdadm not confined
4563 /usr/sbin/xinetd confined by '/usr/sbin/xinetd (enforce)'
4930 /sbin/mingetty not confined
4934 /sbin/mingetty not confined
4938 /sbin/mingetty not confined
4940 /sbin/mingetty not confined
4942 /sbin/mingetty not confined
4949 /sbin/mingetty not confined
5001 /bin/bash (/bin/sh /usr/bin/kde) not confined
5045 /usr/bin/gpg-agent not confined
5046 /usr/bin/ssh-agent not confined
5052 /usr/bin/dbus-daemon not confined
5093 /opt/kde3/bin/start_kdeinit not confined
5094 /opt/kde3/bin/kdeinit not confined
5097 /opt/kde3/bin/kdeinit not confined
5099 /opt/kde3/bin/kdeinit not confined
5101 /opt/kde3/bin/kdeinit not confined
5106 /opt/kde3/bin/kwrapper not confined
5108 /opt/kde3/bin/kdeinit not confined
5110 /opt/kde3/bin/kdeinit not confined
5115 /opt/kde3/bin/kdeinit not confined
5117 /opt/kde3/bin/kdeinit not confined
5118 /opt/kde3/bin/kdeinit not confined
5120 /opt/kde3/bin/kweatherservice not confined
5186 /opt/kde3/bin/kalarmd not confined
5187 /opt/kde3/bin/kdeinit not confined
5198 /usr/bin/mono not confined
5205 /opt/kde3/bin/korgac not confined
5206 /opt/kde3/bin/kdeinit not confined
5209 /opt/kde3/bin/kopete not confined
5210 /opt/kde3/bin/opensuseupdater not confined
5219 /opt/kde3/bin/kdeinit not confined
5222 /opt/kde3/bin/kgpg not confined
5223 /opt/kde3/bin/ksensors not confined
5227 /opt/kde3/bin/kdeinit not confined
5228 /opt/kde3/bin/ktail not confined
5240 /opt/kde3/bin/kamix not confined
5241 /usr/bin/skype confined by '/usr/bin/skype (enforce)'
5247 /bin/bash (/bin/sh /usr/bin/thunderbird) not confined
5249 /usr/lib64/thunderbird/thunderbird-bin not confined
5398 /opt/gnome/lib/GConf/2/gconfd-2 not confined
7214 /usr/bin/mono not confined
8304 /bin/bash (/bin/sh /usr/bin/firefox) not confined
8319 /usr/lib/firefox/firefox-bin not confined
9801 /opt/kde3/bin/kdeinit not confined
9805 /bin/bash (/bin/bash) not confined
9826 /bin/su not confined
9841 /bin/bash (bash) not confined
9897 /usr/bin/perl (/usr/bin/perl -w /usr/sbin/aa-unconfined --paranoid) not confined
jmorris:/home/joe # cat /proc/net/tcp
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:08A0 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 8630 1 ffff810078c5f900 750 0 0 2 -1
   1: 00000000:03E3 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 13642 1 ffff810060bae180 750 0 0 2 -1
   2: 00000000:0385 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 13643 1 ffff8100607df9c0 750 0 0 2 -1
   3: 0100007F:2728 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12741 1 ffff81006ab7c140 750 0 0 2 -1
   4: 0100007F:2729 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 13343 1 ffff810060baed80 750 0 0 2 -1
   5: 00000000:0369 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 13074 1 ffff81006ab7cd40 750 0 0 2 -1
   6: 0100007F:0CEE 00000000:0000 0A 00000000:00000000 00:00000000 00000000    65        0 13628 1 ffff810060bae780 750 0 0 2 -1
   7: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11927 1 ffff810078c5e100 750 0 0 2 -1
   8: 0100007F:01D1 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 13246 1 ffff810060baf380 750 0 0 2 -1
   9: 00000000:1532 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 17160 1 ffff8100607df3c0 750 0 0 2 -1
  10: 0201A8C0:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000    44        0 12706 1 ffff81006ab7d940 750 0 0 2 -1
  11: 010AA8C0:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000    44        0 12704 1 ffff810078c5e700 750 0 0 2 -1
  12: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000    44        0 12702 1 ffff810078c5ed00 750 0 0 2 -1
  13: 00000000:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 13038 1 ffff81006ab7c740 750 0 0 2 -1
  14: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 13237 1 ffff810060baf980 750 0 0 2 -1
  15: 0100007F:03B9 00000000:0000 0A 00000000:00000000 00:00000000 00000000    44        0 12709 1 ffff81006ab7d340 750 0 0 2 -1
  16: 0100007F:089F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 8641 1 ffff810078c5f300 750 0 0 2 -1
  17: 0201A8C0:4EF0 B291B918:EB13 01 00000000:00000000 00:00000000 00000000  1000        0 43518 1 ffff81005ad1f280 170 10 22 2 -1
  18: 0201A8C0:2BE0 5FFD0E48:0050 01 00000000:00000000 00:00000000 00000000  1000        0 60997 1 ffff81004f478cc0 174 10 4 2 -1
You have new mail in /var/spool/mail/joe
jmorris:/home/joe # ps aux | grep portmap
nobody    4048  0.0  0.0   7860   468 ?        Ss   17:33   0:00 /sbin/portmap
root     13006  0.0  0.0   5000   776 pts/0    R+   18:04   0:00 grep portmap
jmorris:/home/joe # ls -l /proc/4048/fd/
total 0
lrwx------ 1 root root 64 2007-05-24 17:34 0 -> /dev/null
lrwx------ 1 root root 64 2007-05-24 17:34 1 -> /dev/null
lrwx------ 1 root root 64 2007-05-24 17:34 2 -> /dev/null
lrwx------ 1 root root 64 2007-05-24 17:34 3 -> /socket:[11926]
lrwx------ 1 root root 64 2007-05-24 17:34 4 -> /socket:[11927]
jmorris:/home/joe # ps aux | grep amavis
vscan     4350  0.0  3.5 169624 73904 ?        Ss   17:33   0:00 amavisd (master)
vscan     4367  0.0  3.5 170808 72916 ?        S    17:33   0:00 amavisd (virgin child)
vscan     4368  0.0  3.5 170808 72912 ?        S    17:33   0:00 amavisd (virgin child)
root     14601  0.0  0.0   4996   776 pts/0    R+   18:12   0:00 grep amavis
jmorris:/home/joe # ls -l /proc/4350/fd/
total 0
lr-x------ 1 root root 64 2007-05-24 17:34 0 -> /dev/null
l-wx------ 1 root root 64 2007-05-24 17:34 1 -> /dev/null
l-wx------ 1 root root 64 2007-05-24 17:34 2 -> /dev/null
lrwx------ 1 root root 64 2007-05-24 17:34 3 -> /socket:[12718]
lrwx------ 1 root root 64 2007-05-24 17:34 4 -> /socket:[12739]
lrwx------ 1 root root 64 2007-05-24 17:34 5 -> /socket:[12741]
jmorris:/home/joe # ls -l /proc/4367/fd/
total 0
lr-x------ 1 root root 64 2007-05-24 17:34 0 -> /dev/null
l-wx------ 1 root root 64 2007-05-24 17:34 1 -> /dev/null
l-wx------ 1 root root 64 2007-05-24 17:34 10 -> /var/spool/amavis/amavisd.lock
l-wx------ 1 root root 64 2007-05-24 17:34 2 -> /dev/null
lrwx------ 1 root root 64 2007-05-24 17:34 3 -> /socket:[12781]
lrwx------ 1 root root 64 2007-05-24 17:34 4 -> /socket:[12739]
lrwx------ 1 root root 64 2007-05-24 17:34 5 -> /socket:[12741]
lrwx------ 1 root root 64 2007-05-24 17:34 6 -> /var/spool/amavis/db/snmp.db
lrwx------ 1 root root 64 2007-05-24 17:34 7 -> /var/spool/amavis/db/nanny.db
lrwx------ 1 root root 64 2007-05-24 17:34 8 -> /var/spool/amavis/db/cache.db
lrwx------ 1 root root 64 2007-05-24 17:34 9 -> /var/spool/amavis/db/cache-expiry.db
jmorris:/home/joe # ls -l /proc/4368/fd/
total 0
lr-x------ 1 root root 64 2007-05-24 17:34 0 -> /dev/null
l-wx------ 1 root root 64 2007-05-24 17:34 1 -> /dev/null
l-wx------ 1 root root 64 2007-05-24 17:34 10 -> /var/spool/amavis/amavisd.lock
l-wx------ 1 root root 64 2007-05-24 17:34 2 -> /dev/null
lrwx------ 1 root root 64 2007-05-24 17:34 3 -> /socket:[12782]
lrwx------ 1 root root 64 2007-05-24 17:34 4 -> /socket:[12739]
lrwx------ 1 root root 64 2007-05-24 17:34 5 -> /socket:[12741]
lrwx------ 1 root root 64 2007-05-24 17:34 6 -> /var/spool/amavis/db/snmp.db
lrwx------ 1 root root 64 2007-05-24 17:34 7 -> /var/spool/amavis/db/nanny.db
lrwx------ 1 root root 64 2007-05-24 17:34 8 -> /var/spool/amavis/db/cache.db
lrwx------ 1 root root 64 2007-05-24 17:34 9 -> /var/spool/amavis/db/cache-expiry.db
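Comment #4 describes the join netstat -p performs (socket inode from /proc/net/tcp matched against the socket:[inode] targets of /proc/<pid>/fd/* links) and comment #6 supplies the raw data. The script below is an added example, written for this page and not part of netstat, aa-unconfined or the AppArmor project, that performs that join on a constructed excerpt of the data above so the mapping can be checked independently of netstat. The function and variable names are the example's own. Note that the ls -l output in comment #6 shows the link targets as "/socket:[N]" with a leading slash; a matcher that requires the literal prefix "socket:[" finds no sockets at all and reports "-" in every PID column, which is the symptom in comment #2. The example accepts both forms and exposes a strict mode so the difference is visible; whether that leading slash is what broke netstat on this kernel is not established in the thread.

```python
"""Map LISTEN sockets in /proc/net/tcp to owning PIDs the way `netstat -p` does.

Sample data below is a constructed excerpt of the /proc/net/tcp and
/proc/<pid>/fd listings posted in comment #6 of this bug.
"""
import os
import re
import socket
import struct

# Accept both "socket:[N]" and the "/socket:[N]" form seen in this bug report.
LENIENT_SOCKET_LINK = re.compile(r"^/?socket:\[(\d+)\]$")
STRICT_SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")

# Constructed excerpt of the reporter's /proc/net/tcp (header + rows 3, 7 and 17).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   3: 0100007F:2728 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12741 1 ffff81006ab7c140 750 0 0 2 -1
   7: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11927 1 ffff810078c5e100 750 0 0 2 -1
  17: 0201A8C0:4EF0 B291B918:EB13 01 00000000:00000000 00:00000000 00000000  1000        0 43518 1 ffff81005ad1f280 170 10 22 2 -1
"""

# Constructed excerpt of readlink() results for /proc/<pid>/fd/* from comment #6.
SAMPLE_FD_LINKS = {
    4048: ["/dev/null", "/dev/null", "/dev/null", "/socket:[11926]", "/socket:[11927]"],
    4350: ["/dev/null", "/dev/null", "/dev/null", "/socket:[12718]", "/socket:[12739]", "/socket:[12741]"],
    4367: ["/dev/null", "/socket:[12781]", "/socket:[12739]", "/socket:[12741]",
           "/var/spool/amavis/amavisd.lock"],
}
SAMPLE_NAMES = {4048: "portmap", 4350: "amavisd", 4367: "amavisd"}  # from the ps output


def decode_addr(hexaddr):
    """'0100007F:006F' -> ('127.0.0.1', 111).

    /proc/net/tcp prints the IPv4 address as a host-order 32-bit hex value
    (little-endian on x86) and the port as big-endian hex.
    """
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """One dict per socket row; state '0A' is LISTEN, column 9 is the inode."""
    sockets = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        sockets.append({
            "local": decode_addr(fields[1]),
            "state": fields[3],
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return sockets


def inode_to_pids(fd_links, strict=False):
    """{inode: [pids]} from {pid: [link targets]}.

    strict=True mimics a tool that only recognises the bare 'socket:[N]' form.
    """
    pattern = STRICT_SOCKET_LINK if strict else LENIENT_SOCKET_LINK
    table = {}
    for pid, targets in fd_links.items():
        for target in targets:
            m = pattern.match(target)
            if m:
                table.setdefault(int(m.group(1)), []).append(pid)
    return table


def listening_sockets_with_owners(proc_net_tcp_text, fd_links, names, strict=False):
    """Rows like `netstat -nlp`: ((ip, port), inode, 'pid/name,...' or '-')."""
    owners = inode_to_pids(fd_links, strict=strict)
    rows = []
    for s in parse_proc_net_tcp(proc_net_tcp_text):
        if s["state"] != "0A":
            continue
        pids = sorted(owners.get(s["inode"], []))
        label = ",".join(f"{p}/{names.get(p, '?')}" for p in pids) or "-"
        rows.append((s["local"], s["inode"], label))
    return rows


def read_live_fd_links():
    """Walk the real /proc (Linux only; root is needed to read other users' fds)."""
    links = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        fd_dir = f"/proc/{entry}/fd"
        try:
            links[int(entry)] = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # process exited or permission denied
    return links


if __name__ == "__main__":
    # Offline demonstration on the constructed sample: strict mode shows the "-" symptom.
    for strict in (False, True):
        print(f"strict={strict}")
        for local, inode, label in listening_sockets_with_owners(
                SAMPLE_PROC_NET_TCP, SAMPLE_FD_LINKS, SAMPLE_NAMES, strict=strict):
            print(f"  {local[0]}:{local[1]:<6} inode={inode:<6} {label}")
```

Run as root on a live Linux host, replacing the sample arguments with open("/proc/net/tcp").read() and read_live_fd_links(), it reproduces the PID column from the kernel's own data; if every row still shows "-", the inode join itself is failing rather than netstat's parsing of it.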
https://bugzilla.novell.com/show_bug.cgi?id=277380

------- Comment #7 from joe_morris@ntm.org 2007-05-24 05:22 MST -------
I did some additional checking. I had installed the 2.6.21-200.1 kernel. The following are the differences in the Changelog from the 2.6.21-87 kernel where this worked. Since most patches seem to have been for ppc, the only pertinent change seems to be the AppArmor patchset.

* Fri May 18 2007 olh@suse.de
- build IDE cmd64x as module on ppc to allow libata cmd64x
  enable libata ahci, sil24, jmicron and SIL680
* Thu May 17 2007 gregkh@suse.de
- enable CONFIG_TIMER_STATS in debug config files so that people can play with powertop and figure out how broken userspace really is (275362)
* Mon May 14 2007 olh@suse.de
- add patches.arch/ppc-ps3-gelic-module-link.patch
  add patches.arch/ppc-ps3-storage-module-link.patch
  provide driver module symlinks (273135)
* Fri May 11 2007 agruen@suse.de
- Add the /lib/modules/*/{source,build} symlinks to the kernel-source and kernel-syms packages, so that kmps which look in these places will succeed.
* Fri May 11 2007 olh@suse.de
- add patches.arch/ppc-ps3-sys-manager-fix-reboot.patch
  make reboot/shutdown reliable
* Thu May 10 2007 agruen@suse.de
- Update the AppArmor patchset.
* Tue May 08 2007 olh@suse.de
- update patches.arch/ppc-pci-hostbridge-window.patch
  improved fix from Paul
* Mon May 07 2007 olh@suse.de
- add patches.arch/ppc-pci-hostbridge-window.patch
  cope with PCI host bridge I/O window not starting at 0 (271689 - LTC34416)
* Mon May 07 2007 olh@suse.de
- reenable dv1394, it is maybe still needed by some applications
https://bugzilla.novell.com/show_bug.cgi?id=277380

------- Comment #8 from joe_morris@ntm.org 2007-05-24 07:51 MST -------
I would assume this is related, but I cannot get it to profile antivir at all. I see info in the auditd.log like this,

type=APPARMOR msg=audit(1180010238.110:3615): PERMITTING r access to /usr/lib/locale/en_US.utf8/LC_CTYPE (11395 profile null-complain-profile active null-complain-profile)
type=APPARMOR msg=audit(1180010238.110:3616): PERMITTING r access to /usr/lib/locale/en_US.utf8/LC_CTYPE (11395 profile null-complain-profile active null-complain-profile)
type=APPARMOR msg=audit(1180010238.110:3617): PERMITTING rw access to /dev/null (11395 profile null-complain-profile active null-complain-profile)
type=APPARMOR msg=audit(1180010238.110:3618): PERMITTING r access to /etc/mtab (11395 profile null-complain-profile active null-complain-profile)
type=APPARMOR msg=audit(1180010238.110:3619): PERMITTING r access to /tmp/antivir_5753_309574583/download/antivir (11384 profile null-complain-profile active null-complain-profile)
type=APPARMOR msg=audit(1180010252.766:3620): PERMITTING x access to /bin/rm (5753 profile /usr/lib/AntiVir/antivir active /usr/lib/AntiVir/antivir)
type=APPARMOR msg=audit(1180010252.766:3621): PERMITTING x access to /bin/rm (11438 profile /usr/lib/AntiVir/antivir active /usr/lib/AntiVir/antivir)
type=APPARMOR msg=audit(1180010252.766:3622): LOGPROF-HINT changing_profile (11438 profile null-complain-profile active null-complain-profile)
type=APPARMOR msg=audit(1180010252.766:3623): PERMITTING r access to /bin/rm (11438 profile null-complain-profile active null-complain-profile)
type=APPARMOR msg=audit(1180010252.766:3624): PERMITTING r access to /bin/rm (11438 profile null-complain-profile active null-complain-profile)
type=APPARMOR msg=audit(1180010252.766:3625): PERMITTING r access to /bin/rm (11438 profile null-complain-profile active null-complain-profile)
type=APPARMOR msg=audit(1180010252.766:3626): PERMITTING x access to /lib64/ld-2.5.so (11438 profile null-complain-profile active null-complain-profile)
type=APPARMOR msg=audit(1180010252.766:3627): PERMITTING r access to /lib64/ld-2.5.so (11438 profile null-complain-profile active null-complain-profile)
type=APPARMOR msg=audit(1180010252.770:3628): PERMITTING r access to /bin/rm (11438 profile null-complain-profile active null-complain-profile)
type=APPARMOR msg=audit(1180010252.770:3629): PERMITTING mr access to /bin/rm (11438 profile null-complain-profile active null-complain-profile)
type=APPARMOR msg=audit(1180010252.770:3630): PERMITTING r access to /bin/rm (11438 profile null-complain-profile active null-complain-profile)
type=APPARMOR msg=audit(1180010252.770:3631): PERMITTING mr access to /lib64/ld-2.5.so (11438 profile null-complain-profile active null-complain-profile)
type=APPARMOR msg=audit(1180010252.770:3632): PERMITTING r access to /lib64/ld-2.5.so (11438 profile null-complain-profile active null-complain-profile)
type=APPARMOR msg=audit(1180010252.770:3633): PERMITTING r access to /etc/ld.so.cache (11438 profile null-complain-profile active null-complain-profile)
type=APPARMOR msg=audit(1180010252.770:3634): PERMITTING r access to /etc/ld.so.cache (11438 profile null-complain-profile active null-complain-profile)
type=APPARMOR msg=audit(1180010252.770:3635): PERMITTING r access to /lib64/libc-2.5.so (11438 profile null-complain-profile active null-complain-profile)
type=APPARMOR msg=audit(1180010252.770:3636): PERMITTING mr access to /lib64/libc-2.5.so (11438 profile null-complain-profile active null-complain-profile)
type=APPARMOR msg=audit(1180010252.770:3637): PERMITTING r access to /lib64/libc-2.5.so (11438 profile null-complain-profile active null-complain-profile)
type=APPARMOR msg=audit(1180010252.770:3638): PERMITTING r access to /lib64/libc-2.5.so (11438 profile null-complain-profile active null-complain-profile)
type=APPARMOR msg=audit(1180010252.770:3639): PERMITTING r access to /usr/share/locale/locale.alias (11438 profile null-complain-profile active null-complain-profile)
type=APPARMOR msg=audit(1180010252.770:3640): PERMITTING r access to /usr/lib/locale/en_US.utf8/LC_IDENTIFICATION (11438 profile null-complain-profile active null-complain-profile)
type=APPARMOR msg=audit(1180010252.770:3641): PERMITTING r access to /usr/lib/locale/en_US.utf8/LC_IDENTIFICATION (11438 profile null-complain-profile active null-complain-profile)

but aa-logprof has no output, i.e.

jmorris:/home/joe # aa-logprof
Reading log entries from /var/log/audit/audit.log.
Updating AppArmor profiles in /etc/apparmor.d.

Complain-mode changes:
jmorris:/home/joe #

I don't even see a null-complain-profile. I have tried deleting it and regenerating it to no avail. I know I did it at work where I am running the 2.6.21-87 kernel.
https://bugzilla.novell.com/show_bug.cgi?id=277380

------- Comment #9 from joe_morris@ntm.org 2007-05-24 17:06 MST -------
I tried reinstalling the 2.6.21-87 kernel, and was able to profile antivir, and of course aa-unconfined works with this kernel as well. I still think there was something introduced in the AppArmor patches on May 10.
https://bugzilla.novell.com/show_bug.cgi?id=277380

------- Comment #10 from jjohansen@novell.com 2007-05-24 18:38 MST -------
(In reply to comment #9)
> I tried reinstalling the 2.6.21-87 kernel, and was able to profile antivir,
> and of course aa-unconfined works with this kernel as well. I still think
> there was something introduced in the AppArmor patches on May 10.

It is possible that the AppArmor patches broke something in the /proc interface and we are looking into it. However, not being able to profile applications is a known problem. The May 10 release of the AppArmor kernel code has changes to the message format that break logprof/genprof, and the utils packages need to be updated before the tools can be used to generate new policy (perhaps we should file a bug on this). The parser and enforcement of generated policy should still work.
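Comment #8 shows the type=APPARMOR records that aa-logprof is meant to turn into profile rules, and comment #10 explains why it printed nothing: the kernel's message format changed and the tools no longer recognised it. The parser below is an added example written for this page, not the code of aa-logprof or the AppArmor project; its regular expression covers only the record layout quoted in comment #8 (PERMITTING ... access to, and LOGPROF-HINT), and the function and variable names are the example's own. The point it makes for a defender is the one the thread turns on: a log consumer should report the lines it cannot parse instead of silently producing an empty "Complain-mode changes:" section, because an empty result after a kernel upgrade is indistinguishable from "nothing happened". The sample log is a constructed excerpt of the lines above plus one deliberately unrecognised record.

```python
"""Parse AppArmor audit records (2007-era format) into per-profile access sets.

SAMPLE_LOG is a constructed excerpt of comment #8 in this bug; the final line is
a made-up record in an unknown format, added to show how unparsed lines surface.
"""
import re
from collections import defaultdict

AUDIT_RE = re.compile(
    r"^type=APPARMOR msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"(?P<op>PERMITTING|REJECTING|LOGPROF-HINT) "
    r"(?:(?P<mode>[a-z]+) access to (?P<path>\S+)|(?P<hint>\S+)) "
    r"\((?P<pid>\d+) profile (?P<profile>\S+) active (?P<active>\S+)\)$"
)

SAMPLE_LOG = """\
type=APPARMOR msg=audit(1180010238.110:3615): PERMITTING r access to /usr/lib/locale/en_US.utf8/LC_CTYPE (11395 profile null-complain-profile active null-complain-profile)
type=APPARMOR msg=audit(1180010238.110:3617): PERMITTING rw access to /dev/null (11395 profile null-complain-profile active null-complain-profile)
type=APPARMOR msg=audit(1180010252.766:3620): PERMITTING x access to /bin/rm (5753 profile /usr/lib/AntiVir/antivir active /usr/lib/AntiVir/antivir)
type=APPARMOR msg=audit(1180010252.766:3622): LOGPROF-HINT changing_profile (11438 profile null-complain-profile active null-complain-profile)
type=APPARMOR msg=audit(1180010252.770:3629): PERMITTING mr access to /bin/rm (11438 profile null-complain-profile active null-complain-profile)
type=APPARMOR msg=audit(1180010252.770:3636): PERMITTING mr access to /lib64/libc-2.5.so (11438 profile null-complain-profile active null-complain-profile)
type=APPARMOR msg=audit(1180010252.770:9999): some_new_operation /bin/rm (11438 profile null-complain-profile active null-complain-profile)
"""


def parse_apparmor_audit(text):
    """Return (records, unparsed).

    records: one dict per recognised type=APPARMOR line.
    unparsed: the raw type=APPARMOR lines the regex rejected, so a format
              change is reported rather than swallowed.
    """
    records, unparsed = [], []
    for line in text.splitlines():
        if not line.startswith("type=APPARMOR"):
            continue  # other audit record types are not our concern here
        m = AUDIT_RE.match(line)
        if m is None:
            unparsed.append(line)
            continue
        rec = m.groupdict()
        rec["pid"] = int(rec["pid"])
        rec["serial"] = int(rec["serial"])
        records.append(rec)
    return records, unparsed


def permitted_accesses(records):
    """{profile: {path: mode letters}} from PERMITTING events.

    Mode letters seen for the same path under the same profile are merged and
    sorted, e.g. 'r' followed by 'mr' becomes 'mr'.
    """
    by_profile = defaultdict(lambda: defaultdict(set))
    for rec in records:
        if rec["op"] == "PERMITTING":
            by_profile[rec["profile"]][rec["path"]].update(rec["mode"])
    return {profile: {path: "".join(sorted(modes)) for path, modes in paths.items()}
            for profile, paths in by_profile.items()}


def profile_hints(records):
    """(pid, hint) pairs for LOGPROF-HINT records, e.g. changing_profile."""
    return [(r["pid"], r["hint"]) for r in records if r["op"] == "LOGPROF-HINT"]


if __name__ == "__main__":
    recs, bad = parse_apparmor_audit(SAMPLE_LOG)
    for profile, paths in permitted_accesses(recs).items():
        print(profile)
        for path, mode in sorted(paths.items()):
            print(f"  {path} {mode},")
    print("hints:", profile_hints(recs))
    # This is the check the thread is missing: loud failure on unknown records.
    if bad:
        print(f"WARNING: {len(bad)} type=APPARMOR line(s) not understood, e.g.:")
        print("  " + bad[0])
```

Run against a real /var/log/audit/audit.log of that era (as root), the warning branch is what would have told the reporter that the kernel's records were being skipped, rather than the empty section aa-logprof printed.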
https://bugzilla.novell.com/show_bug.cgi?id=277380

------- Comment #11 from joe_morris@ntm.org 2007-05-25 07:23 MST -------
That makes sense. I was confused why antivir (new profile) would not update, but amavisd (old profile) would be able to update. Very confusing. I will continue to run 2.6.21-87 and keep checking the later kernels to see if there are any apparmor fixes applied to test. I was hoping to provide feedback on what I assume will become the 10.3 kernel. Thanks.
https://bugzilla.novell.com/show_bug.cgi?id=277380

------- Comment #12 from joe_morris@ntm.org 2007-05-26 06:15 MST -------
Not positive which made the difference. I just installed an updated apparmor-docs and apparmor-parser to the newest from steve beattie home for 10.2

apparmor-docs-2.0.1-238.1
apparmor-parser-2.0.2-698.1

and also since I saw several fixes for apparmor in the latest HEAD 10.2 kernel, I also updated to the latest (for testing - this is at home).

jmorris:/home/joe # rpm -qa | grep kernel
linux-kernel-headers-2.6.18.2-3
kernel-default-2.6.22_rc2_git7-20.1
kernel-source-2.6.22_rc2_git7-20.1
kernel-syms-2.6.22_rc2_git7-20.1

and aa-unconfined works again. Since that was what I was reporting, and with this latest kernel it is working again, this could be closed IMO.
https://bugzilla.novell.com/show_bug.cgi?id=277380#c13
Seth Arnold