[Bug 561152] New: root cause seems to prevent dhclient from opening /proc/net/dev
http://bugzilla.novell.com/show_bug.cgi?id=561152
http://bugzilla.novell.com/show_bug.cgi?id=561152#c0

Summary: root cause seems to prevent dhclient from opening /proc/net/dev
Classification: openSUSE
Product: openSUSE 11.2
Version: Final
Platform: x86-64
OS/Version: openSUSE 11.2
Status: NEW
Severity: Major
Priority: P5 - None
Component: Kernel
AssignedTo: kernel-maintainers@forge.provo.novell.com
ReportedBy: estellnb@gmail.com
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (compatible; Konqueror/4.3; Linux) KHTML/4.3.1 (like Gecko) SUSE
$ strace dhclient 2>&1 | grep /proc/net/dev
open("/proc/net/dev", O_RDONLY) = -1 EACCES (Permission denied)
write(2, "/proc/net/dev: Permission denied", 32/proc/net/dev: Permission denied) = 32

$ ls -l /proc/net/dev
-r--r--r-- 1 root root 0 5. Dez 21:00 /proc/net/dev

$ python
>>> import os
>>> x=os.open("/proc/net/dev",os.O_RDONLY)
>>> os.read(x,100)
'Inter-| Receive | Transmit\n face |bytes packets'
>>> os.close(x)
So why is dhclient refused permission to open /proc/net/dev when the same is granted to python?
$ uname -r
2.6.32-2.99.116.e1d7581-desktop
Reproducible: Always

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=561152#c1
--- Comment #1 from Jeff Mahoney

http://bugzilla.novell.com/show_bug.cgi?id=561152#c2
--- Comment #2 from Elmar Stellnberger

http://bugzilla.novell.com/show_bug.cgi?id=561152#c3
--- Comment #3 from Elmar Stellnberger

https://bugzilla.novell.com/show_bug.cgi?id=561152#c4
--- Comment #4 from Jeff Mahoney

https://bugzilla.novell.com/show_bug.cgi?id=561152#c5
--- Comment #5 from Jeff Mahoney

https://bugzilla.novell.com/show_bug.cgi?id=561152#c6
--- Comment #6 from Jeff Mahoney

https://bugzilla.novell.com/show_bug.cgi?id=561152#c7
--- Comment #7 from Jeff Mahoney

https://bugzilla.novell.com/show_bug.cgi?id=561152#c8
--- Comment #8 from Jeff Mahoney

https://bugzilla.novell.com/show_bug.cgi?id=561152#c9
--- Comment #9 from Jeff Mahoney

https://bugzilla.novell.com/show_bug.cgi?id=561152#c
--- Comment from Jeff Mahoney

https://bugzilla.novell.com/show_bug.cgi?id=561152#c10
--- Comment #10 from Jeff Mahoney

https://bugzilla.novell.com/show_bug.cgi?id=561152#c11
--- Comment #11 from Elmar Stellnberger

https://bugzilla.novell.com/show_bug.cgi?id=561152#c12
--- Comment #12 from Jeff Mahoney

https://bugzilla.novell.com/show_bug.cgi?id=561152#c13
--- Comment #13 from Jeff Mahoney

https://bugzilla.novell.com/show_bug.cgi?id=561152#c
--- Comment from Jeff Mahoney

https://bugzilla.novell.com/show_bug.cgi?id=561152#c14
--- Comment #14 from Elmar Stellnberger

https://bugzilla.novell.com/show_bug.cgi?id=561152#c15
--- Comment #15 from Elmar Stellnberger

https://bugzilla.novell.com/show_bug.cgi?id=561152#c16
--- Comment #16 from Elmar Stellnberger

https://bugzilla.novell.com/show_bug.cgi?id=561152#c17
--- Comment #17 from Jeff Mahoney

https://bugzilla.novell.com/show_bug.cgi?id=561152#c18
--- Comment #18 from Stephan Kulow

https://bugzilla.novell.com/show_bug.cgi?id=561152#c19
--- Comment #19 from Elmar Stellnberger

https://bugzilla.novell.com/show_bug.cgi?id=561152#c20
--- Comment #20 from Christian Boltz
> I believe we should have disabled all the apparmor profiles that don't work for the 11.4 release by default.

Every program that can be configured by the user won't fit then, because you'll always find a config that needs to access another file... Well, maybe except /bin/false and /bin/true ;-) As long as the profile fits at least 95% of the users, I'd say we should keep it.

> Perhaps we find someone who can reliably test through all of them.

See above - the problems are often caused by configuration changes. Therefore I'd say heavy users of $program (who also change the config a lot) are the best testers. This also means you won't find one person that can test all profiles.

> Let auditd mirror all apparmor access denial messages to the console where the program runs by default.

Interesting idea.

> To me personally, if I consider it again, approaching to deploy SELinux does also become increasingly interesting since it now offers protection for Xorg, which AppArmor does not. An indeed crucial component on every graphical desktop system. We don't have the resources to extend AppArmor as far as this; do we?

That's something you should ask on the apparmor@lists.ubuntu.com mailing list where all the AppArmor developers are. (Subscribe at https://lists.ubuntu.com/mailman/listinfo/apparmor.) AFAIK Jeff is the only one @Novell who works on AppArmor (beside many other things), and in the openSUSE community there isn't too much activity regarding AppArmor. Well, at least I maintain the vim syntax highlighting for the profiles and sometimes comment on planned changes on the AppArmor mailing list - but trust me: it's a good thing that I don't touch any C code in AppArmor or elsewhere ;-)
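Comment #20 floats the idea of mirroring AppArmor denial messages to the console, so that a user sees why an open() fails with EACCES on a file that is world-readable at the DAC level, as in the original report. The script below is an added example and is not code from this bug report or from the AppArmor project: it parses AppArmor audit records, aggregates the denials per profile and path, and drafts the profile rule lines an administrator would review before adding them (roughly what aa-logprof does interactively). The sample audit lines are constructed in the kernel's audit record format; the pids, timestamps and the dhclient-script exec denial are made up for illustration.

```python
"""Summarise AppArmor denials from audit log text and draft profile rules."""
import re
from collections import defaultdict

# Constructed sample records in the kernel's AppArmor audit format. They are
# not taken from the bug report (which only shows strace's EACCES); the pids,
# timestamps and the dhclient-script exec denial are made up for illustration.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1259996400.101:17): apparmor="DENIED" operation="open" profile="/sbin/dhclient" name="/proc/net/dev" pid=2231 comm="dhclient" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1259996400.102:18): apparmor="DENIED" operation="open" profile="/sbin/dhclient" name="/proc/net/dev" pid=2231 comm="dhclient" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1259996401.500:19): apparmor="ALLOWED" operation="open" profile="/sbin/dhclient" name="/etc/dhclient.conf" pid=2231 comm="dhclient" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1259996402.000:20): apparmor="DENIED" operation="exec" profile="/sbin/dhclient" name="/sbin/dhclient-script" pid=2240 comm="dhclient" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=SYSCALL msg=audit(1259996402.001:21): arch=c000003e syscall=2 success=no exit=-13
"""

# key=value or key="quoted value"
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_line(line):
    """Return the fields of one audit record as a dict, or None if the record
    is not an AppArmor record (e.g. a plain SYSCALL line)."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def denials(log_text):
    """Yield (profile, path, denied_mask, operation) for each DENIED record."""
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None or rec.get("apparmor") != "DENIED":
            continue
        if "profile" not in rec or "name" not in rec:
            continue  # denial without a file object (e.g. a capability); not handled here
        yield rec["profile"], rec["name"], rec.get("denied_mask", ""), rec.get("operation", "")


def summarize_denials(log_text):
    """Aggregate denials per (profile, path): hit count, union of denied
    permission letters and the set of operations seen."""
    summary = {}
    for profile, path, mask, op in denials(log_text):
        entry = summary.setdefault((profile, path), {"count": 0, "mask": set(), "ops": set()})
        entry["count"] += 1
        # Older kernels wrote masks like "r::"; keep only the permission letters.
        entry["mask"].update(c for c in mask if c.isalpha())
        entry["ops"].add(op)
    return summary


def suggest_rules(log_text):
    """Draft one profile rule per denied path, grouped by profile name.
    An execute denial becomes 'ix' (run the child under the same profile);
    the administrator decides whether Px or Cx would be more appropriate."""
    rules = defaultdict(list)
    for (profile, path), entry in sorted(summarize_denials(log_text).items()):
        mask = "".join(sorted(entry["mask"])).replace("x", "ix")
        rules[profile].append(f"  {path} {mask},")
    return dict(rules)


if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_AUDIT_LOG).items():
        print(f"# candidate additions for profile {profile}")
        print("\n".join(lines))
```

On a real system the input would be the AppArmor records from the audit log rather than the constructed sample; the drafted lines are candidates for review, not something to append blindly, since a denial on a path the program should never touch is exactly the signal a profile exists to give.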
https://bugzilla.novell.com/show_bug.cgi?id=561152#c21
--- Comment #21 from Jeff Mahoney
I think it's going to work better to ship dhclient-script as unconfined and let users who want to confine it create a profile. A shell script that handles plugins is going to touch lots of things.
Marcus, do you have an opinion here?
https://bugzilla.novell.com/show_bug.cgi?id=561152#c22
--- Comment #22 from Marcus Meissner

https://bugzilla.novell.com/show_bug.cgi?id=561152#c23
--- Comment #23 from Christian Boltz

https://bugzilla.novell.com/show_bug.cgi?id=561152#c
--- Comment from Christian Boltz

https://bugzilla.novell.com/show_bug.cgi?id=561152#c
--- Comment from Swamp Workflow Management

https://bugzilla.novell.com/show_bug.cgi?id=561152#c
--- Comment from Swamp Workflow Management

https://bugzilla.novell.com/show_bug.cgi?id=561152#c
--- Comment from Swamp Workflow Management

https://bugzilla.novell.com/show_bug.cgi?id=561152#c24
--- Comment #24 from Swamp Workflow Management

https://bugzilla.novell.com/show_bug.cgi?id=561152#c
--- Comment from Swamp Workflow Management

https://bugzilla.novell.com/show_bug.cgi?id=561152#c25
--- Comment #25 from Christian Boltz
> so it's ok to turn off, but keep in the samples directory for admin usage.

I just re-checked this:

# rpm -ql apparmor-profiles |grep dhclient
/etc/apparmor/profiles/extras/sbin.dhclient
/etc/apparmor/profiles/extras/sbin.dhclient-script

In other words: those profiles are not enabled by default. Therefore I'll close this bug - if someone disagrees, feel free to reopen ;-)
http://bugzilla.novell.com/show_bug.cgi?id=561152#c26
--- Comment #26 from Bernhard Wiedemann