http://bugzilla.novell.com/show_bug.cgi?id=561152 http://bugzilla.novell.com/show_bug.cgi?id=561152#c2 Elmar Stellnberger changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW Info Provider|estellnb@gmail.com | --- Comment #2 from Elmar Stellnberger 2009-12-17 13:52:36 UTC --- The problem is Apparmor specific and persists with kernel 2.6.32.1-0.0.19.413cccf-desktop. Access is denied though "@{PROC}/net/dev r," is part of the profile; adding /proc/net/dev directly does not help either. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=561152 https://bugzilla.novell.com/show_bug.cgi?id=561152#c4 --- Comment #4 from Jeff Mahoney 2011-01-06 20:09:14 UTC --- Hrm. This issue still exists in Factory, even with AppArmor 2.5.1. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=561152 https://bugzilla.novell.com/show_bug.cgi?id=561152#c6 --- Comment #6 from Jeff Mahoney 2011-01-06 21:32:06 UTC --- Huh. Actually that's not the case on Factory. It works fine. I was testing on 11.3 by accident. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=561152 https://bugzilla.novell.com/show_bug.cgi?id=561152#c8 --- Comment #8 from Jeff Mahoney 2011-01-06 23:10:11 UTC --- .. and that's really the only sane option. It's a shell script that runs as root and the admin is allowed to extend by adding extension to /etc/netconfig.d. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=561152 https://bugzilla.novell.com/show_bug.cgi?id=561152#c Jeff Mahoney changed: What |Removed |Added ---------------------------------------------------------------------------- Component|Kernel |AppArmor -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=561152 https://bugzilla.novell.com/show_bug.cgi?id=561152#c11 Elmar Stellnberger changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|estellnb@gmail.com | --- Comment #11 from Elmar Stellnberger 2011-01-26 22:52:59 UTC --- Well, I can`t install apparmor from factory because crucial system components of 11.3 require perl-5.12; and installing perl-5.12.3 in addition would be no good idea either because I would at least have to make a choice for one of both /usr/bin/perls. Can`t you simply post the profile? Testing the new profile with the 11.3 apparmor should work as well; shouldn`t it? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=561152 https://bugzilla.novell.com/show_bug.cgi?id=561152#c13 --- Comment #13 from Jeff Mahoney 2011-01-27 15:18:12 UTC --- Created an attachment (id=410790) --> (http://bugzilla.novell.com/attachment.cgi?id=410790) sbin.dhclient-script profile -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=561152 https://bugzilla.novell.com/show_bug.cgi?id=561152#c14 Elmar Stellnberger changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|estellnb@gmail.com | --- Comment #14 from Elmar Stellnberger 2011-01-28 22:36:19 UTC --- Well. It didn`t work as provided; dhclient was spying out a lot of error messages when simply invoking 'dhclient eth0'. Nonetheless I started to update both profiles manually and now it works quite well: no fatal errors, well retrieved IP-adr. The only error message I could not get rid of in /var/log/audit/audit.log is: type=APPARMOR_DENIED msg=audit(1296253690.147:2770): operation="open" pid=10048 parent=10047 profile="/sbin/dhclient-script" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/proc/" There was also a little error inside: dhclient-script is defined by its own profile so it needs the p-option instead of i-inherit. /sbin/dhclient-script mrpx, -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=561152 https://bugzilla.novell.com/show_bug.cgi?id=561152#c16 --- Comment #16 from Elmar Stellnberger 2011-01-28 22:39:14 UTC --- Created an attachment (id=411098) --> (http://bugzilla.novell.com/attachment.cgi?id=411098) sbin.dhclient-script (updated) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=561152 https://bugzilla.novell.com/show_bug.cgi?id=561152#c18 Stephan Kulow changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|coolo@novell.com | --- Comment #18 from Stephan Kulow 2011-03-30 15:07:03 CEST --- hmm, I have no oppinion. Not my area of expertise. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=561152 https://bugzilla.novell.com/show_bug.cgi?id=561152#c20 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |suse-beta@cboltz.de --- Comment #20 from Christian Boltz 2011-03-30 21:02:46 CEST --- (In reply to comment #19)

I believe we should have disabled all the apparmor profiles that don`t work for the 11.4 release by default.

Every program that can be configured by the user won't fit then because you'll always find a config that needs to access another file... Well, maybe except /bin/false and /bin/true ;-) As long as the profile fits at least 95% of the users, I'd say we should keep it.

Perhaps we find someone who can reliably test through all of them.

See above - the problems are often caused by configuration changes. Therefore I'd say heavy users of $program (who also change the config a lot) are the best testers. This also means you won't find one person that can test all profiles.

Let auditd mirror all apparmor access denial messages to the console where the program runs by default.

Interesing idea.

To me personally if I consider it again approaching to deploy SELinux does also become increasingly interesting since it now offers protection for Xorg which Apparmor does not. An in deed curcial component on every graph. desktop system. We don`t have the resources to extend Apparmor as far as this; do we?.

That's something you should ask on the apparmor@lists.ubuntu.com mailinglist where all the AppArmor developers are. (subscribe at https://lists.ubuntu.com/mailman/listinfo/apparmor ) AFAIK Jeff is the only one @Novell who works on AppArmor (beside many other things), and in the openSUSE community there isn't too much activity regarding AppArmor. Well, at least I maintain the vim syntax highlighting for the profiles and sometimes comment on planned changes on the AppArmor mailinglist - but trust me: it's a good thing that I don't touch any C code in AppArmor or elsewhere ;-) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=561152 https://bugzilla.novell.com/show_bug.cgi?id=561152#c22 Marcus Meissner changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW CC| |meissner@novell.com InfoProvider|meissner@novell.com | --- Comment #22 from Marcus Meissner 2011-04-15 13:28:28 UTC --- if it is breaking for some setups we should leave it not default enabled. we could do let it call netconfig unconfined, but this would make it quite useless. so its ok to turn off, but keep in the samples directory for admin usage. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=561152 https://bugzilla.novell.com/show_bug.cgi?id=561152#c Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|jeffm@suse.com |suse-beta@cboltz.de -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=561152 https://bugzilla.novell.com/show_bug.cgi?id=561152#c Swamp Workflow Management changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard|maint:running:50809:moderat |. |e | -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=561152 https://bugzilla.novell.com/show_bug.cgi?id=561152#c24 Swamp Workflow Management changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard|maint:running:50809:moderat |maint:running:50809:moderat |e |e | |maint:released:sle11-sp2:50 | |817 --- Comment #24 from Swamp Workflow Management 2013-01-31 20:05:15 UTC --- Update released for: apparmor-profiles Products: SLE-DESKTOP 11-SP2 (i386, x86_64) SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP2 (i386, x86_64) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=561152 https://bugzilla.novell.com/show_bug.cgi?id=561152#c25 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |WORKSFORME --- Comment #25 from Christian Boltz 2013-10-20 20:09:27 CEST --- (In reply to comment #22)

so its ok to turn off, but keep in the samples directory for admin usage.

I just re-checked this: # rpm -ql apparmor-profiles |grep dhclient /etc/apparmor/profiles/extras/sbin.dhclient /etc/apparmor/profiles/extras/sbin.dhclient-script In other words: those profiles are not enabled by default. Therefore I'll close this bug - if someone disagrees, feel free to reopen ;-) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.