[Bug 857122] New: nagios plugin to check zypper cannot zypper ref due to apparmor profile
https://bugzilla.novell.com/show_bug.cgi?id=857122
https://bugzilla.novell.com/show_bug.cgi?id=857122#c0

Summary: nagios plugin to check zypper cannot zypper ref due to apparmor profile
Classification: openSUSE
Product: openSUSE 13.1
Version: Final
Platform: x86-64
OS/Version: openSUSE 13.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
AssignedTo: suse-beta@cboltz.de
ReportedBy: gleixner@lrz.de
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Created an attachment (id=573101)
 --> (http://bugzilla.novell.com/attachment.cgi?id=573101)
usr.lib.nagios.plugins.check_zypper

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0

Package:

zypper se -s nagios-plugins-zypper
Loading repository data...
Reading installed packages...

S | Name                  | Type       | Version  | Arch   | Repository
--+-----------------------+------------+----------+--------+--------------------------------
i | nagios-plugins-zypper | package    | 1.50-5.1 | noarch | openSUSE-13.1-Oss
v | nagios-plugins-zypper | package    | 1.50-1.1 | noarch | server:monitoring_Opensuse_13.1
  | nagios-plugins-zypper | srcpackage | 1.50-1.1 | noarch | server:monitoring_Opensuse_13.1

Messages:

2013-12-30T11:45:14.049461+01:00 hermes kernel: [904961.764285] type=1400 audit(1388400314.048:1106): apparmor="DENIED" operation="open" parent=31552 profile="/usr/lib/nagios/plugins/check_zypper" name="/etc/nsswitch.conf" pid=31553 comm="sh" requested_mask="r" denied_mask="r" fsuid=471 ouid=0
2013-12-30T11:45:14.049462+01:00 hermes kernel: [904961.764375] type=1400 audit(1388400314.048:1107): apparmor="DENIED" operation="open" parent=31552 profile="/usr/lib/nagios/plugins/check_zypper" name="/etc/nsswitch.conf" pid=31553 comm="sh" requested_mask="r" denied_mask="r" fsuid=471 ouid=0
2013-12-30T11:45:14.049463+01:00 hermes kernel: [904961.764446] type=1400 audit(1388400314.048:1108): apparmor="DENIED" operation="open" parent=31552 profile="/usr/lib/nagios/plugins/check_zypper" name="/etc/passwd" pid=31553 comm="sh" requested_mask="r" denied_mask="r" fsuid=471 ouid=0
2013-12-30T11:45:14.049464+01:00 hermes kernel: [904961.764458] type=1400 audit(1388400314.048:1109): apparmor="DENIED" operation="open" parent=31552 profile="/usr/lib/nagios/plugins/check_zypper" name="/etc/passwd" pid=31553 comm="sh" requested_mask="r" denied_mask="r" fsuid=471 ouid=0
2013-12-30T11:45:14.068436+01:00 hermes kernel: [904961.783169] type=1400 audit(1388400314.067:1110): apparmor="DENIED" operation="open" parent=31552 profile="/usr/lib/nagios/plugins/check_zypper" name="/etc/nsswitch.conf" pid=31555 comm="sh" requested_mask="r" denied_mask="r" fsuid=471 ouid=0
2013-12-30T11:45:14.068443+01:00 hermes kernel: [904961.783258] type=1400 audit(1388400314.067:1111): apparmor="DENIED" operation="open" parent=31552 profile="/usr/lib/nagios/plugins/check_zypper" name="/etc/nsswitch.conf" pid=31555 comm="sh" requested_mask="r" denied_mask="r" fsuid=471 ouid=0
2013-12-30T11:45:14.068444+01:00 hermes kernel: [904961.783327] type=1400 audit(1388400314.067:1112): apparmor="DENIED" operation="open" parent=31552 profile="/usr/lib/nagios/plugins/check_zypper" name="/etc/passwd" pid=31555 comm="sh" requested_mask="r" denied_mask="r" fsuid=471 ouid=0
2013-12-30T11:45:14.068445+01:00 hermes kernel: [904961.783338] type=1400 audit(1388400314.067:1113): apparmor="DENIED" operation="open" parent=31552 profile="/usr/lib/nagios/plugins/check_zypper" name="/etc/passwd" pid=31555 comm="sh" requested_mask="r" denied_mask="r" fsuid=471 ouid=0
2013-12-30T11:45:14.467448+01:00 hermes kernel: [904962.182660] type=1400 audit(1388400314.466:1114): apparmor="DENIED" operation="open" parent=31555 profile="/usr/lib/nagios/plugins/check_zypper//zypper" name="/proc/sys/kernel/random/uuid" pid=31556 comm="zypper" requested_mask="r" denied_mask="r" fsuid=471 ouid=0
2013-12-30T11:45:14.471441+01:00 hermes kernel: [904962.186632] type=1400 audit(1388400314.470:1115): apparmor="DENIED" operation="file_mmap" parent=31555 profile="/usr/lib/nagios/plugins/check_zypper//zypper" name="/usr/lib64/libproxy-0.4.11/modules/config_gnome3.so" pid=31556 comm="zypper" requested_mask="m" denied_mask="m" fsuid=471 ouid=0

I will attach an updated apparmor profile.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=857122
https://bugzilla.novell.com/show_bug.cgi?id=857122#c1
--- Comment #1 from Christian Boltz

https://bugzilla.novell.com/show_bug.cgi?id=857122
https://bugzilla.novell.com/show_bug.cgi?id=857122#c2
--- Comment #2 from Lars Vogdt
> The profile is included in the nagios-plugins-zypper package - Lars, please take over ;-)
Jip, thanks Christian for the analysis :-)
> BTW: apparmor-abstractions-zypp contains some superfluous lines:
>   /etc/zypp/repos.d/ r,
>   /etc/zypp/repos.d/*.repo r,
>   /etc/zypp/services.d/ r,
>   /etc/zypp/services.d/*.repo r,
> Those lines are all covered by
>   /etc/zypp/** r,
Agreed, thanks for the tip.
> BTW2: Instead of your apparmor-abstractions-ssl, you might want to use abstractions/ssl_certs and abstractions/openssl. Note that this doesn't cover /proc/sys/crypto/fips_enabled r, (is this something that should be added to the upstream abstractions/openssl, or is it unrelated?)
You are right: the current profile contains abstractions that should better go into the relevant packages (apparmor-abstractions-zypp is just another example here). But to be honest, I did not find the time to ping the other package maintainers to integrate them or better: start to create some apparmor profiles for their packages.

The "/proc/sys/crypto/fips_enabled r," should IMHO be integrated in the upstream abstractions/openssl as this is not critical if you run without FIPS, but it will produce a lot of log entries on systems like SLES that are FIPS aware.

I need to find a way (via "%if 0%{?suse_version}" in the spec file) to provide the correct files for all current (open)SUSE distributions... after that, I will request a maintenance update for the package.
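The manual work in this thread (turning the audit denials into profile rules, and noticing that `/etc/zypp/** r,` already covers `/etc/zypp/repos.d/*.repo r,`) written out as a small added example; this is my code, not part of the bug report or of the nagios-plugins-zypper package. It parses DENIED audit lines into per-profile `path perms,` rules and drops any denial that an existing glob rule already grants, using AppArmor's rule that `**` may cross `/` while `*` may not. The four audit lines and the EXISTING_RULES table are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample: four of the kernel audit lines from the bug report (syslog prefix dropped).
AUDIT_LINES = [
    'type=1400 audit(1388400314.048:1106): apparmor="DENIED" operation="open" parent=31552 profile="/usr/lib/nagios/plugins/check_zypper" name="/etc/nsswitch.conf" pid=31553 comm="sh" requested_mask="r" denied_mask="r" fsuid=471 ouid=0',
    'type=1400 audit(1388400314.048:1108): apparmor="DENIED" operation="open" parent=31552 profile="/usr/lib/nagios/plugins/check_zypper" name="/etc/passwd" pid=31553 comm="sh" requested_mask="r" denied_mask="r" fsuid=471 ouid=0',
    'type=1400 audit(1388400314.466:1114): apparmor="DENIED" operation="open" parent=31555 profile="/usr/lib/nagios/plugins/check_zypper//zypper" name="/proc/sys/kernel/random/uuid" pid=31556 comm="zypper" requested_mask="r" denied_mask="r" fsuid=471 ouid=0',
    'type=1400 audit(1388400314.470:1115): apparmor="DENIED" operation="file_mmap" parent=31555 profile="/usr/lib/nagios/plugins/check_zypper//zypper" name="/usr/lib64/libproxy-0.4.11/modules/config_gnome3.so" pid=31556 comm="zypper" requested_mask="m" denied_mask="m" fsuid=471 ouid=0',
]
# Constructed: (glob, perms) rules a hypothetical current profile already grants, keyed by profile name.
EXISTING_RULES = {
    "/usr/lib/nagios/plugins/check_zypper": [("/etc/passwd", "r")],
    "/usr/lib/nagios/plugins/check_zypper//zypper": [("/usr/lib64/libproxy-*/modules/*.so", "mr")],
}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denial(line):
    """Split one audit line into its key=value fields; None unless it is an AppArmor DENIED file event."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if fields.get("apparmor") != "DENIED" or "name" not in fields:
        return None
    return fields

def glob_to_regex(pattern):
    """Translate an AppArmor path glob: '**' may span '/', '*' and '?' may not."""
    regex, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            regex, i = regex + ".*", i + 2
        elif pattern[i] in "*?":
            regex, i = regex + ("[^/]*" if pattern[i] == "*" else "[^/]"), i + 1
        else:
            regex, i = regex + re.escape(pattern[i]), i + 1
    return re.compile("^" + regex + "$")

def covered(path, mask, rules):
    """True if an existing (glob, perms) rule already grants every permission in mask for path."""
    return any(glob_to_regex(g).match(path) and set(mask) <= set(p) for g, p in rules)

def missing_rules(lines, existing):
    """Per profile, the sorted 'path perms,' rules still needed to silence the denials in lines."""
    needed = defaultdict(dict)
    for line in lines:
        d = parse_denial(line)
        if d is None or covered(d["name"], d["denied_mask"], existing.get(d["profile"], [])):
            continue
        needed[d["profile"]].setdefault(d["name"], set()).update(d["denied_mask"])
    return {prof: sorted(f"{p} {''.join(sorted(m))}," for p, m in paths.items())
            for prof, paths in needed.items()}
```

AppArmor path rules also accept `{a,b}` alternation and `[abc]` character classes, which this toy translation does not handle, so a real profile check should go through the AppArmor tools rather than this regex.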
https://bugzilla.novell.com/show_bug.cgi?id=857122
https://bugzilla.novell.com/show_bug.cgi?id=857122#c3
--- Comment #3 from Christian Boltz
> The "/proc/sys/crypto/fips_enabled r," should IMHO be integrated in the upstream abstractions/openssl as this is not critical if you run without FIPS, but it will produce a lot of log entries on systems like SLES that are FIPS aware.
I just proposed this upstream.
In the meantime, you can already simplify your apparmor-abstractions-ssl:
#include
> I need to find a way (via "%if 0%{?suse_version}" in the spec file) to provide the correct files for all current (open)SUSE distributions...

It shouldn't hurt to allow a bit more than really needed ;-) - especially if you already (have to) allow it for newer versions.

Besides that: yes, I'd also love to have a %elseif. The workaround is to use nested %if / %else - it won't look too nice, but it works ;-)
https://bugzilla.novell.com/show_bug.cgi?id=857122
https://bugzilla.novell.com/show_bug.cgi?id=857122#c4
--- Comment #4 from Christian Boltz
(In reply to comment #2)
> The "/proc/sys/crypto/fips_enabled r," should IMHO be integrated in the upstream abstractions/openssl
> I just proposed this upstream.

Committed to trunk r2294, which means AppArmor 3.0 will have it.