https://bugzilla.novell.com/show_bug.cgi?id=857122 https://bugzilla.novell.com/show_bug.cgi?id=857122#c2 Lars Vogdt changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P4 - Low Status|NEW |ASSIGNED CC| |lrupp@suse.com --- Comment #2 from Lars Vogdt 2014-01-03 15:36:48 CET --- (In reply to comment #1)

The profile is included in the nagios-plugins-zypper package - Lars, please take over ;-)

Jip, thanks Christian for the analysis :-)

BTW: apparmor-abstractions-zypp contains some superfluous lines: /etc/zypp/repos.d/ r, /etc/zypp/repos.d/*.repo r, /etc/zypp/services.d/ r, /etc/zypp/services.d/*.repo r,

Those lines are all covered by /etc/zypp/** r,

Agreed, thanks for the tip.

BTW2: Instead of your apparmor-abstractions-ssl, you might want to use abstractions/ssl_certs and abstractions/openssl. Note that this doesn't cover /proc/sys/crypto/fips_enabled r, (is this something that should be added to the upstream abstractions/openssl, or is it unrelated?)

You are right: the current profile contains abstractions that should better go into the relevant packages (apparmor-abstractions-zypp is just another example here). But to be honest, I did not find the time to ping the other package maintainers to integrate them or better: start to create some apparmor profiles for their packages. The "/proc/sys/crypto/fips_enabled r," should IMHO be integrated in the upstream abstractions/openssl as this is not critical if you run without FIPS, but it will produce a lot of log entries on systems like SLES that are FIPS aware. I need to find a way (via "%if 0%{?suse_version}" in the spec file) to provide the correct files for all current (open)SUSE distributions... after that, I will request a maintenance update for the package. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=857122 https://bugzilla.novell.com/show_bug.cgi?id=857122#c4 --- Comment #4 from Christian Boltz 2014-01-03 20:45:57 CET --- (In reply to comment #3)

(In reply to comment #2)

...

The "/proc/sys/crypto/fips_enabled r," should IMHO be integrated in the upstream abstractions/openssl

I just proposed this upstream.

Commited to trunk r2294, which means AppArmor 3.0 will have it. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=857122 Swamp Workflow Management changed: What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|obs:running:3208:low |obs:running:3208:low | |obs:running:3210:low -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=857122 Swamp Workflow Management changed: What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|obs:running:3208:moderate |obs:running:3208:moderate | |obs:running:3210:moderate -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=857122 Swamp Workflow Management changed: What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|obs:running:3208:moderate | -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=857122 --- Comment #6 from Swamp Workflow Management --- openSUSE-RU-2014:1481-1: An update that has 19 recommended fixes can now be installed. Category: recommended (moderate) Bug References: 846586,848215,850374,851131,852018,853019,856651,857122,863226,869787,870607,885317,886225,889650,889651,889652,892374,899746,904620 CVE References: Sources used: openSUSE 12.3 (src): apparmor-2.8.4-3.8.1 -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=857122 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(suse-beta@cboltz. | |de) | --- Comment #8 from Christian Boltz --- I don't use nagios, therefore I can only judge based on the log entries from comment #0. It seems the following event is not covered by the profile yet: (unless I overlooked something in the abstractions) 2013-12-30T11:45:14.471441+01:00 hermes kernel: [904962.186632] type=1400 audit(1388400314.470:1115): apparmor="DENIED" operation="file_mmap" parent=31555 profile="/usr/lib/nagios/plugins/check_zypper//zypper" name="/usr/lib64/libproxy-0.4.11/modules/config_gnome3.so" pid=31556 comm="zypper" requested_mask="m" denied_mask="m" fsuid=471 ouid=0 You'll probably need to add the following line to the zypper subprofile: /usr/lib*/libproxy-*/modules/config_gnome3.so mr, BTW: the update notes for the apparmor package in this bugreport were for /proc/sys/crypto/fips_enabled ;-) -- You are receiving this mail because: You are on the CC list for the bug.