[Bug 338461] New: apparmor in kernel 2.16.22.5-31 cannot read configuration files without an error
https://bugzilla.novell.com/show_bug.cgi?id=338461

Summary: apparmor in kernel 2.16.22.5-31 cannot read configuration files without an error
Product: openSUSE 10.2
Version: Final
Platform: x86-64
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
AssignedTo: msvec@novell.com
ReportedBy: uwe.mertens.zuhause@t-online.de
QAContact: msvec@novell.com
Found By: ---

Created an attachment (id=181693)
 --> (https://bugzilla.novell.com/attachment.cgi?id=181693)
log-file boot.msg

After compilation and installation of the kernel 2.16.22.5-31 apparmor does not start during boot. Please find enclosed a log-file boot.omsg.1.

Apparmor generates messages that it cannot use wildcard characters in the configuration files. But as I have seen there are a lot of them in the file /etc/apparmor.d/abstractions/base. After removing wildcards apparmor still failed.

When I used the kernel 2.16.18.8-0.7 I never observed such a behaviour.
Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=338461#c1
John Johansen
https://bugzilla.novell.com/show_bug.cgi?id=338461#c2
--- Comment #2 from uwe mertens

> This will happen if the default match module is being loaded instead of the pcre based match module. Can you provide me output from
>
> sudo lsmod | grep apparmor

This was the output of the command:

uwemer@linux601:~> sudo lsmod|grep apparmor
Sorry, user uwemer is not allowed to execute '/bin/lsmod' as root on linux601.
uwemer@linux601:~> su
Passwort:
linux601:/home/uwemer # lsmod |grep apparmor
apparmor               59056  0
linux601:/home/uwemer #
https://bugzilla.novell.com/show_bug.cgi?id=338461#c3
--- Comment #3 from John Johansen
uname -a
and
rpm -qa | grep apparmor
https://bugzilla.novell.com/show_bug.cgi?id=338461#c4
--- Comment #4 from uwe mertens

> It looks like your parser and kernel are out of sync. Can you provide the output for
>
> uname -a
>
> and
>
> rpm -qa | grep apparmor

This was the output of the commands:

uwemer@linux601:~> uname -a
Linux linux601 2.6.22.5-31-default #1 SMP Thu Oct 25 13:21:17 CEST 2007 x86_64 x86_64 x86_64 GNU/Linux
uwemer@linux601:~> rpm -qa|grep apparmor
libapparmor-2.0-35
apparmor-utils-2.0.1-10
apparmor-parser-2.0.1-11
apparmor-profiles-2.0.1-14
yast2-apparmor-2.0.1-11
apparmor-docs-2.0.1-6
uwemer@linux601:~>
https://bugzilla.novell.com/show_bug.cgi?id=338461#c5
--- Comment #5 from John Johansen
https://bugzilla.novell.com/show_bug.cgi?id=338461#c6
--- Comment #6 from uwe mertens

> It looks like the kernel dependency on the tools didn't get updated. The 10.3 kernel (2.6.22.x) requires that the apparmor user side be updated to version 2.1.
>
> rpm -qa | grep apparmor
>
> for a 10.3 install:
>
> libapparmor1-2.2-18
> apparmor-docs-2.1-19
> perl-libapparmor-2.2-18
> apparmor-parser-2.1-19
> yast2-apparmor-2.1-26
> apparmor-profiles-2.1-12
> apparmor-utils-2.1-11
>
> This should fix the loading problem. However, if you have made modifications to your profiles they will need some updating as there have been a few semantic changes in AppArmor 2.1.
>
> The things that may trip up your profiles are lock permissions, change in directory access semantics, and networking rules. You can just use genprof/logprof to update the profiles or you can do a transform as described below.
>
> lock permissions: previously having access to the file was sufficient to get a lock on a file. AppArmor now requires a lock permission expressed with the letter "k". You can do a brute force transform of adding k to every file rule that has read or write permissions.
>
> networking rules: AppArmor 2.1 has rudimentary networking support and the easiest way to transform 10.2 based profiles is just to add the rule
>
> network, # allow all networking
>
> directory semantics: Previous versions of AppArmor didn't distinguish directories from files. But in AppArmor 2.1 a trailing slash indicates the rule must specifically match a directory.
>
> /foo/**/ rw, # Allow read/write access to dirs, not a file
> /foo/** rw, # allows read/write to files or directories but will not match /foo/ it must be an object under /foo/
> /foo/**[^/] rw, # allow read/write access to files, not a dir
>
> This can cause problems for rules written with * or **. To get the old behavior a rule of the form
>
> old          new
> /foo/*    -> /foo/*{/,}
> /foo/**   -> /foo/**{/,}
>
> /foo/*/bar   # unchanged
> /foo/**/bar  # unchanged
>
> For a complete list of the changes take a look at http://en.opensuse.org/AppArmor/Changes_AppArmor_2_1

Only apparmor-utils-2.1-11 was not available. Some of the required apparmor modules were available at Novell. I have loaded the new modules. After that the apparmor daemon started but skipped all profiles. Therefore, until now I cannot decide whether it works or not.

I propose that Novell puts all required modules into the package repositories and puts a remark into the README file of the kernel.

Another point is the behaviour of the preceding kernel 2.6.18.8-0.7 with the new apparmor modules. I suppose a similar approach to solve this problem is keeping the different versions of apparmor in different directories like it is done for kernel modules.
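The three transforms described in the quoted comment (add "k" to every read/write rule, append `{/,}` to paths ending in a bare `*` or `**`, add a `network,` rule) are mechanical enough to script. The following is an added example written for this page; it is not a tool from the AppArmor project or from either participant. The sample profile is constructed, the line regex is an assumption that covers plain file rules only (include lines, profile headers, hats and any non-file rule are passed through untouched), and the script is idempotent so running it twice does not double up the `k` or the `{/,}`.

```python
import re

# Constructed sample of an AppArmor 2.0 (openSUSE 10.2 era) profile
# fragment; it is not a profile from the bug report or from the
# apparmor-profiles package.
OLD_PROFILE = """\
#include <tunables/global>
/usr/sbin/foo {
  #include <abstractions/base>
  /foo/* rw,
  /foo/** rw,
  /foo/*/bar r,
  /foo/**/bar w,
  /etc/foo.conf r,        # config, read only
  /usr/lib/libfoo.so mr,
  /bin/baz ix,
}
"""

# A file rule: indent, an absolute path (globs allowed), whitespace, a run of
# permission letters, a comma, then anything else (usually a comment).
# Assumption: this simplified grammar is enough for 10.2-style file rules.
FILE_RULE = re.compile(
    r'^(?P<indent>\s*)(?P<path>/\S+)\s+(?P<perms>[a-zA-Z]+)\s*,(?P<rest>.*)$'
)


def transform_rule(line):
    """Apply the 2.0 -> 2.1 rewrites from the comment to one profile line."""
    m = FILE_RULE.match(line)
    if not m:
        return line  # #include, profile header, closing brace, network rule...
    indent, path, perms, rest = m.group('indent', 'path', 'perms', 'rest')

    # Lock permission: 2.1 needs an explicit "k"; brute-force add it to every
    # rule that grants read or write (exec-only rules such as "ix" stay as is).
    if ('r' in perms or 'w' in perms) and 'k' not in perms:
        perms += 'k'

    # Directory semantics: only a path whose last component is a bare "*" or
    # "**" changes meaning in 2.1, so "/foo/*" -> "/foo/*{/,}" while
    # "/foo/*/bar" and "/foo/**/" (explicitly directory-only) are untouched.
    # Testing the last character also makes the rewrite idempotent.
    if path.endswith('*'):
        path += '{/,}'

    return f"{indent}{path} {perms},{rest}"


def transform_profile(text):
    """Rewrite every rule and add "network," once to each top-level profile."""
    already_has_network = any(
        l.strip().startswith('network') for l in text.splitlines()
    )
    out = []
    for line in text.splitlines():
        out.append(transform_rule(line))
        # A top-level profile header ends with "{" and is not indented
        # (hats/subprofiles are indented and are left alone here).
        if (line.rstrip().endswith('{') and not line[:1].isspace()
                and not already_has_network):
            out.append('  network, # allow all networking (AppArmor 2.1 rule)')
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(transform_profile(OLD_PROFILE))
```

Review the output before loading it: the brute-force `k` and the blanket `network,` rule both widen the profile, which is exactly the trade-off the comment describes when it suggests genprof/logprof as the alternative.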
https://bugzilla.novell.com/show_bug.cgi?id=338461#c7
--- Comment #7 from John Johansen
https://bugzilla.novell.com/show_bug.cgi?id=338461#c8
--- Comment #8 from uwe mertens

> Your profiles have not been able to load because the older apparmor_parser can not load profiles to the newer kernel module. This was done because the newer kernel moved to a more efficient matching scheme using a dfa, and the dfa tables are built and verified user side.
>
> All the packages should be available in the 10.3 repo. Several of the packages including the apparmor-utils-2.1-11 package are in the noarch portion of the repo.
>
> http://download.opensuse.org/distribution/10.3/repo/oss/suse/noarch/
>
> I do need to upload snapshots to the apparmor project and set up packages in the build service as well, which will help in package availability.
>
> The kernel currently has a requires on the 2.0.1 apparmor parser; this is a bug and it should have been updated. This would have prevented the kernel from being installed without a parser that can load the profiles. A note being added to the kernel README file as well is a good idea.
>
> The behavior for the newer tools with the older kernel should be okay. The parser can load policy to the older kernel and the tools will work with it as well. There is a problem, however, in that which set of profiles gets loaded is not chosen based off of the running kernel, and if profiles make use of the newer features the parser will refuse to load them.

I have loaded the last missing module apparmor-utils-2.1-11. I did not find the module as the search engine of Novell did not deliver a result on the search of apparmor-utils-2.1-11. The search of apparmor-utils was successful.

The modules I observed to be skipped during boot were those marked by rpm as rpmsave when I had installed the new profiles. Therefore, I think the bug is fixed.

In order to work alternatively with the old and the new kernel I have stored the two sets of profiles in two different directories:

/etc/apparmor.d$(uname -r)

The directory apparmor.d has been removed. Into the /etc/init.d/boot.apparmor script I have inserted two lines just behind the leading comment:

rm /etc/apparmor.d
ln -s /etc/apparmor.d$(uname -r) /etc/apparmor.d

With this link booting of both kernel releases works and I think the tools of apparmor work too. If there would be an automated update of the kernel with change of the release number then the according profile directory needs to be renamed.
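The per-kernel profile directory trick above also has to cope with the case the reporter raises at the end (a kernel update changes the release string and no matching profile tree exists yet). The following is an added example for this page, not the reporter's boot.apparmor edit nor anything from the AppArmor project. It assumes its own naming (a hyphen between `apparmor.d` and the release, unlike the reporter's `/etc/apparmor.d$(uname -r)`) plus an `apparmor.d-default` tree used as fallback, repoints the symlink in one `ln -sfn` step, and refuses to run if `/etc/apparmor.d` is still a real directory so no profile tree is removed by mistake. The `ROOT` argument exists only so the function can be exercised against a temporary tree.

```sh
#!/bin/sh
# Layout assumed by this example (not the layout from the bug report):
#   ROOT/etc/apparmor.d-<kernel release>   profiles for one specific kernel
#   ROOT/etc/apparmor.d-default            fallback for any other kernel
# ROOT/etc/apparmor.d itself is a symlink that this function repoints.

# select_profile_dir ROOT RELEASE
#   ROOT    filesystem root ("" for the live system, a temp dir for testing)
#   RELEASE kernel release string, normally "$(uname -r)"
select_profile_dir() {
    root="$1"
    release="$2"
    link="$root/etc/apparmor.d"
    target="$root/etc/apparmor.d-$release"

    # Kernel was updated and nobody created a matching tree yet: fall back
    # to the default tree instead of leaving the system without profiles.
    if [ ! -d "$target" ]; then
        target="$root/etc/apparmor.d-default"
    fi
    if [ ! -d "$target" ]; then
        echo "no profile tree for $release and no default tree" >&2
        return 1
    fi

    # Never rm a real directory: if ROOT/etc/apparmor.d is still a directory
    # (profiles not yet moved aside), stop so no profile tree is lost.
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "$link is a directory, move it aside first" >&2
        return 2
    fi

    # -n: replace the link itself rather than creating a link inside the
    # directory it currently points to; -f: overwrite the old link.
    ln -sfn "$target" "$link"
}

# Run directly (e.g. from boot.apparmor) with:  sh select_profiles.sh --run
if [ "${1:-}" = "--run" ]; then
    select_profile_dir "" "$(uname -r)" || exit $?
fi
```

The function returns 1 when neither a matching nor a default tree exists and 2 when the link path is a real directory, so a boot script can log the reason rather than silently starting with no policy loaded.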
https://bugzilla.novell.com/show_bug.cgi?id=338461#c9
John Johansen