[heroes] mlmmj - apparmor issues
Christian, something for you -
when the profiles were in "enforce", I see these in the log -
/usr/bin/mlmmj-bounce[18839]: subscriberfuncs.c:122: Could not opendir(/var/spool/mlmmj/opensuse//subscribers.d/): Permission denied
/usr/bin/mlmmj-sub[5174]: subscriberfuncs.c:122: Could not opendir(/var/spool/mlmmj/opensuse//subscribers.d/): Permission denied
/usr/bin/mlmmj-unsub[3419]: subscriberfuncs.c:122: Could not opendir(/var/spool/mlmmj/opensuse-security-announce//subscribers.d/): Permission denied
Looking at the profile for mlmmj-bounce:
/usr/bin/mlmmj-bounce {
#include
Hello,
On Tuesday, 20 September 2016, 09:57:45 CEST, Per Jessen wrote:
Christian, something for you - when the profiles were in "enforce", I see these in the log -
/usr/bin/mlmmj-bounce[18839]: subscriberfuncs.c:122: Could not opendir(/var/spool/mlmmj/opensuse//subscribers.d/): Permission denied
/usr/bin/mlmmj-sub[5174]: subscriberfuncs.c:122: Could not opendir(/var/spool/mlmmj/opensuse//subscribers.d/): Permission denied
/usr/bin/mlmmj-unsub[3419]: subscriberfuncs.c:122: Could not opendir(/var/spool/mlmmj/opensuse-security-announce//subscribers.d/): Permission denied
Looking at the profile for mlmmj-bounce:
/usr/bin/mlmmj-bounce {
#include
/usr/bin/mlmmj-bounce r,
/usr/bin/mlmmj-send Px,
/var/spool/mlmmj/*/subscribers.d rwl, #
This profile looks _really_ old. Rules to allow directory listings (basically allowing "ls") need to have a trailing slash, so the rule should be
/var/spool/mlmmj/*/subscribers.d/ rwl,
You'll also need to add the trailing slash in all other directory rules. Rules without trailing slash are for files (also sockets, device nodes etc. - everything except directories).
Looooong time ago, AppArmor did not have the trailing slash requirement. I'm not sure when exactly this changed. With a quick "bzr blame", I found out that it was added to the manpage in April 2007 - so the implementation of "trailing slash for directories" in the code can probably celebrate its 10th birthday already ;-)
I also wonder if "l" (hardlink) permissions make sense for a directory. IIRC I only needed them for some files (never for directories) - but they don't really hurt.
/var/spool/mlmmj/*/subscribers.d/* rwl,
/var/spool/mlmmj/*/subconf rwl, #
..../subconf/ rwl,
/var/spool/mlmmj/*/subconf/* rwl,
/var/spool/mlmmj/*/queue rwl, #
.../queue/ rwl,
/var/spool/mlmmj/*/queue/* rwl,
/var/spool/mlmmj/*/bounce/ rwl,
That rule was probably added later - it has a trailing slash. Also, I'm slightly surprised that there isn't a rule for the files inside the bounce directory.
}
The trailing '#'s look a bit odd, but I guess they're okay.
# simply indicates the start of a comment. Actually an empty comment ;-)
Except if they were meant to be at the beginning of the next line?
You'll need to ask someone who knows mlmmj to find out which part of mlmmj needs to read and write which files (or you (ab)use AppArmor to find it out), but there's nothing that looks obviously wrong or too generous.
/usr/bin/mlmmj-sub {
#include
capability setuid,
/usr/bin/mlmmj-send Px,
/usr/bin/mlmmj-sub r,
/var/spool/mlmmj/*/control r, #
/var/spool/mlmmj/*/control/* r,
/var/spool/mlmmj/*/queue w, #
/var/spool/mlmmj/*/queue/* w,
/var/spool/mlmmj/*/subconf w, #
/var/spool/mlmmj/*/subconf/* w,
/var/spool/mlmmj/*/subscribers.d rw,
/var/spool/mlmmj/*/subscribers.d/* rw,
/var/spool/mlmmj/*/subscribers.d/.d.lock lw,
/var/spool/mlmmj/*/text r, #
/var/spool/mlmmj/*/text/* r,
}
Why does mlmmj-unsub have a problem with /var/spool/mlmmj/opensuse-security-announce//subscribers.d/ ?
You should be able to answer this yourself after reading what I wrote above ;-)
This doesn't look right though:
/usr/bin/mlmmj-unsub {
#include
/usr/bin/mlmmj-unsub r,
/usr/bin/mlmmj-send Px,
/var/spool/mlmmj/*/control r, #
/var/spool/mlmmj/*/control/* r,
/var/spool/mlmmj/*/text r, #
/var/spool/mlmmj/*/text/* r,
/var/spool/mlmmj/*/subscribers.d r,
/var/spool/mlmmj/*/subscribers.d/* r,
/var/spool/mlmmj/*/queue rwl, #
/var/spool/mlmmj/*/queue/* rwl,
/var/spool/mlmmj/*/unsubconf rwl, #
/var/spool/mlmmj/*/unsubconf/* rwl,
/var/spool/mlmmj/*/subscribers.d rwl, #
/var/spool/mlmmj/*/subscribers.d/* rwl,
}
Double entries for /var/spool/mlmmj/*/subscribers.d ?
They get merged, so
/var/spool/mlmmj/*/subscribers.d r,
/var/spool/mlmmj/*/subscribers.d/* r,
/var/spool/mlmmj/*/subscribers.d rwl, #
/var/spool/mlmmj/*/subscribers.d/* rwl,
is effectively
/var/spool/mlmmj/*/subscribers.d rwl, #
/var/spool/mlmmj/*/subscribers.d/* rwl,
Again, you'll need to add trailing slashes for the directory rules.
After editing the profiles, please run rcapparmor reload to reload them. (Do NOT use "restart" because this does bad things and kills a cat when used with systemd.)
If you still see ALLOWED or DENIED events in audit.log, please paste those lines into a mail ;-)
Regards,
Christian Boltz
--
This signature is temporarily unavailable. Please try again later or leave a message after the signature separator. Beep.
--
To unsubscribe, e-mail: heroes+unsubscribe@opensuse.org
To contact the owner, e-mail: heroes+owner@opensuse.org
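As an added illustration of the two points Christian makes in this mail (duplicate rules for one path get merged, with their permissions unioned, and a path used as a directory needs a trailing slash), here is a small Python linter. It is not part of AppArmor, mlmmj or this thread; the sample profile is constructed from the mlmmj-unsub rules quoted above (with an assumed `#include <abstractions/base>` line standing in for the truncated one), and the "this path is a directory" heuristic, the `known_dirs` parameter and the permission-letter ordering are this example's own.

```python
import re

# Constructed sample input: the mlmmj-unsub rules as quoted in the thread,
# including the commented-out "# /.../control/* r," parts. Not a shipped
# profile; the #include line is an assumption, the thread's copy lost it.
SAMPLE_PROFILE = """\
/usr/bin/mlmmj-unsub {
  #include <abstractions/base>
  /usr/bin/mlmmj-unsub r,
  /usr/bin/mlmmj-send Px,
  /var/spool/mlmmj/*/control r,         # /var/spool/mlmmj/*/control/* r,
  /var/spool/mlmmj/*/text r,            # /var/spool/mlmmj/*/text/* r,
  /var/spool/mlmmj/*/subscribers.d r,
  /var/spool/mlmmj/*/subscribers.d/* r,
  /var/spool/mlmmj/*/queue rwl,         # /var/spool/mlmmj/*/queue/* rwl,
  /var/spool/mlmmj/*/unsubconf rwl,     # /var/spool/mlmmj/*/unsubconf/* rwl,
  /var/spool/mlmmj/*/subscribers.d rwl, # /var/spool/mlmmj/*/subscribers.d/* rwl,
}
"""

# One "path perms," rule per line. Everything after '#' is a comment and is
# dropped first, which also discards #include lines.
RULE_RE = re.compile(r"^\s*(/\S*)\s+([A-Za-z]+)\s*,\s*$")

# Order used when printing a merged permission set (file permissions first,
# then exec modifiers); letters not listed here are appended sorted.
PERM_ORDER = "rwalkmPUCpucix"


def parse_rules(profile_text):
    """Return {path: set(permission letters)}, merging duplicate paths the
    way the thread describes: 'r' and 'rwl' for one path become 'rwl'."""
    rules = {}
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0]          # assumes no '#' inside paths
        m = RULE_RE.match(line)
        if not m:
            continue
        path, perms = m.group(1), set(m.group(2))
        rules.setdefault(path, set()).update(perms)
    return rules


def format_perms(perms):
    """Render a permission set in PERM_ORDER, e.g. {'x','P'} -> 'Px'."""
    known = "".join(c for c in PERM_ORDER if c in perms)
    extra = "".join(sorted(perms - set(PERM_ORDER)))
    return known + extra


def find_missing_dir_slash(rules, known_dirs=()):
    """Paths that are evidently directories but carry no trailing slash.
    Heuristic (this example's own): another rule lives beneath the path
    (path + '/'), or the caller named it in known_dirs, which covers
    directories whose child rules are commented out as in the sample."""
    missing = set()
    for path in rules:
        if path.endswith("/"):
            continue
        below = path + "/"
        if path in known_dirs or any(o.startswith(below) for o in rules if o != path):
            missing.add(path)
    return sorted(missing)


def suggest_fixes(profile_text, known_dirs=()):
    """Merged directory rules rewritten with the trailing slash that AppArmor
    requires for directory access, one rule per returned string."""
    rules = parse_rules(profile_text)
    return [f"{p}/ {format_perms(rules[p])},"
            for p in find_missing_dir_slash(rules, known_dirs)]


if __name__ == "__main__":
    # queue is passed explicitly because its child rule is commented out
    for fix in suggest_fixes(SAMPLE_PROFILE, known_dirs=["/var/spool/mlmmj/*/queue"]):
        print(fix)
```

Run stand-alone, the script prints the two rewritten directory rules; the merged `subscribers.d` rule comes out as `rwl` because the `r` and `rwl` entries were unioned before the slash was added. The heuristic can only spot a directory when some other rule lives below it, which is why directories with commented-out child rules have to be passed in by hand.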
Hello,
On Tuesday, 20.09.2016, 18:37 +0200, Christian Boltz wrote:
Hello,
On Tuesday, 20 September 2016, 09:57:45 CEST, Per Jessen wrote:
Christian, something for you -
After editing the profiles, please run rcapparmor reload to reload them. (Do NOT use "restart" because this does bad things and kills a cat when used with systemd.)
If you still see ALLOWED or DENIED events in audit.log, please paste those lines into a mail ;-)
Regards,
Christian Boltz
--
This signature is temporarily unavailable. Please try again later or leave a message after the signature separator. Beep.
we have got good news. We have got feedback by the German mailing list:
Subscribing just worked for me. Thanks to the new admin! Regards, Hendrik
It seems the subscribe problem is fixed. Thanks to Per and Christian!
Best regards,
Sarah
Christian Boltz wrote:
Hello,
On Tuesday, 20 September 2016, 09:57:45 CEST, Per Jessen wrote:
Looking at the profile for mlmmj-bounce:
/usr/bin/mlmmj-bounce {
#include
/usr/bin/mlmmj-bounce r,
/usr/bin/mlmmj-send Px,
/var/spool/mlmmj/*/subscribers.d rwl, #
This profile looks _really_ old.
Rules to allow directory listings (basically allowing "ls") need to have a trailing slash, so the rule should be
That was going to be one of my questions :-)
Well, apparmor-profiles is apparmor-2.8.2-45.1, which dates back to 2013, afaict. It was installed on 2 September 15:32, which coincides with the first subscribe/unsubscribe problems. Judging by zypper.log, 2.8.2-45.1 is from SLE-12-SP1-Update, the previous version was 2.8.2-36.1.
Clearly the profiles for mlmmj-* are outdated, but it seems the fix ought to be to upgrade to a more recent version of apparmor-profiles?
I am unfamiliar with the systems management processes for this server - I think the update happened automagically, it looks like it's done as a daily cron-job.
For baloo, I can easily extract the newer mlmmj profiles from apparmor-profiles-2.10, and add them into /etc/apparmor.d/local/, but it seems to me that apparmor-profiles in SLE12-SP1 needs to be updated? (even if not very many people use mlmmj).
--
Per Jessen, Zürich (11.1°C)
Hi
On 21 September 2016 09:03:03 CEST, Per Jessen wrote:
I am unfamiliar with the systems management processes for this server - I think the update happened automagically, it looks like it's done as a daily cron-job.
Right: all openSUSE servers have a cron job running each day (around 19:30 +- 15min) that updates all packages that do not have a "license to confirm" (which is used by kernel updates, for example). Additionally, there is a monitoring check around 20:00 running zypper to check for pending updates (like the kernel one, which does not get installed automatically) and packages from alien repositories (meaning 3rd-party packages not provided via official repos) that are not acknowledged by the admin. If there is a package in the official repo that should be updated to solve a problem, we open a bug report to get this fixed the official way.
For baloo, I can easily extract the newer mlmmj profiles from apparmor-profiles-2.10, and add them into /etc/apparmor.d/local/, but it seems to me that apparmor-profiles in SLE12-SP1 needs to be updated?
(even if not very many people use mlmmj).
As mlmmj is not part of the official repository provided by SUSE, I would recommend adding the profile to the mlmmj package or distributing it via configuration management. As it is a config file, I would normally recommend the 2nd approach, but I guess we might be able to generate a generic apparmor profile that can help others if it gets integrated in the mlmmj package. But it's up to you to decide as admin :-)
CU,
Lars
Per Jessen wrote:
Clearly the profiles for mlmmj-* are outdated, but it seems the fix ought to be to upgrade to a more recent version of apparmor-profiles?
I'm guessing the profiles for mlmmj-* were in complain mode, but were put into "enforce" when overwritten by the update.
For baloo, I can easily extract the newer mlmmj profiles from apparmor-profiles-2.10, and add them into /etc/apparmor.d/local/, but it seems to me that apparmor-profiles in SLE12-SP1 needs to be updated? (even if not very many people use mlmmj).
I've updated the profiles on baloo, and opened a bug report.
--
Per Jessen, Zürich (16.8°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.