Comment # 14
on bug 1120472
from Christian Boltz
I checked the test results, and I'm still sure it's fixed on the AppArmor side
;-)
(also, the failure from comment #0 is completely different from what we see
now)
The failure in the aa_enforce test is easy to explain:
The test uses the packaged nscd profile ("nscd") as you can see in the
aa-status output, but when validating the aa-status output, it still looks for
"/usr/sbin/nscd". I'll do a pseudo-patch:
# Check if /usr/sbin/ntpd is really disabled
die "/usr/sbin/nscd should be disabled"
- if (script_run("aa-status |grep /usr/sbin/nscd") == 0);
+ if (script_run("aa-status |grep nscd") == 0);
validate_script_output "aa-enforce usr.sbin.nscd", sub {
m/Setting.*nscd to enforce mode/;
};
validate_script_output "aa-status", sub {
- m/\/usr\/sbin\/nscd/;
+ m/^ *nscd$/;
};
Now for the aa_logprof test failure:
https://openqa.opensuse.org/tests/827666/file/aa_logprof-audit.log looks like
there's still a mixup of the "nscd" and "/usr/sbin/nscd" profile. I see a few
log entries about unloading "nscd", but not at the place I'd expect them.
Sadly the audit.log doesn't contain hints which test is currently running (I
know it's not nice, but an echo $testname >> /var/log/audit/audit.log would
help.)
I'll try an educated guess:
The most likely reason for the aa_logprof test failure is that the
"/usr/sbin/nscd" profile (which is generated and loaded in the aa_autodep and
aa_genprof test) is still loaded, and nscd is running under that profile, not
under "nscd".
However, /tmp/apparmor.d/ at this point contains the "nscd" profile - and the
audit.log only has entries for the "/usr/sbin/nscd" profile.
(I have no idea what $self->aa_tmp_prof_clean does (github link welcome) - but
it does for sure not unload the "/usr/sbin/nscd" profile.)
To fix this, run the following at the end of the aa_autodep and aa_genprof
tests:
echo '/usr/sbin/nscd {}' | apparmor_parser -R
to unload the "/usr/sbin/nscd" profile.
Expected result: no output, $? == 0
Does this help to make the tests green? ;-)