(In reply to Guillaume GARDET from comment #3)
> (In reply to Christian Boltz from comment #1)
> > I just tried to reproduce the issue locally by doing what openQA does, but
> > (un)fortunately aa-logprof "just works" as expected.
>
> Since it is only in latest openQA snapshot (20181231), it is not in released
> Tumbleweed.

That's why I'm using the apparmor packages from home:cboltz (which I submitted to security:apparmor and then to Tumbleweed) ;-)

(nevertheless: thanks for mentioning it, it would have been an easy explanation ;-)

Also, it turned out that I need to run more of the AppArmor tests (not only the aa-logprof test) to reproduce the bug. See below for the full story.

> > Is there a way to get the debug log /tmp/apparmor-bugreport-*.txt from
> > openQA? (note that the filename is mktemp-generated)
> > The debug log contains the content of variables etc. and is hopefully
> > helpful to find out what happens.
>
> Added in attachment.

Thanks! The most strange, interesting and useful line is

    profile = '/usr/sbin/nscd'

> > Also, where can I find the source code of the AppArmor tests done by openQA?
> > Maybe there's a detail I missed in the screenshot.
>
> You can get by clicking aa_logprof (test title) in openQA:
> https://openqa.opensuse.org/tests/822549#step/aa_logprof/24

Good to know, thanks!

> BTW, in latest Tumbleweed snapshot, it seems '/usr/sbin/nscd' has been
> replaced by just 'nscd'. Not sure if it could be the cause?

It looks like this change combined with the other tests you do trigger the issue. Let me explain:

Upstream decided to switch to "named profiles" for various reasons, so the nscd profile is now named just "nscd" (with /usr/{bin,sbin}/nscd as attachment) instead of having /usr/bin/nscd for both name and attachment.

However, when creating a new profile with aa-genprof or aa-autodep, the path-based way ("/usr/bin/nscd") gets used. This means after your aa-genprof and aa-autodep tests, two profiles are loaded: "nscd" and "/usr/sbin/nscd". (I've seen you delete the profile file and run "rcapparmor restart", but that doesn't unload the "/usr/sbin/nscd" profile - see the Leap 15 release notes for an explanation.)

The path-based /usr/sbin/nscd profile is more specific (no alternation in the path) and therefore gets used when starting nscd. That explains the "profile = '/usr/sbin/nscd'" line from the debug log.

However, the profile in /tmp/apparmor.d/ is named "nscd", and a "/usr/sbin/nscd" profile doesn't exist there. That's exactly what aa-logprof tells us in the error (ok, the error message could be more specific, but it's clear when looking at the code).

To sum it up - the conditions to trigger this error are:
- nscd is running under the "wrong" profile name ("/usr/sbin/nscd") and triggered audit.log entries with this profile name
- a file "usr.sbin.nscd" exists (that's the default filename for the /usr/sbin/nscd profile)
- in that file, the profile name is _not_ "/usr/sbin/nscd"

I hope the openQA test authors play in the lottery, because you hit this quite unlikely corner case ;-)

Now we know what's happening, and I hope you enjoyed reading the full story ;-)

IMHO there are two things that should be fixed:

a) in AppArmor: I'll either "downgrade" the error to a warning saying

    Ignoring log event for non-existing profile $name, even if the profile file exists (different profile name?)

or simply silently ignore events for non-existing profiles since that is what happens for all non-existing profiles not matching this corner case.

b) in the openQA tests: unload the profile before you delete the profile file to ensure you have a clean test setup:

    apparmor_parser -R /tmp/apparmor.d/usr.sbin.nscd
    rm /tmp/apparmor.d/usr.sbin.nscd
    cp -a /etc/apparmor.d/ /tmp/apparmor.d/
    apparmor_parser -r /tmp/apparmor.d/    # reload profiles

nscd will run unconfined after that, but you are stopping it anyway. (And sadly, openQA will no longer cover that corner case it accidentally covered ;-)
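
An added example, not part of the comment above and not AppArmor's own code: a check for the three trigger conditions listed in the comment, reporting logged profile names whose default profile file exists but declares a different name. The header regex is a simplification of the profile syntax, and the profile text and log lines are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

# Assumption: simplified header match, top-level "profile NAME ... {" or "/path ... {".
HEADER = re.compile(r'^(?:profile\s+)?(\S+)\s.*\{\s*$')
LOG_PROFILE = re.compile(r'\bprofile="([^"]+)"')

# Constructed sample data (not taken from the attached debug log).
SAMPLE_PROFILE = """#include <tunables/global>
profile nscd /usr/{bin,sbin}/nscd {
  /etc/nscd.conf r,
}
"""
SAMPLE_LOG = [
    'type=AVC apparmor="ALLOWED" operation="open" profile="/usr/sbin/nscd" name="/etc/nscd.conf"',
    'type=AVC apparmor="ALLOWED" operation="open" profile="/usr/bin/example" name="/etc/hosts"',
]

def default_filename(profile_name):
    """/usr/sbin/nscd -> usr.sbin.nscd (default file name for a path-based profile)."""
    return profile_name.lstrip("/").replace("/", ".")

def profiles_in_file(path):
    """Return the top-level profile names declared in one profile file."""
    lines = [l for l in path.read_text().splitlines() if not l.startswith("#")]
    return {m.group(1).strip('"') for l in lines if (m := HEADER.match(l))}

def find_mismatches(profile_dir, log_lines):
    """Logged profile names whose default file exists but declares other names."""
    findings = []
    logged = {m.group(1) for l in log_lines if (m := LOG_PROFILE.search(l))}
    for name in sorted(logged):
        candidate = Path(profile_dir) / default_filename(name)
        if candidate.is_file():
            declared = profiles_in_file(candidate)
            if name not in declared:
                findings.append((name, candidate.name, sorted(declared)))
    return findings

def demo():
    """Build a throwaway profile directory and run the check on the samples."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "usr.sbin.nscd").write_text(SAMPLE_PROFILE)
        return find_mismatches(d, SAMPLE_LOG)

if __name__ == "__main__":
    print(demo())
```

The second sample event has no matching file at all, so it is skipped, mirroring how events for other non-existing profiles are ignored.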