Comment # 4 on bug 1120472 from
(In reply to Guillaume GARDET from comment #3)
> (In reply to Christian Boltz from comment #1)
> > I just tried to reproduce the issue locally by doing what openQA does, but
> > (un)fortunately aa-logprof "just works" as expected.
> 
> Since it is only in latest openQA snapshot (20181231), it is not in released
> Tumbleweed.

That's why I'm using the apparmor packages from home:cboltz (which I submitted
to security:apparmor and then to Tumbleweed) ;-)  (nevertheless: thanks for
mentioning it, it would have been an easy explanation ;-)

Also, it turned out that I need to run more of the AppArmor tests (not only the
aa-logprof test) to reproduce the bug. See below for the full story.

> > Is there a way to get the debug log /tmp/apparmor-bugreport-*.txt from
> > openQA? (note that the filename is mktemp-generated)
> > The debug log contains the content of variables etc. and is hopefully
> > helpful to find out what happens.
> 
> Added in attachment.

Thanks! The most strange, interesting and useful line is
    profile = '/usr/sbin/nscd'

> > Also, where can I find the source code of the AppArmor tests done by openQA?
> > Maybe there's a detail I missed in the screenshot.
> 
> You can get it by clicking aa_logprof (test title) in openQA:
> https://openqa.opensuse.org/tests/822549#step/aa_logprof/24

Good to know, thanks!

> BTW, in latest Tumbleweed snapshot, it seems '/usr/sbin/nscd' has been
> replaced by just 'nscd'. Not sure if it could be the cause?

It looks like this change combined with the other tests you do trigger the
issue.

Let me explain:

Upstream decided to switch to "named profiles" for various reasons, so the nscd
profile is now named just "nscd" (with /usr/{bin,sbin}/nscd as attachment)
instead of having /usr/bin/nscd for both name and attachment.

However, when creating a new profile with aa-genprof or aa-autodep, the
path-based way ("/usr/bin/nscd") gets used.

This means after your aa-genprof and aa-autodep tests, two profiles are loaded:
"nscd" and "/usr/sbin/nscd". (I've seen you delete the profile file and run
"rcapparmor restart", but that doesn't unload the "/usr/sbin/nscd" profile -
see the Leap 15 release notes for an explanation.)

The path-based /usr/sbin/nscd profile is more specific (no alternation in the
path) and therefore gets used when starting nscd. That explains the "profile =
'/usr/sbin/nscd'" line from the debug log.

However, the profile in /tmp/apparmor.d/ is named "nscd", and a
"/usr/sbin/nscd" profile doesn't exist there. That's exactly what aa-logprof
tells us in the error (ok, the error message could be more specific, but it's
clear when looking at the code).

To sum it up - the conditions to trigger this error are:
- nscd is running under the "wrong" profile name ("/usr/sbin/nscd") and 
  triggered audit.log entries with this profile name
- a file "usr.sbin.nscd" file exists (that's the default filename for the
  /usr/sbin/nscd profile)
- in that file, the profile name is _not_ "/usr/sbin/nscd"

I hope the openQA test authors play in the lottery, because you hit this quite
unlikely corner case ;-)

Now we know what's happening, and I hope you enjoyed reading the full story ;-)


IMHO there are two things that should be fixed:

a) in AppArmor: I'll either "downgrade" the error to a warning saying
       Ignoring log event for non-existing profile $name, even if the
       profile file exists (different profile name?)
   or simply silently ignore events for non-existing profiles since that is 
   what happens for all non-existing profiles not matching this corner case.

b) in the openQA tests: unload the profile before you delete the profile file
   to ensure you have a clean test setup:

       apparmor_parser -R /tmp/apparmor.d/usr.sbin.nscd
       rm /tmp/apparmor.d/usr.sbin.nscd
       cp -a /etc/apparmor.d/ /tmp/apparmor.d/
       apparmor_parser -r /tmp/apparmor.d/  # reload profiles

   nscd will run unconfined after that, but you are stopping it anyway.
   (And sadly, openQA will no longer cover that corner case it accidentally
   covered ;-)

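As an added illustration (not part of this bug report or of the AppArmor tools themselves), here is a small Python check that reproduces the corner-case conditions listed in this comment: it collects the profile names declared in a profile file and flags audit-log events whose profile= name is not among them, which is exactly the mismatch aa-logprof tripped over. The audit lines, the profile file content and the function names are constructed for the example.

```python
import re

# Constructed audit lines: the first is what nscd produces while it runs under
# the stale path-based "/usr/sbin/nscd" profile, the second under the new
# named profile "nscd". Not copied from the attachment in the bug report.
AUDIT_LOG = """\
type=AVC msg=audit(1546300000.123:45): apparmor="DENIED" operation="open" profile="/usr/sbin/nscd" name="/etc/example.conf" pid=1234 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1546300001.456:46): apparmor="DENIED" operation="open" profile="nscd" name="/etc/example.conf" pid=1235 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# Constructed usr.sbin.nscd in the upstream "named profile" style: the name is
# "nscd", the attachment is /usr/{bin,sbin}/nscd.
PROFILE_FILE = """\
#include <tunables/global>
profile nscd /usr/{bin,sbin}/nscd {
  #include <abstractions/base>
}
"""

# Top-level profile headers come in two shapes:
#   profile NAME [ATTACHMENT] [flags=(...)] {   -> named profile
#   /path/to/binary [flags=(...)] {             -> path-based profile
_HEADER_RE = re.compile(r'^(?:profile\s+(\S+)|(/\S+))\s.*\{\s*$')
_LOG_PROFILE_RE = re.compile(r'\bprofile="([^"]+)"')


def profile_names_in_file(profile_text):
    """Return the set of top-level profile names declared in a profile file."""
    names = set()
    for line in profile_text.splitlines():
        m = _HEADER_RE.match(line)
        if m:
            names.add(m.group(1) or m.group(2))
    return names


def stale_profile_events(audit_text, profile_text):
    """Return the profile= names of audit events that no declared profile matches.

    A non-empty result with an existing profile file is the corner case from
    the bug: the kernel still has "/usr/sbin/nscd" loaded and logs under that
    name, but the file on disk only declares "nscd".
    """
    declared = profile_names_in_file(profile_text)
    stale = []
    for line in audit_text.splitlines():
        m = _LOG_PROFILE_RE.search(line)
        if m and m.group(1) not in declared:
            stale.append(m.group(1))
    return stale
```

Running stale_profile_events(AUDIT_LOG, PROFILE_FILE) yields ["/usr/sbin/nscd"]; with the old path-based header "/usr/sbin/nscd {" in the file, that event would instead match and the named-profile event would be the stale one.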