Bug ID 990724
Summary libselinux 2.5 causes AppArmor denials for capability sys_admin for lots of binaries
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS SUSE Other
Status NEW
Severity Critical
Priority P5 - None
Component Security
Assignee jsegitz@novell.com
Reporter suse-beta@cboltz.de
QA Contact qa-bugs@suse.de
CC i@marguerite.su, security-team@suse.de
Found By Beta-Customer
Blocker --- 

The latest libselinux update (2.3 -> 2.5) causes AppArmor denials for
capability sys_admin in simple binaries like logger, sed and find - and I'm
quite sure those programs should _not_ do CAP_SYS_ADMIN stuff...

This can be easily reproduced by
    su   # this only happens as root
    echo foo | logger

audit.log will show a denial afterwards:

type=AVC msg=audit(1469558131.006:2201): apparmor="DENIED" operation="capable"
profile="/{usr/,}bin/logger" pid=9610 comm="logger" capability=21 
capname="sys_admin"


I built 2.3 packages based on the previous version in Tumbleweed, and they
solve the problem, so this is clearly a regression between 2.3 and 2.5. You can
find the 2.3 packages in OBS home:cboltz:branches:openSUSE:Factory/libselinux


I'm rating this bug as critical because it could trick people into adding the
sys_admin capability to lots of profiles, and sys_admin is one of the most
powerful capabilities and should only be allowed if really needed.

You are receiving this mail because: