Bug ID | 990724 |
---|---|
Summary | libselinux 2.5 causes AppArmor denials for capability sys_admin for lots of binaries |
Classification | openSUSE |
Product | openSUSE Tumbleweed |
Version | Current |
Hardware | Other |
OS | SUSE Other |
Status | NEW |
Severity | Critical |
Priority | P5 - None |
Component | Security |
Assignee | jsegitz@novell.com |
Reporter | suse-beta@cboltz.de |
QA Contact | qa-bugs@suse.de |
CC | i@marguerite.su, security-team@suse.de |
Found By | Beta-Customer |
Blocker | --- |
The latest libselinux update (2.3 -> 2.5) causes AppArmor denials for capability sys_admin in simple binaries like logger, sed and find - and I'm quite sure those programs should _not_ do CAP_SYS_ADMIN stuff...

This can be easily reproduced by

    su            # this only happens as root
    echo foo | logger

audit.log will show a denial afterwards:

    type=AVC msg=audit(1469558131.006:2201): apparmor="DENIED" operation="capable" profile="/{usr/,}bin/logger" pid=9610 comm="logger" capability=21 capname="sys_admin"

I built 2.3 packages based on the previous version in Tumbleweed, and they solve the problem, so this is clearly a regression between 2.3 and 2.5. You can find the 2.3 packages in OBS home:cboltz:branches:openSUSE:Factory/libselinux

I'm rating this bug as critical because it could trick people into adding the sys_admin capability to lots of profiles, and sys_admin is one of the most powerful capabilities and should only be allowed if really needed.
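The report's warning is that a single shared-library regression can surface as the same CAP_SYS_ADMIN denial under many unrelated profiles, and that the wrong reaction is to add `capability sys_admin` to each of them. The script below is an added example (not part of the bug report or of the libselinux/AppArmor projects): it parses AppArmor `capable` denials out of audit.log lines, groups them by profile, and flags a high-risk capability that is denied across several distinct profiles at once, which is the signature of a shared dependency misbehaving rather than of a genuine per-program need. The input is the audit line quoted above plus constructed lines for sed, find, an unrelated ntpd denial, a file denial and an ALLOWED record; the profile paths, pids and timestamps of the constructed lines are made up, and the `HIGH_RISK_CAPS` set is this example's own choice, not an AppArmor definition.

```python
"""Group AppArmor "capable" denials by profile and flag high-risk capabilities
that are denied for several unrelated profiles at once.

Added example, not code from the bug report. Runs offline on the embedded
sample lines; point it at a real audit.log via stdin to use it for real.
"""
import re
import sys
from collections import defaultdict

# Matches the AVC records AppArmor writes to audit.log. The optional tail only
# exists for operation="capable" records.
AVC_RE = re.compile(
    r'apparmor="(?P<action>[A-Z]+)" operation="(?P<op>[^"]+)" '
    r'profile="(?P<profile>[^"]+)".*?pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)"'
    r'(?: capability=(?P<capnum>\d+) capname="(?P<capname>[^"]+)")?'
)

# Capabilities that amount to root when granted. This is the example's own
# list, chosen for triage; it is not an AppArmor or kernel definition.
HIGH_RISK_CAPS = {
    "sys_admin", "sys_module", "sys_rawio", "sys_ptrace",
    "dac_override", "setuid", "mac_override", "mac_admin",
}

SAMPLE_LOG = [
    # Verbatim from the report above.
    'type=AVC msg=audit(1469558131.006:2201): apparmor="DENIED" operation="capable" '
    'profile="/{usr/,}bin/logger" pid=9610 comm="logger" capability=21 capname="sys_admin"',
    # Constructed: the other binaries the report names (paths, pids, times made up).
    'type=AVC msg=audit(1469558140.101:2202): apparmor="DENIED" operation="capable" '
    'profile="/usr/bin/sed" pid=9633 comm="sed" capability=21 capname="sys_admin"',
    'type=AVC msg=audit(1469558142.337:2203): apparmor="DENIED" operation="capable" '
    'profile="/usr/bin/find" pid=9640 comm="find" capability=21 capname="sys_admin"',
    # Constructed: a plausible single-profile denial that is not high-risk.
    'type=AVC msg=audit(1469558150.412:2204): apparmor="DENIED" operation="capable" '
    'profile="/usr/sbin/ntpd" pid=9702 comm="ntpd" capability=25 capname="sys_time"',
    # Constructed: a file denial and an ALLOWED (complain mode) record; both
    # must be ignored by the capability grouping.
    'type=AVC msg=audit(1469558151.020:2205): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/find" name="/root/.ssh/" pid=9640 comm="find" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'type=AVC msg=audit(1469558151.021:2206): apparmor="ALLOWED" operation="capable" '
    'profile="/usr/bin/foo" pid=9710 comm="foo" capability=21 capname="sys_admin"',
]


def parse_denials(lines):
    """Return the parsed fields of every DENIED AVC record, in input order."""
    out = []
    for line in lines:
        m = AVC_RE.search(line)
        if m and m.group("action") == "DENIED":
            out.append(m.groupdict())
    return out


def capability_denials_by_profile(lines):
    """Map profile name -> sorted list of capability names denied to it."""
    by_profile = defaultdict(set)
    for d in parse_denials(lines):
        if d["op"] == "capable" and d["capname"]:
            by_profile[d["profile"]].add(d["capname"])
    return {p: sorted(caps) for p, caps in by_profile.items()}


def suspicious_profiles(lines, min_profiles=2):
    """Map each high-risk capability to the sorted profiles it was denied for,
    keeping only capabilities hit by at least `min_profiles` distinct profiles.
    One high-risk capability showing up under many unrelated programs at the
    same time is a reason to look at a shared dependency, not to widen profiles."""
    hits = defaultdict(set)
    for d in parse_denials(lines):
        if d["op"] == "capable" and d["capname"] in HIGH_RISK_CAPS:
            hits[d["capname"]].add(d["profile"])
    return {c: sorted(p) for c, p in hits.items() if len(p) >= min_profiles}


if __name__ == "__main__":
    lines = [l.rstrip("\n") for l in sys.stdin] if not sys.stdin.isatty() else SAMPLE_LOG
    for profile, caps in sorted(capability_denials_by_profile(lines).items()):
        print(f"{profile}: {', '.join(caps)}")
    for cap, profiles in suspicious_profiles(lines).items():
        print(f"WARNING: {cap} denied for {len(profiles)} profiles: {', '.join(profiles)}")
```

Run it with no stdin to see the embedded sample, or as `python3 triage.py < /var/log/audit/audit.log` on a real box. On the sample it lists one capability per profile and then warns that sys_admin was denied for three distinct profiles, while the single ntpd sys_time denial, the file denial and the ALLOWED record produce no warning.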