Comment # 1 on bug 1188295 from
Just checked the latest audit.log, and it contains several DENIED lines for
apache that need profile additions.

several 
operation="file_receive" info="Failed name lookup - disconnected path"
error=-13 profile="/usr/sbin/httpd-prefork"
-> please add the attach_disconnected flag to the profile

operation="open" profile="/usr/sbin/httpd-prefork" name="/etc/ssl/openssl.cnf"
pid=5279 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0
ouid=0FSUID="root" OUID="root"

-> #include <abstractions/openssl>

operation="signal" profile="/usr/sbin/httpd-prefork" pid=5265
comm="httpd-prefork" requested_mask="send" denied_mask="send" signal=winch
peer="unconfined"

That's strange - the "winch" signal is (according to man 7 signal) "Window
resize signal". I can't imagine why Apache would send such a signal, and unless
you have an idea what's causing this, I would recommend not allowing this.

And the winner is...
operation="mknod" profile="/usr/sbin/httpd-prefork"
name="/run/httpd.pid.PVbmMe" pid=5279 comm="httpd-prefork" requested_mask="c"
denied_mask="c" fsuid=0 ouid=0FSUID="root" OUID="root"

which means Apache now uses a mktemp-generated pid filename and can't create
it.
-> /run/httpd.pid.?????? rw,


Correct me if I'm wrong, but - this test uses the
data/apparmor/usr.sbin.httpd-prefork profile in the os-autoinst-distri-opensuse
repo, right?
Therefore I'd argue that this bug is in the openQA test, not in the AppArmor
package ;-)  (I might fix it nevertheless ;-)
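
A small triage script for denials like the ones quoted in this comment, added here as an illustration; it is not part of the original comment or of the AppArmor tooling. The log lines are constructed from the excerpts above, and the `apparmor="DENIED"` field on each sample line, the mktemp-suffix heuristic and the function names are assumptions of this example.

```python
import re

# Constructed sample, modelled on the denials quoted in the comment
# (audit record prefix and timestamps omitted; last line is a non-denial).
SAMPLE_LOG = """\
apparmor="DENIED" operation="file_receive" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/httpd-prefork"
apparmor="DENIED" operation="open" profile="/usr/sbin/httpd-prefork" name="/etc/ssl/openssl.cnf" pid=5279 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="signal" profile="/usr/sbin/httpd-prefork" pid=5265 comm="httpd-prefork" requested_mask="send" denied_mask="send" signal=winch peer="unconfined"
apparmor="DENIED" operation="mknod" profile="/usr/sbin/httpd-prefork" name="/run/httpd.pid.PVbmMe" pid=5279 comm="httpd-prefork" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
apparmor="ALLOWED" operation="open" profile="/usr/sbin/httpd-prefork" name="/tmp/ignored" denied_mask="r"
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
MKTEMP_SUFFIX = re.compile(r'\.[A-Za-z0-9]{6}$')  # heuristic: mkstemp-style XXXXXX tail
# Abstraction hint taken from the comment; extend as needed.
ABSTRACTIONS = {"/etc/ssl/openssl.cnf": "#include <abstractions/openssl>"}

def parse(line):
    """Return the key=value fields of one audit line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def triage(log, profile="/usr/sbin/httpd-prefork"):
    """Sort DENIED events for one profile into flags, candidate rules and review items."""
    out = {"flags": set(), "rules": set(), "review": []}
    for line in log.splitlines():
        f = parse(line)
        if f.get("apparmor") != "DENIED" or f.get("profile") != profile:
            continue
        if "disconnected path" in f.get("info", ""):
            out["flags"].add("attach_disconnected")
        elif f.get("operation") == "signal":
            # Never auto-allowed: a human decides whether the signal is expected.
            out["review"].append(f'signal ({f["denied_mask"]}) set=({f["signal"]}) peer={f["peer"]},')
        elif f.get("name") in ABSTRACTIONS:
            out["rules"].add(ABSTRACTIONS[f["name"]])
        elif "name" in f:
            # create (c) and delete (d) denials are covered by the w permission
            perms = "".join(sorted({"w" if c in "cd" else c for c in f["denied_mask"]}))
            name = MKTEMP_SUFFIX.sub(".??????", f["name"]) if f["operation"] == "mknod" else f["name"]
            out["rules"].add(f"{name} {perms},")
    return out

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind, sorted(items))
```

The script derives only the minimum permission from each denial, so the pid-file rule comes out as `w` where the comment proposes `rw`; signal denials are listed for review rather than turned into rules.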

