[Bug 1089594] New: AppArmor profile for updatedb
http://bugzilla.opensuse.org/show_bug.cgi?id=1089594

Bug ID: 1089594
Summary: AppArmor profile for updatedb
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: openSUSE 42.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
Assignee: tchvatal@suse.com
Reporter: suse-beta@cboltz.de
QA Contact: qa-bugs@suse.de
Found By: Beta-Customer
Blocker: ---

Created attachment 767160 --> http://bugzilla.opensuse.org/attachment.cgi?id=767160&action=edit
AppArmor profile for updatedb

As mentioned in bug 727971, here's an AppArmor profile for updatedb. Creating that profile was simple and boring ;-)

Can you please test it before we package it? Save the attached profile as /etc/apparmor.d/usr.bin.updatedb, run "rcapparmor reload" and then run updatedb and/or wait for the cronjob to run. Afterwards, check your audit.log for any denials.

Note that the profile will need some polishing before we package it (for example a small copyright header and a local/ include), but that shouldn't stop you from testing ;-)

Also note that I only tested with manually running updatedb as "nobody" - I was too impatient to wait for the cronjob ;-) Testing as root might also be a good idea.

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1089594#c1
--- Comment #1 from Christian Boltz

http://bugzilla.opensuse.org/show_bug.cgi?id=1089594#c2
--- Comment #2 from Tomáš Chvátal

http://bugzilla.opensuse.org/show_bug.cgi?id=1089594#c4
--- Comment #4 from Christian Boltz
> Testing as root might also be a good idea.

Sometimes I hate it when I'm right ;-)

I'll paste what I just sent to opensuse-support@ after someone who runs updatedb as root found some problems:

------------------------------------------------------------------------
On Saturday, 9 June 2018, 20:58:17 CEST, ellanios82 wrote:

> type=AVC msg=audit(1528570244.906:176): apparmor="ALLOWED" operation="capable" profile="/usr/bin/updatedb" pid=18558 comm="updatedb" capability=1 capname="dac_override"
> type=AVC msg=audit(1528570244.946:177): apparmor="ALLOWED" operation="capable" profile="/usr/bin/updatedb" pid=18558 comm="updatedb" capability=2 capname="dac_read_search"
> type=AVC msg=audit(1528570244.954:178): apparmor="ALLOWED" operation="capable" profile="/usr/bin/updatedb" pid=18558 comm="updatedb" capability=3 capname="fowner"

This means the AppArmor profile for updatedb needs the following additions:

    capability dac_override,  # maybe not, see below.
    capability dac_read_search,
    capability fowner,

I was able to reproduce this with RUN_UPDATEDB_AS=root in /etc/sysconfig/locate.

One interesting detail is that I got a denial for dac_override only once, and even that surprises me - updatedb cares about directory content (which might need dac_read_search), but I have no idea why it would need dac_override.
------------------------------------------------------------------------

IMHO we should try to avoid allowing dac_override unless really needed. Do you have an idea why it might be needed, and why only once after switching to RUN_UPDATEDB_AS=root? (Switching around between nobody and root afterwards doesn't trigger any dac_override denials.)

In case it matters: I tested by running /etc/cron.daily/mlocate.cron
http://bugzilla.opensuse.org/show_bug.cgi?id=1089594#c5
--- Comment #5 from Tony Su

http://bugzilla.opensuse.org/show_bug.cgi?id=1089594#c6
--- Comment #6 from Christian Boltz
> https://forums.opensuse.org/showthread.php/532754-updatedb?p=2878040#post2878040
>
> Could this re-occurrence be similar enough to also be an AppArmor problem of some sort?

Do you see AppArmor-related lines in your /var/log/audit/audit.log? Please

    grep updatedb /var/log/audit/audit.log

If you don't use auditd, please check your syslog, journal or the dmesg output for messages about updatedb.
http://bugzilla.opensuse.org/show_bug.cgi?id=1089594#c8
--- Comment #8 from Christian Boltz

> Is there something wrong with the profile?

Yes, see comment #4 ;-)

If possible, I'd prefer to avoid adding "capability dac_override," - so please test if adding dac_read_search and fowner is enough, or if dac_override is really needed.

If dac_override is not needed, we should consider "deny capability dac_override," to silence the logging.
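The step that comment #4 does by hand (reading "capable" AVC records out of audit.log and turning them into profile lines) and the decision comment #8 asks for (allow dac_read_search and fowner, but make dac_override a deny rule unless testing proves it is needed), as an added example. This is not the profile attached to the bug, not aa-logprof and not any openSUSE tooling. It parses the three AVC records quoted in comment #4 plus one constructed DENIED record and one constructed non-AppArmor record; the REVIEW_FIRST set, the function names and the output comment wording are this example's own choices.

```python
"""Turn AppArmor 'capable' AVC records into candidate profile rules.

Added example for this thread; it is not the profile attached to the bug
and not aa-logprof. Only operation="capable" is handled (no file rules),
and REVIEW_FIRST and all function names are this example's own choices,
not anything taken from the bug or from AppArmor tooling.
"""
import re
from collections import Counter

# Sample input: the three AVC records quoted in comment #4, plus one
# constructed DENIED record (what the same event looks like once the profile
# is in enforce mode) and one constructed non-AppArmor record to be skipped.
SAMPLE_LOG = """\
type=AVC msg=audit(1528570244.906:176): apparmor="ALLOWED" operation="capable" profile="/usr/bin/updatedb" pid=18558 comm="updatedb" capability=1 capname="dac_override"
type=AVC msg=audit(1528570244.946:177): apparmor="ALLOWED" operation="capable" profile="/usr/bin/updatedb" pid=18558 comm="updatedb" capability=2 capname="dac_read_search"
type=AVC msg=audit(1528570244.954:178): apparmor="ALLOWED" operation="capable" profile="/usr/bin/updatedb" pid=18558 comm="updatedb" capability=3 capname="fowner"
type=AVC msg=audit(1528570300.001:179): apparmor="DENIED" operation="capable" profile="/usr/bin/updatedb" pid=18600 comm="updatedb" capability=2 capname="dac_read_search"
type=USER_START msg=audit(1528570301.000:180): pid=1 uid=0 msg='op=PAM:session_open'
"""

# key="value" or key=value; msg=audit(...): and pid=N are unquoted.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Capabilities broad enough that a single log hit should not become an allow
# rule automatically. dac_override bypasses every DAC permission check, which
# is why comment #4 asks why updatedb would need it at all. (Example's choice.)
REVIEW_FIRST = {"dac_override", "sys_admin", "sys_ptrace"}


def parse_avc(line):
    """Return the fields of an AppArmor AVC record, or None for anything else."""
    fields = {k: q if q else u for k, q, u in FIELD_RE.findall(line)}
    if fields.get("type") != "AVC" or "apparmor" not in fields:
        return None
    return fields


def capability_events(log_text, profile):
    """Count 'capable' records per capability for one profile.

    Returns {capname: Counter({"ALLOWED": n, "DENIED": m})}. An AVC record
    with apparmor="ALLOWED" and a profile name comes from complain mode: the
    action went through but would be blocked under enforce, so it needs a
    rule just as much as a DENIED record does.
    """
    events = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get("operation") != "capable":
            continue
        if rec.get("profile") != profile:
            continue
        events.setdefault(rec["capname"], Counter())[rec["apparmor"]] += 1
    return events


def suggest_rules(log_text, profile):
    """Emit candidate profile lines, sorted by capability name.

    Capabilities in REVIEW_FIRST get a deny rule (which also silences the
    logging, as comment #8 suggests) preceded by a comment, so a reviewer
    has to consciously flip it to an allow rule after testing shows the
    program really needs it.
    """
    rules = []
    for cap, modes in sorted(capability_events(log_text, profile).items()):
        seen = sum(modes.values())
        if cap in REVIEW_FIRST:
            rules.append(f"# {cap}: seen {seen}x; broad capability, allow only if "
                         "testing shows the program really needs it")
            rules.append(f"deny capability {cap},")
        else:
            rules.append(f"capability {cap},")
    return rules


if __name__ == "__main__":
    # Stand-alone: python3 avc_to_rules.py [audit.log]; with no argument the
    # constructed sample above is used.
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(suggest_rules(text, "/usr/bin/updatedb")))
```

Run it against a file produced by the grep from comment #6 (grep updatedb /var/log/audit/audit.log > updatedb.log) and paste the output into the profile; the deny line for dac_override is the starting point for the test comment #8 asks for, not the final answer.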
http://bugzilla.opensuse.org/show_bug.cgi?id=1089594#c10
--- Comment #10 from Christian Boltz
Emr Rec

http://bugzilla.opensuse.org/show_bug.cgi?id=1089594#c16
--- Comment #16 from Peter Simons