[Bug 1219139] New: [Build 20240123] pam 1.6 vs apparmor
https://bugzilla.suse.com/show_bug.cgi?id=1219139

Bug ID: 1219139
Summary: [Build 20240123] pam 1.6 vs apparmor
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
URL: https://openqa.opensuse.org/tests/3889394/modules/mutt/steps/24
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
Assignee: suse-beta@cboltz.de
Reporter: dimstar@opensuse.org
QA Contact: qa-bugs@suse.de
Target Milestone: ---
Found By: openQA
Blocker: Yes

## Observation

The test sets up a postfix/dovecot mail server and then tries to connect to it using mutt. Since the upgrade to PAM 1.6, this no longer works.

On a local debug I could identify AppArmor blocking access to two objects while authenticating:

type=AVC msg=audit(1706098433.326:138): apparmor="DENIED" operation="exec" class="file" profile="dovecot-auth" name="/usr/sbin/unix_chkpwd" pid=1479 comm="auth" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1706098433.326:139): apparmor="DENIED" operation="open" class="file" profile="dovecot-auth" name="/proc/1478/loginuid" pid=1478 comm="auth" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

If I tear down AppArmor (aa-teardown) I can successfully log in to my test dovecot setup.

openQA test in scenario opensuse-Tumbleweed-JeOS-for-kvm-and-xen-x86_64-jeos-extra@64bit_virtio-2G fails in [mutt](https://openqa.opensuse.org/tests/3889394/modules/mutt/steps/24)

## Test suite description

Same as jeos, plus some more tests.

## Reproducible

Fails since (at least) Build [20240123](https://openqa.opensuse.org/tests/3888714)

## Expected result

Last good: [20240122](https://openqa.opensuse.org/tests/3886456) (or more recent)

## Further details

Always latest result in this scenario: [latest](https://openqa.opensuse.org/tests/latest?arch=x86_64&distri=opensuse&flavor=JeOS-for-kvm-and-xen&machine=64bit_virtio-2G&test=jeos-extra&version=Tumbleweed)

--
You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1219139

Guillaume GARDET <guillaume.gardet@arm.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |guillaume.gardet@arm.com
https://bugzilla.suse.com/show_bug.cgi?id=1219139#c2

Christian Boltz <suse-beta@cboltz.de> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |dimstar@opensuse.org
Flags| |needinfo?(dimstar@opensuse.org)

--- Comment #2 from Christian Boltz <suse-beta@cboltz.de> ---

(In reply to Fabian Vogt from comment #1)
> The pam changelog contains:
>
>   pam_unix: changed to always run the helper to obtain shadow password entries.
>
> So everything which previously opened /etc/shadow directly might now call unix_chkpwd instead. That might affect more than just dovecot.
That's good to know, thanks for pointing it out! Nevertheless, let's start with the actual failure ;-)

The denials translate to the following additions in /etc/apparmor.d/usr.lib.dovecot.auth:

  /usr/sbin/unix_chkpwd Px,
  owner /proc/@{PID}/loginuid r,

You'll also need a profile for unix_chkpwd, which I'll steal from the apparmor.d project (please save it as /etc/apparmor.d/unix-chkpwd)

---------------------------------------------------------------------------
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = /{,usr/}{,s}bin/unix_chkpwd
profile unix-chkpwd /{,usr/}{,s}bin/unix_chkpwd {
  include <abstractions/base>
  include <abstractions/nameservice-strict>

  # To write records to the kernel auditing log.
  capability audit_write,

  network netlink raw,

  @{exec_path} mr,

  /etc/shadow r,

  # file_inherit
  owner /dev/tty@{int} rw,

  include if exists <local/unix-chkpwd>
}
---------------------------------------------------------------------------

Can you please test if the dovecot-auth profile addition + this profile fix the authentication? (If you still see denials, please switch the affected profiles to complain mode with aa-complain so that we get everything at once.)

For the record: the following profiles read /etc/shadow (via abstractions/authentication):
- apparmor.d/usr.lib.dovecot.auth
- apparmor.d/usr.lib.dovecot.dovecot-auth
- apparmor.d/usr.sbin.dovecot
- apparmor.d/usr.sbin.smbd
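Comment #2 turns the two audit denials from the report into profile rules by hand. The script below is an added example (written for this thread, not code from the bug, from AppArmor's aa-logprof or from the apparmor.d project) that performs the same translation mechanically over the denial lines: it parses the `key=value` fields of each `apparmor="DENIED"` record, maps an exec denial to a `Px` rule, rewrites a per-process `/proc/<pid>/` path to `/proc/@{PID}/` and adds the `owner` qualifier only when `fsuid` equals `ouid`. Those mapping choices (Px rather than ix or Cx, keeping only r/w/k/m from `denied_mask`) are assumptions made for the example; a real rule still needs review before it goes into a profile.

```python
"""Translate AppArmor audit denials into candidate profile rules (added example)."""
import re

# Constructed copies of the two denial lines quoted in the bug report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1706098433.326:138): apparmor="DENIED" operation="exec" class="file" profile="dovecot-auth" name="/usr/sbin/unix_chkpwd" pid=1479 comm="auth" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1706098433.326:139): apparmor="DENIED" operation="open" class="file" profile="dovecot-auth" name="/proc/1478/loginuid" pid=1478 comm="auth" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line):
    """Return the fields of one AppArmor DENIED audit record as a dict, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted = m.group(1), m.group(3)
        fields[key] = quoted if quoted is not None else m.group(2)
    return fields


def suggest_rule(ev):
    """Map one denial event to an AppArmor file rule (assumed policy choices)."""
    name = ev.get("name")
    mask = ev.get("denied_mask", "")
    if not name:
        return None  # not a file event (e.g. capability or network denial)
    if ev.get("operation") == "exec" or "x" in mask:
        # Assumption: run the helper under its own profile, as comment #2 does.
        return f"{name} Px,"
    owner = ""
    m = re.match(r"/proc/(\d+)/(.*)", name)
    if m:
        # Generalise the pid; 'owner' is only valid when the process owns the file.
        name = "/proc/@{PID}/" + m.group(2)
        if ev.get("fsuid") == ev.get("ouid"):
            owner = "owner "
    perms = "".join(c for c in "rwkm" if c in mask)
    return f"{owner}{name} {perms},"


def suggestions(audit_text):
    """Group suggested rules by profile, de-duplicated, in first-seen order."""
    by_profile = {}
    for line in audit_text.splitlines():
        ev = parse_avc(line)
        if not ev:
            continue
        rule = suggest_rule(ev)
        if rule:
            rules = by_profile.setdefault(ev["profile"], [])
            if rule not in rules:
                rules.append(rule)
    return by_profile


if __name__ == "__main__":
    for profile, rules in suggestions(SAMPLE_AUDIT).items():
        print(f"# additions for profile {profile}")
        for rule in rules:
            print("  " + rule)
```

Run against the two lines from the report it prints exactly the two additions comment #2 makes to usr.lib.dovecot.auth; fed the output of `aa-teardown`-free complain-mode logging it gives a first draft for every affected profile at once, which is what the comment asks the reporter to collect.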
https://bugzilla.suse.com/show_bug.cgi?id=1219139#c3

Dominique Leuenberger <dimstar@opensuse.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Flags|needinfo?(dimstar@opensuse.org) |

--- Comment #3 from Dominique Leuenberger <dimstar@opensuse.org> ---

The unix-chkpwd profile is invalid with the version of AppArmor we use:

* abi/4.0 => abi/3.0
* abstractions/nameservice-strict -> abstractions/nameservice
* reference to int, but never declared (removed that line in my test system)

With those changes applied to unix-chkpwd, I can log in on the dovecot/POP3 server.
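Comment #3 found three things that break when a profile written against a newer AppArmor (here from apparmor.d) is dropped onto an older policy base: the `abi` declaration, an abstraction the local package does not ship, and a variable (`@{int}`) that the local tunables never declare. The checker below is an added example, not part of the bug thread or of AppArmor's tooling, that catches all three before `apparmor_parser` is ever run. Which abis, abstractions and tunable variables the target system provides depends on the installed apparmor packages, so they are passed in as sets; the sets used here are constructed to mirror what comment #3 describes and should be derived from `/etc/apparmor.d/abi`, `abstractions/` and `tunables/` on a real host.

```python
"""Pre-deployment checks for an AppArmor profile taken from another project (added example)."""
import re

# The unix-chkpwd profile from comment #2, embedded as the input under test.
PROFILE = """\
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = /{,usr/}{,s}bin/unix_chkpwd
profile unix-chkpwd /{,usr/}{,s}bin/unix_chkpwd {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  # To write records to the kernel auditing log.
  capability audit_write,
  network netlink raw,
  @{exec_path} mr,
  /etc/shadow r,
  # file_inherit
  owner /dev/tty@{int} rw,
  include if exists <local/unix-chkpwd>
}
"""

# Constructed stand-in for the older AppArmor of comment #3: abi 3.0, no
# nameservice-strict abstraction, and tunables that do not define @{int}.
LOCAL_ABIS = {"abi/3.0"}
LOCAL_INCLUDES = {"tunables/global", "abstractions/base", "abstractions/nameservice"}
LOCAL_TUNABLES = {"PROC", "HOME", "pid", "pids"}

ABI_RE = re.compile(r"^\s*abi\s+<([^>]+)>\s*,")
INCLUDE_RE = re.compile(r"^\s*(?:#include|include)\s+(if exists\s+)?<([^>]+)>")
DEF_RE = re.compile(r"^\s*@\{(\w+)\}\s*\+?=")
REF_RE = re.compile(r"@\{(\w+)\}")


def lint_profile(text, supported_abis, available_includes, tunable_vars):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    defined = set(tunable_vars)
    referenced = {}  # variable name -> first line that uses it
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#") and not stripped.startswith("#include"):
            continue  # comment line
        m = ABI_RE.match(line)
        if m:
            if m.group(1) not in supported_abis:
                findings.append(f"line {lineno}: abi {m.group(1)} not supported locally")
            continue
        m = INCLUDE_RE.match(line)
        if m:
            optional, path = m.group(1), m.group(2)
            # 'include if exists' is tolerated by the parser when the file is absent.
            if not optional and path not in available_includes:
                findings.append(f"line {lineno}: include <{path}> not available locally")
            continue
        m = DEF_RE.match(line)
        if m:
            defined.add(m.group(1))
        for name in REF_RE.findall(line):
            referenced.setdefault(name, lineno)
    for name, lineno in referenced.items():
        if name not in defined:
            findings.append(f"line {lineno}: variable @{{{name}}} referenced but never declared")
    return findings


if __name__ == "__main__":
    for finding in lint_profile(PROFILE, LOCAL_ABIS, LOCAL_INCLUDES, LOCAL_TUNABLES):
        print(finding)
```

The three findings it reports on the embedded profile are the three edits comment #3 made; after applying them (abi/3.0, abstractions/nameservice, and dropping the `/dev/tty@{int}` line) the same checker returns nothing. A variable-reference check of this kind is worth keeping in CI for any profile imported from upstream collections, because an undeclared variable is a parse error that silently leaves the confined program without a loaded profile.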
https://bugzilla.suse.com/show_bug.cgi?id=1219139#c6

Christian Boltz <suse-beta@cboltz.de> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |IN_PROGRESS

--- Comment #6 from Christian Boltz <suse-beta@cboltz.de> ---

(In reply to Freek de Kruijf from comment #5)
> In which snapshot of Tumbleweed will this be available?
SR 1142650 submitted, so - as soon as it gets accepted and the snapshot passes openQA. Until then, feel free to install and test the apparmor-profiles package from security:apparmor as soon as the build finishes in a few minutes.
https://bugzilla.suse.com/show_bug.cgi?id=1219139#c7

--- Comment #7 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---

This is an autogenerated message for OBS integration:
This bug (1219139) was mentioned in
https://build.opensuse.org/request/show/1142650 Factory / apparmor
https://bugzilla.suse.com/show_bug.cgi?id=1219139#c8

Dominique Leuenberger <dimstar@opensuse.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|IN_PROGRESS |RESOLVED

--- Comment #8 from Dominique Leuenberger <dimstar@opensuse.org> ---

(In reply to OBSbugzilla Bot from comment #7)
> This is an autogenerated message for OBS integration:
> This bug (1219139) was mentioned in
> https://build.opensuse.org/request/show/1142650 Factory / apparmor
Checked in and confirmed by openQA: previously failing test 'mutt' passes again
https://openqa.opensuse.org/tests/3905255#step/mutt/1