[Bug 1219335] New: [AppArmor] AVC denials for zgrep
https://bugzilla.suse.com/show_bug.cgi?id=1219335 Bug ID: 1219335 Summary: [AppArmor] AVC denials for zgrep Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: AppArmor Assignee: suse-beta@cboltz.de Reporter: antonio.feijoo@suse.com QA Contact: qa-bugs@suse.de CC: ddiss@suse.com Target Milestone: --- Found By: --- Blocker: --- Default Tumbleweed installation with AppArmor and kernel 6.8-rc1 from https://build.opensuse.org/package/show/Kernel:HEAD/kernel-default, getting AVC denials using `zgrep`. It does not happen with kernel 6.6.9-1-default.
localhost:/home/dev # uname -r 6.8.0-rc1-4.gc619505-default localhost:/home/dev # dracut -f --stdlog 3 test.img /usr/bin/zgrep: line 210: /usr/bin/grep: Permission denied /usr/bin/zgrep: line 280: /usr/bin/gzip: Permission denied /usr/bin/zgrep: line 295: /usr/bin/grep: Permission denied /usr/bin/zgrep: line 210: /usr/bin/grep: Permission denied /usr/bin/zgrep: line 280: /usr/bin/gzip: Permission denied /usr/bin/zgrep: line 295: /usr/bin/grep: Permission denied localhost:/home/dev # zgrep CONFIG_BTRFS /proc/config.gz /bin/zgrep: line 210: /usr/bin/grep: Permission denied /bin/zgrep: line 280: /bin/gzip: Permission denied /bin/zgrep: line 295: /usr/bin/grep: Permission denied localhost:/home/dev # grep zgrep /var/log/audit/audit.log ... type=AVC msg=audit(1706603114.661:248): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=7356 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 type=AVC msg=audit(1706603114.661:249): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=7356 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 type=AVC msg=audit(1706603114.664:250): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/gzip" pid=7360 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 type=AVC msg=audit(1706603114.664:251): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/gzip" pid=7360 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 type=AVC msg=audit(1706603114.664:252): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=7361 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 type=AVC msg=audit(1706603114.664:253): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=7361 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 type=AVC msg=audit(1706603114.674:254): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=7368 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 type=AVC msg=audit(1706603114.674:255): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=7368 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 type=AVC msg=audit(1706603114.678:256): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/gzip" pid=7372 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 type=AVC msg=audit(1706603114.678:257): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/gzip" pid=7372 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 type=AVC msg=audit(1706603114.678:258): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=7373 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 type=AVC msg=audit(1706603114.678:259): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=7373 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 type=AVC msg=audit(1706603135.285:260): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=10315 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 type=AVC msg=audit(1706603135.285:261): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=10315 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 type=AVC msg=audit(1706603135.291:262): apparmor="DENIED" operation="capable" class="cap" profile="zgrep" pid=10317 comm="zgrep" capability=2 capname="dac_read_search" type=AVC msg=audit(1706603135.291:263): apparmor="DENIED" operation="capable" class="cap" profile="zgrep" pid=10317 comm="zgrep" capability=1 capname="dac_override" type=AVC msg=audit(1706603135.291:264): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/gzip" pid=10319 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 type=AVC msg=audit(1706603135.291:265): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/gzip" pid=10319 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 type=AVC msg=audit(1706603135.291:266): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=10320 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 type=AVC msg=audit(1706603135.291:267): apparmor="DENIED" operation="open" class="file" profile="zgrep" name="/usr/bin/grep" pid=10320 comm="zgrep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1219335 https://bugzilla.suse.com/show_bug.cgi?id=1219335#c1 Antonio Feijoo <antonio.feijoo@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |INVALID Status|NEW |RESOLVED --- Comment #1 from Antonio Feijoo <antonio.feijoo@suse.com> --- Somehow this issue cannot be reproduced with 6.8.0-rc3-1.gae4495f-default, hence closing as invalid. -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@suse.com