https://bugzilla.novell.com/show_bug.cgi?id=807104 https://bugzilla.novell.com/show_bug.cgi?id=807104#c1 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO InfoProvider| |carlos.e.r@opensuse.org --- Comment #1 from Christian Boltz 2013-03-02 01:03:34 CET --- Thanks for your report! One question: you added deny /proc/sys/vm/overcommit_memory r, Is there a special reason why you don't want to allow nscd to read /proc/sys/vm/overcommit_memory? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=807104 https://bugzilla.novell.com/show_bug.cgi?id=807104#c3 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO InfoProvider| |aj@suse.com --- Comment #3 from Christian Boltz 2013-03-02 12:54:45 CET --- (In reply to comment #2)

The change was not mine, it was the yast wizard. Perhaps I did hit "deny" by mistake as the button changed place from one screen to the next in yast.

OK, so it wasn't intentional and it might be better to allow it ;-)

Just run the "update profile" wizard again, there are no complains yet :-?

That's not surprising - as soon as a rule in a profile (allow or deny), you won't be asked again. Hmm, reading your changes again, I see + capability block_suspend, man 7 capabilities says: CAP_BLOCK_SUSPEND (since Linux 3.5) Employ features that can block system suspend (epoll(7) EPOLLWAKEUP, /proc/sys/wake_lock). AJ, is/should nscd seriously be allowed to block suspending? I'm slightly surprised - I wouldn't expect that name service caching needs this... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=807104 https://bugzilla.novell.com/show_bug.cgi?id=807104#c5 --- Comment #5 from Christian Boltz 2013-03-05 01:56:25 CET --- Created an attachment (id=528074) --> (http://bugzilla.novell.com/attachment.cgi?id=528074) IRC log from #apparmor This bug is very interesting[tm] and I was able to keep up to 3 AppArmor developers busy for some hours to debug this ;-) I found out that nscd requests block_suspend _on exit_. I was able to trigger a DENIED message with "rcnscd stop" - but it doesn't happen every time, you might need to try 5 or 10 times. (Of course, you always have to start nscd before stopping it ;-) When block_suspend was DENIED, I also got this log line: type=SYSCALL msg=audit(1362440326.547:629): arch=c000003e syscall=233 success=yes exit=0 a0=10 a1=2 a2=11 a3=0 items=0 ppid=1 pid=15656 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="nscd" exe="/usr/sbin/nscd" key=(null) <jjohansen> this is definitely happening in epoll_ctl syscall so it is cap BLOCK_SUSPEND, we just haven't established why EPOLLWAKEUP is set, whether its intentional or not properly cleared mem AJ, I'm attaching the IRC log - if you want to dig into this, you'll find some technical details in it. (Probably the last ~50 lines are the most interesting part for you.) That said, I'll add + deny capability block_suspend, to the profile to _deny_ the capability (since not only you were surprised it's needed) to silence the log. Any objections? I also noticed that some read permissions were missing: - /{,var/}run/nscd/db* wl, + /{,var/}run/nscd/db* rwl, and will of course add access to /var/run/nscd/netgroup: - /var/{cache,run}/nscd/{passwd,group,services,hosts} rw, + /var/{cache,run}/nscd/{passwd,group,services,hosts,netgroup} rw, I'll also add + /proc/sys/vm/overcommit_memory r, even if I couldn't trigger a DENIED for it while restarting and using (with various name lookups) nscd, but I've seen it in my logs from january. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=807104 https://bugzilla.novell.com/show_bug.cgi?id=807104#c7 Andreas Schwab changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|schwab@suse.com | --- Comment #7 from Andreas Schwab 2013-03-05 11:50:49 CET --- I don't know anything about apparmor. But comment #4 appears to be accurate. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=807104 https://bugzilla.novell.com/show_bug.cgi?id=807104#c9 Andreas Jaeger changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|aj@suse.com | --- Comment #9 from Andreas Jaeger 2013-03-05 18:52:22 UTC --- No, I won't investigate this right now. Andreas Schwab might - he's taking over glibc maintainership... Btw. a grep through glibc sources for epoll_ctl shows: ./nscd/connections.c: if (epoll_ctl (efd, EPOLL_CTL_ADD, sock, &ev) == -1) ./nscd/connections.c: if (epoll_ctl (efd, EPOLL_CTL_ADD, inotify_fd, &ev) == -1) ./nscd/connections.c: if (epoll_ctl (efd, EPOLL_CTL_ADD, nl_status_fd, &ev) == -1) ./nscd/connections.c: || epoll_ctl (efd, EPOLL_CTL_ADD, fd, &ev) == -1) ./nscd/connections.c: (void) epoll_ctl (efd, EPOLL_CTL_DEL, inotify_fd, ./nscd/connections.c: (void) epoll_ctl (efd, EPOLL_CTL_DEL, revs[cnt].data.fd, NULL); ./nscd/connections.c: (void) epoll_ctl (efd, EPOLL_CTL_DEL, cnt, NULL); -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=807104 https://bugzilla.novell.com/show_bug.cgi?id=807104#c11 --- Comment #11 from Bernhard Wiedemann 2013-03-05 23:00:07 CET --- This is an autogenerated message for OBS integration: This bug (807104) was mentioned in https://build.opensuse.org/request/show/157433 Factory / apparmor -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=807104 https://bugzilla.novell.com/show_bug.cgi?id=807104#c13 --- Comment #13 from Per Jessen 2013-04-10 09:08:14 UTC --- Additionally during a restart of nscd: type=1400 audit(1365584764.234:34): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/nscd" name="/var/run/nscd/netgroup" pid=3273 comm="nscd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=807104 https://bugzilla.novell.com/show_bug.cgi?id=807104#c15 --- Comment #15 from Per Jessen 2013-04-11 08:00:00 UTC --- Hi Christian don't do anything extra for my sake, I'm only testing. For other reasons, I installed kernel 3.8.6-2 from Kernel:Stable, which revealed another couple of nscd/apparmor warnings: [ 18.217649] type=1400 audit(1365666572.461:31): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/nscd" pid=596 comm="nscd" pid=596 comm="nscd" capability=36 capname="block_suspend" [ 18.221306] type=1400 audit(1365666572.465:32): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/nscd" pid=596 comm="nscd" pid=596 comm="nscd" capability=36 capname="block_suspend" -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=807104 https://bugzilla.novell.com/show_bug.cgi?id=807104#c17 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |conrad-novell.com@quisquis. | |de --- Comment #17 from Christian Boltz 2013-06-12 17:27:54 CEST --- *** Bug 824577 has been marked as a duplicate of this bug. *** http://bugzilla.novell.com/show_bug.cgi?id=824577 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=807104 https://bugzilla.novell.com/show_bug.cgi?id=807104#c19 Benjamin Brunner changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW CC| |bbrunner@suse.com, | |meissner@suse.com InfoProvider|maintenance@opensuse.org | --- Comment #19 from Benjamin Brunner 2013-06-14 07:59:01 CEST --- The update to 2.8.2 is no problem, but for the python3- and ruby-apparmor subpackages I would prefer to wait until they are checked in into Factory. I added Marcus to the cc-list if he has any objections or suggestions. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=807104 https://bugzilla.novell.com/show_bug.cgi?id=807104#c21 --- Comment #21 from Bernhard Wiedemann 2013-10-20 20:00:24 CEST --- This is an autogenerated message for OBS integration: This bug (807104) was mentioned in https://build.opensuse.org/request/show/204052 12.2+12.3 / apparmor -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=807104 https://bugzilla.novell.com/show_bug.cgi?id=807104#c23 --- Comment #23 from Swamp Workflow Management 2013-10-28 12:06:31 UTC --- openSUSE-RU-2013:1588-1: An update that has 7 recommended fixes can now be installed. Category: recommended (low) Bug References: 777471,798183,807104,822277,824577,845867,846054 CVE References: Sources used: openSUSE 12.3 (src): apparmor-2.8.2-3.4.1 openSUSE 12.2 (src): apparmor-2.8.2-2.11.1 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.