[Bug 807104] New: 12.3 RC2: apparmor nscd bad profile
https://bugzilla.novell.com/show_bug.cgi?id=807104
https://bugzilla.novell.com/show_bug.cgi?id=807104#c0
Summary: 12.3 RC2: apparmor nscd bad profile
Classification: openSUSE
Product: openSUSE 12.3
Version: RC 2
Platform: x86-64
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: AppArmor
AssignedTo: suse-beta@cboltz.de
ReportedBy: carlos.e.r@opensuse.org
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---
See changes by the wizard:
#include
https://bugzilla.novell.com/show_bug.cgi?id=807104#c1
Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=807104#c2
Carlos Robinson
https://bugzilla.novell.com/show_bug.cgi?id=807104#c3
Christian Boltz
> The change was not mine, it was the yast wizard. Perhaps I did hit "deny" by mistake as the button changed place from one screen to the next in yast.

OK, so it wasn't intentional and it might be better to allow it ;-)

> Just run the "update profile" wizard again, there are no complaints yet :-?

That's not surprising - as soon as a rule is in a profile (allow or deny), you won't be asked again.

Hmm, reading your changes again, I see

+ capability block_suspend,

man 7 capabilities says:

CAP_BLOCK_SUSPEND (since Linux 3.5)
    Employ features that can block system suspend (epoll(7) EPOLLWAKEUP, /proc/sys/wake_lock).

AJ, is/should nscd seriously be allowed to block suspending? I'm slightly surprised - I wouldn't expect that name service caching needs this...

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=807104#c4
Andreas Jaeger
https://bugzilla.novell.com/show_bug.cgi?id=807104#c5
--- Comment #5 from Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=807104#c6
Andreas Jaeger
https://bugzilla.novell.com/show_bug.cgi?id=807104#c7
Andreas Schwab
https://bugzilla.novell.com/show_bug.cgi?id=807104#c8
Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=807104#c9
Andreas Jaeger
https://bugzilla.novell.com/show_bug.cgi?id=807104#c10
--- Comment #10 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=807104#c11
--- Comment #11 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=807104#c12
Per Jessen
https://bugzilla.novell.com/show_bug.cgi?id=807104#c13
--- Comment #13 from Per Jessen
https://bugzilla.novell.com/show_bug.cgi?id=807104#c14
--- Comment #14 from Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=807104#c15
--- Comment #15 from Per Jessen
https://bugzilla.novell.com/show_bug.cgi?id=807104#c16
--- Comment #16 from Christian Boltz
> don't do anything extra for my sake, I'm only testing.

;-) Then I'll do it for the other 99% of the users who never complain or even don't check their audit.log ;-)

BTW: You might want to use the apparmor-profiles package from security:apparmor which contains the latest nscd profile.

> [ 18.217649] type=1400 audit(1365666572.461:31): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/nscd" pid=596 comm="nscd" pid=596 comm="nscd" capability=36 capname="block_suspend"

block_suspend is also a well-known thing in this bugreport, but after a lot of research (both in bugzilla, see AJ's comment, and with the upstream developers, see summary and IRC log in comment #5) the decision is to deny this capability.

Nevertheless, thanks for your testing and feedback!
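An added example, not part of the bug report or of AppArmor's own tooling: it parses audit lines like the one quoted in the comment above, groups capability denials by profile, and renders the explicit `deny capability` rule that would record the decision reached in this thread. The function names and the second log line are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: the first line is the denial quoted in the thread,
# the second is a made-up file denial to show non-capability events are skipped.
SAMPLE_LOG = '''\
[ 18.217649] type=1400 audit(1365666572.461:31): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/nscd" pid=596 comm="nscd" pid=596 comm="nscd" capability=36 capname="block_suspend"
[ 19.000000] type=1400 audit(1365666573.000:32): apparmor="DENIED" operation="open" profile="/usr/sbin/example" name="/tmp/x" pid=700 comm="example" requested_mask="r" denied_mask="r"
'''

# key=value pairs; a value is either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(line):
    """Return the key=value fields of one audit line; a repeated key keeps its first value."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields.setdefault(key, quoted if quoted else bare)
    return fields


def capability_denials(log_text):
    """Map profile name -> set of capability names that AppArmor denied."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_fields(line)
        if (f.get("apparmor") == "DENIED"
                and f.get("operation") == "capable"
                and "capname" in f):
            denied[f.get("profile", "<unknown>")].add(f["capname"])
    return dict(denied)


def deny_rules(log_text):
    """Render explicit deny rules, per profile, for a maintainer to review."""
    return {profile: [f"deny capability {cap}," for cap in sorted(caps)]
            for profile, caps in capability_denials(log_text).items()}


if __name__ == "__main__":
    for profile, rules in deny_rules(SAMPLE_LOG).items():
        print(profile)
        for rule in rules:
            print("  " + rule)
```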
https://bugzilla.novell.com/show_bug.cgi?id=807104#c17
Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=807104#c18
Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=807104#c19
Benjamin Brunner
https://bugzilla.novell.com/show_bug.cgi?id=807104#c20
--- Comment #20 from Christian Boltz
> The update to 2.8.2 is no problem, but for the python3- and ruby-apparmor subpackages I would prefer to wait until they are checked in into Factory.

Factory will of course get the updated package first - I thought that's obvious and therefore didn't mention it ;-)
https://bugzilla.novell.com/show_bug.cgi?id=807104#c21
--- Comment #21 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=807104#c22
Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=807104#c23
--- Comment #23 from Swamp Workflow Management