http://bugzilla.opensuse.org/show_bug.cgi?id=1120472 http://bugzilla.opensuse.org/show_bug.cgi?id=1120472#c1 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |guillaume.gardet@arm.com Flags| |needinfo?(guillaume.gardet@ | |arm.com) --- Comment #1 from Christian Boltz --- That's interesting[tm], and it looks like openQA found a scenario that I thought would never happen. (Actually I wasn't even aware that we have AppArmor tests in openQA ;-) - thanks to whoever added them!) I just tried to reproduce the issue locally by doing what openQA does, but (un)fortunately aa-logprof "just works" as expected. I have two questions: Is there a way to get the debug log /tmp/apparmor-bugreport-*.txt from openQA? (note that the filename is mktemp-generated) The debug log contains the content of variables etc. and is hopefully helpful to find out what happens. Also, where can I find the source code of the AppArmor tests done by openQA? Maybe there's a detail I missed in the screenshot. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1120472 http://bugzilla.opensuse.org/show_bug.cgi?id=1120472#c3 Guillaume GARDET changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(guillaume.gardet@ | |arm.com) | --- Comment #3 from Guillaume GARDET --- (In reply to Christian Boltz from comment #1)

That's interesting[tm], and it looks like openQA found a scenario that I thought would never happen. (Actually I wasn't even aware that we have AppArmor tests in openQA ;-) - thanks to whoever added them!)

I just tried to reproduce the issue locally by doing what openQA does, but (un)fortunately aa-logprof "just works" as expected.

Since it is only in latest openQA snapshot (20181231), it is not in released Tumbleweed.

I have two questions:

Is there a way to get the debug log /tmp/apparmor-bugreport-*.txt from openQA? (note that the filename is mktemp-generated) The debug log contains the content of variables etc. and is hopefully helpful to find out what happens.

Added in attachment.

Also, where can I find the source code of the AppArmor tests done by openQA? Maybe there's a detail I missed in the screenshot.

You can get by clicking aa_logprof (test title) in openQA: https://openqa.opensuse.org/tests/822549#step/aa_logprof/24 BTW, in latest Tumbleweed snapshot, it seems '/usr/sbin/nscd' has been replaced by just 'nscd'. Not sure if it could be the cause? -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1120472 Guillaume GARDET changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |whdu@suse.com -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1120472 http://bugzilla.opensuse.org/show_bug.cgi?id=1120472#c6 Wnereiz Z changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |wnereiz@kawashiro.org --- Comment #6 from Wnereiz Z --- (In reply to Christian Boltz from comment #4)

... To sum it up - the conditions to trigger this error are: - nscd is running under the "wrong" profile name ("/usr/sbin/nscd") and triggered audit.log entries with this profile name - a file "usr.sbin.nscd" file exists (that's the default filename for the /usr/sbin/nscd profile) - in that file, the profile name is _not_ "/usr/sbin/nscd"

The profile in usr.sbin.nscd got a profile name "nscd" (which does not exist before), that maybe the reason why we saw it is on "nscd" in the status. You can check the example /etc/apparmor.d/sbin.klogd I'm going to see how to modify the test script to better match what we want to test. (In reply to Christian Boltz from comment #1)

...

I just tried to reproduce the issue locally by doing what openQA does, but (un)fortunately aa-logprof "just works" as expected.

The current Tumbleweed version has not been rolled to what openQA was running, I guess. You probably need a factory build for testing. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1120472 http://bugzilla.opensuse.org/show_bug.cgi?id=1120472#c12 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(guillaume.gardet@ | |arm.com) --- Comment #12 from Christian Boltz --- This bug is fixed in AppArmor (in Factory / as soon as the next Tumbleweed snapshot gets published). Do you still need to have this bugreport open for the opQA test issues (see the last lines of comment #4), or can I close it? -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1120472 http://bugzilla.opensuse.org/show_bug.cgi?id=1120472#c14 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(guillaume.gardet@ | |arm.com) --- Comment #14 from Christian Boltz --- I checked the test results, and I'm still sure it's fixed on the AppArmor side ;-) (also, the failure from comment #0 is completely different from what we see now) The failure in the aa_enforce test is easy to explain: The test uses the packaged nscd profile ("nscd") as you can see in the aa-status output, but when validating the aa-status output, it still looks for "/usr/sbin/nscd". I'll do a pseudo-patch: # Check if /usr/sbin/ntpd is really disabled die "/usr/sbin/nscd should be disabled" - if (script_run("aa-status |grep /usr/sbin/nscd") == 0); + if (script_run("aa-status |grep nscd") == 0); validate_script_output "aa-enforce usr.sbin.nscd", sub { m/Setting.*nscd to enforce mode/; }; validate_script_output "aa-status", sub { - m/\/usr\/sbin\/nscd/; + m/^ *nscd$/; }; Now for the aa_logprof test failure: https://openqa.opensuse.org/tests/827666/file/aa_logprof-audit.log looks like there's still a mixup of the "nscd" and "/usr/sbin/nscd" profile. I see a few log entries about unloading "nscd", but not at the place I'd expect them. Sadly the audit.log doesn't contain hints which test is currently running (I know it's not nice, but an echo $testname >> /var/log/audit/audit.log would help.) I'll try an educated guess: The most likely reason for the aa_logprof test failure is that the "/usr/sbin/nscd" profile (which is generated and loaded in the aa_autodep and aa_genprof test) is still loaded, and nscd is running under that profile, not under "nscd". However, /tmp/apparmor.d/ at this point contains the "nscd" profile - and the audit.log only has entries for the "/usr/sbin/nscd" profile. (I have no idea what $self->aa_tmp_prof_clean does (github link welcome) - but it does for sure not unload the "/usr/sbin/nscd" profile.) To fix this, run the following at the end of the aa_autodep and aa_genprof tests: echo '/usr/sbin/nscd {}' | apparmor_parser -R to unload the "/usr/sbin/nscd" profile. Expected result: no output, $? == 0 Does this help to make the tests green? ;-) -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1120472 http://bugzilla.opensuse.org/show_bug.cgi?id=1120472#c16 --- Comment #16 from lili zhao ---

IMHO there are two things that should be fixed:

a) in AppArmor: I'll either "downgrade" the error to a warning saying Ignoring log event for non-existing profile $name, even if the profile file exists (different profile name?) or simply silently ignore events for non-existing profiles since that is what happens for all non-existing profiles not matching this corner case.

b) in the openQA tests: unload the profile before you delete the profile file to ensure you have a clean test setup:

apparmor_parser -R /tmp/apparmor.d/usr.sbin.nscd rm /tmp/apparmor.d/usr.sbin.nscd cp -a /etc/apparmor.d/ /tmp/apparmor.d/ apparmor_parser -r /tmp/apparmor.d/ # reload profiles

nscd will run unconfined after that, but you are stopping it anyway. (And sadly, openQA will no longer cover that corner case it accidently covered ;-)

Thank you so much for the fixing suggestions for openQA tests, we have opened 2 poo to enhance our test cases. FYI: [sle][security][sle15sp1] apparmor aa_autodep & aa_genprof tests need doing cleanup (https://progress.opensuse.org/issues/45980) [sle][security][sle15sp1] apparmor aa_enforce test needs to be updated to match new behavior in Tumblewwed (https://progress.opensuse.org/issues/45635#change-178487) -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1120472 http://bugzilla.opensuse.org/show_bug.cgi?id=1120472#c19 --- Comment #19 from Christian Boltz --- Manually pasting the update info - one SLE 15 update for AppArmor didn't make it to Leap because of a regression, and the update released yesterday only listed the changes since the SLE-only update in the patchinfo. openSUSE-RU-2019:1063-1: An update that has two recommended fixes can now be installed. Category: recommended (important) Bug References: 1123820,1127073 CVE References: Sources used: openSUSE Leap 15.0 (src): apparmor-2.12.2-lp150.6.11.2, libapparmor-2.12.2-lp150.6.11.2 -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1120472 http://bugzilla.opensuse.org/show_bug.cgi?id=1120472#c21 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #21 from Christian Boltz --- The tickets mentioned in comment #16 were both closed a while ago, and the fixes in the AppArmor package were also done. Therefore I'll assume this bug is completely fixed and close it. If you disagree, feel free to reopen. -- You are receiving this mail because: You are on the CC list for the bug.