[Bug 1162277] New: apparmor profiles: use.sbin.nscd profile breaks nscd queries over NIS
http://bugzilla.suse.com/show_bug.cgi?id=1162277

Bug ID: 1162277
Summary: apparmor profiles: use.sbin.nscd profile breaks nscd queries over NIS
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
Assignee: suse-beta@cboltz.de
Reporter: martin.wilck@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Created attachment 828723
--> http://bugzilla.suse.com/attachment.cgi?id=828723&action=edit
PATCH: apparmor profiles: allow access to /etc/netconfig for nscd

I'm using "files nis" for passwd, shadow, and group in nsswitch.conf. I just found that this works for non-local accounts only without nscd:

apollon:~ # id hare
id: ‘hare’: no such user
apollon:~ # systemctl stop nscd
apollon:~ # id hare
uid=16045(hare) gid=50(suse) groups=50(suse),...
apollon:~ # systemctl start nscd
apollon:~ # id hare
id: ‘hare’: no such user

Analysis revealed that this was caused by the apparmor profile usr.sbin.nscd. I had indeed seen these messages but didn't realize they meant that no RPC was possible at all.

type=AVC msg=audit(1580402312.471:882): apparmor="DENIED" operation="open" profile="nscd" name="/etc/netconfig" pid=29401 comm="nscd" requested_mask="r" denied_mask="r" fsuid=496 ouid=0
type=AVC msg=audit(1580402312.471:883): apparmor="DENIED" operation="open" profile="nscd" name="/etc/netconfig" pid=29401 comm="nscd" requested_mask="r" denied_mask="r" fsuid=496 ouid=0

Adding "/etc/netconfig r," to the profile resolves the issue. See attached patch.

--
You are receiving this mail because:
You are on the CC list for the bug.
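
The denials quoted in the report can be summarised mechanically before deciding what a profile is missing. The following is an added example, not part of the bug report or of the AppArmor tooling: it groups `apparmor="DENIED"` audit records by profile and prints a candidate rule for each denied path, for review rather than automatic inclusion. The function names, the third and fourth sample lines, and the mapping of the log-only masks `c` and `d` to `w` are assumptions of this example.

```python
import re
from collections import Counter

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Lines 1-2 are the denials quoted in the report; lines 3-4 are constructed.
SAMPLE = """\
type=AVC msg=audit(1580402312.471:882): apparmor="DENIED" operation="open" profile="nscd" name="/etc/netconfig" pid=29401 comm="nscd" requested_mask="r" denied_mask="r" fsuid=496 ouid=0
type=AVC msg=audit(1580402312.471:883): apparmor="DENIED" operation="open" profile="nscd" name="/etc/netconfig" pid=29401 comm="nscd" requested_mask="r" denied_mask="r" fsuid=496 ouid=0
type=AVC msg=audit(1580402313.002:884): apparmor="ALLOWED" operation="open" profile="nscd" name="/etc/hosts" pid=29401 comm="nscd" requested_mask="r" denied_mask="r" fsuid=496 ouid=0
type=AVC msg=audit(1580402314.100:885): apparmor="DENIED" operation="mknod" profile="example" name=2F746D702F782079 pid=29500 comm="example" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
"""

def parse(line):
    """Return the key=value fields of one audit record as a dict."""
    fields = {}
    for key, quoted, bare in KV.findall(line):
        if key == "name" and bare:
            # audit writes names containing spaces or quotes as bare hex
            try:
                bare = bytes.fromhex(bare).decode("utf-8", "replace")
            except ValueError:
                pass  # not hex, keep the raw token
        fields[key] = quoted or bare
    return fields

def candidate_rules(log_text):
    """Count DENIED file accesses per (profile, candidate rule)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse(line)
        if f.get("apparmor") != "DENIED" or "name" not in f:
            continue
        # Assumption: log-only masks c (create) and d (delete) map to w.
        mask = f.get("denied_mask", "")
        perms = "".join(dict.fromkeys("w" if c in "cd" else c for c in mask))
        # Paths with spaces must be quoted in a profile rule.
        path = f'"{f["name"]}"' if " " in f["name"] else f["name"]
        counts[(f.get("profile", "?"), f"{path} {perms},")] += 1
    return counts

if __name__ == "__main__":
    for (profile, rule), n in candidate_rules(SAMPLE).items():
        print(f"{profile}: {rule}  # {n} denial(s)")
```
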
http://bugzilla.suse.com/show_bug.cgi?id=1162277#c1
--- Comment #1 from Christian Boltz
http://bugzilla.suse.com/show_bug.cgi?id=1162277#c2
Martin Wilck
http://bugzilla.suse.com/show_bug.cgi?id=1162277#c3
--- Comment #3 from Christian Boltz
> Indeed, I had /etc/apparmor.d/abstractions/nameservice.rpmnew.

OK, that explains the problem :-)

> Maybe I made a mistake back then, by running "zypper up" rather than "dup"?

That shouldn't matter - *.rpmnew files are created by rpm, not zypper. The files in /etc/apparmor.d/ are packaged as "%config(noreplace)", therefore getting *.rpmnew files is not too surprising. However, I'm - like you - surprised that this happened for a file you never touched. AFAIK rpm should silently replace unmodified files with their newer version.

> Strange though: I also have
>
> apollon:/etc/apparmor.d # rpm -V apparmor-profiles
> S.5....T. c /etc/apparmor.d/usr.sbin.nscd
>
> (because I added the netconfig line on Friday)
>
> but I have no "rpmnew" file for this. "zypper in --force apparmor-profiles" does not change the situation, still wrong hash, no .rpmnew file. I had to delete the file and reinstall apparmor-profiles.
>
> Is that expected?

You'll need to ask a rpm expert, but my _guess_ is that rpm only creates the *.rpmnew file if the to-be-installed file has a different md5(?)sum than the file in the already installed package (as listed in the rpm database).
http://bugzilla.suse.com/show_bug.cgi?id=1162277#c4
--- Comment #4 from Martin Wilck
> The files in /etc/apparmor.d/ are packaged as "%config(noreplace)", therefore getting *.rpmnew files is not too surprising. However, I'm - like you - surprised that this happened for a file you never touched. AFAIK rpm should silently replace unmodified files with their newer version.

Perhaps I touched the file unknowingly or just forgot about it, it was 3y ago, no clue. What I observed when I checked your suggestion: Warnings about "rpmnew" or "rpmsave" files are visible in /var/log/zypp/history, but not on the command line. So they aren't actual warnings for the end user. This was on current TW.

>> apollon:/etc/apparmor.d # rpm -V apparmor-profiles
>> S.5....T. c /etc/apparmor.d/usr.sbin.nscd
>>
>> (because I added the netconfig line on Friday)
>>
>> but I have no "rpmnew" file for this.
>
> You'll need to ask a rpm expert, but my _guess_ is that rpm only creates the *.rpmnew file if the to-be-installed file has a different md5(?)sum than the file in the already installed package (as listed in the rpm database).

The "S.5....T." above indicates that the MD5sum was indeed wrong. Whatever.