[Bug 1162277] New: apparmor profiles: usr.sbin.nscd profile breaks nscd queries over NIS
http://bugzilla.suse.com/show_bug.cgi?id=1162277

Bug ID: 1162277
Summary: apparmor profiles: usr.sbin.nscd profile breaks nscd queries over NIS
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
Assignee: suse-beta@cboltz.de
Reporter: martin.wilck@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Created attachment 828723
--> http://bugzilla.suse.com/attachment.cgi?id=828723&action=edit
PATCH: apparmor profiles: allow access to /etc/netconfig for nscd

I'm using "files nis" for passwd, shadow, and group in nsswitch.conf. I just found that this works for non-local accounts only without nscd:

apollon:~ # id hare
id: ‘hare’: no such user
apollon:~ # systemctl stop nscd
apollon:~ # id hare
uid=16045(hare) gid=50(suse) groups=50(suse),...
apollon:~ # systemctl start nscd
apollon:~ # id hare
id: ‘hare’: no such user

Analysis revealed that this was caused by the apparmor profile usr.sbin.nscd. I had indeed seen these messages but didn't realize they meant that no RPC was possible at all.
type=AVC msg=audit(1580402312.471:882): apparmor="DENIED" operation="open" profile="nscd" name="/etc/netconfig" pid=29401 comm="nscd" requested_mask="r" denied_mask="r" fsuid=496 ouid=0
type=AVC msg=audit(1580402312.471:883): apparmor="DENIED" operation="open" profile="nscd" name="/etc/netconfig" pid=29401 comm="nscd" requested_mask="r" denied_mask="r" fsuid=496 ouid=0
Adding "/etc/netconfig r," to the profile resolves the issue. See attached patch.

-- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1162277#c1

--- Comment #1 from Christian Boltz <suse-beta@cboltz.de> ---

Hmm, interesting[tm]. The nscd profile has

  #include <abstractions/nameservice>

and abstractions/nameservice has

  # libtirpc (used for NIS/YP login) needs this
  /etc/netconfig r,

(sidenote: this will become "/{usr/,}etc/netconfig r," with one of the next tumbleweed snapshots)

Therefore I'm surprised that you needed to add "/etc/netconfig r," because it is already in abstractions/nameservice. Can you please check
- if you have any *.rpmnew files in /etc/apparmor.d/ or its subdirectories
- run rpm -V apparmor-profiles apparmor-abstractions to check for modified files
Christian Boltz <suse-beta@cboltz.de> changed:

What    | Removed | Added
--------+---------+---------------------------------
CC      |         | martin.wilck@suse.com
Flags   |         | needinfo?(martin.wilck@suse.com)
http://bugzilla.suse.com/show_bug.cgi?id=1162277#c2

Martin Wilck <martin.wilck@suse.com> changed:

What        | Removed                          | Added
------------+----------------------------------+----------
Status      | NEW                              | RESOLVED
Resolution  | ---                              | INVALID
Flags       | needinfo?(martin.wilck@suse.com) |

--- Comment #2 from Martin Wilck <martin.wilck@suse.com> ---

Indeed, I had /etc/apparmor.d/abstractions/nameservice.rpmnew. And actually, I've had this file for 3 years:

2016-11-25 09:04:50|command|root@apollon.suse.de|'zypper' 'up'|
# 2016-11-25 09:04:53 apparmor-abstractions-2.10.1-5.1.noarch.rpm installed ok
# Additional rpm output:
# warning: /etc/apparmor.d/abstractions/nameservice created as /etc/apparmor.d/abstractions/nameservice.rpmnew
# redirecting to systemctl reload apparmor.service
# 2016-11-25 09:04:53|install|apparmor-abstractions|2.10.1-5.1|noarch||openSUSE-20160701-0|07801683ccd90ddec1516349e68fc0935a68d94a|

I swear I've never touched that file consciously. I never knew it even existed, in particular not in 2016 when I was still a novice TW user. But yeah, I must have ignored these messages for some time. My bad, then. Maybe I made a mistake back then, by running "zypper up" rather than "dup"?

The bug can be closed, sorry.

Strange though: I also have

apollon:/etc/apparmor.d # rpm -V apparmor-profiles
S.5....T. c /etc/apparmor.d/usr.sbin.nscd

(because I added the netconfig line on Friday) but I have no "rpmnew" file for this. "zypper in --force apparmor-profiles" does not change the situation, still wrong hash, no .rpmnew file. I had to delete the file and reinstall apparmor-profiles. Is that expected?
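The diagnosis in comments #1 and #2 can be automated: parse the DENIED audit records, expand AppArmor brace alternation such as /{usr/,}etc/netconfig, and check whether the shipped abstraction already grants the access (then the live file is stale, e.g. an unmerged .rpmnew) or a rule really is missing. The script below is an added example, not code from the bug report or from the AppArmor project; the audit lines are the ones quoted above, and the abstraction text is a constructed, abbreviated stand-in for abstractions/nameservice.

```python
import re

AVC_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value / key="value" pairs of an audit record
# Constructed samples: the two denials quoted in the report, plus an abbreviated stand-in for abstractions/nameservice
SAMPLE_AUDIT = """\
type=AVC msg=audit(1580402312.471:882): apparmor="DENIED" operation="open" profile="nscd" name="/etc/netconfig" pid=29401 comm="nscd" requested_mask="r" denied_mask="r" fsuid=496 ouid=0
type=AVC msg=audit(1580402312.471:883): apparmor="DENIED" operation="open" profile="nscd" name="/etc/netconfig" pid=29401 comm="nscd" requested_mask="r" denied_mask="r" fsuid=496 ouid=0
"""
SAMPLE_ABSTRACTION = """\
# libtirpc (used for NIS/YP login) needs this
/{usr/,}etc/netconfig r,
/etc/nsswitch.conf r,
"""

def parse_denials(audit_text):
    """Yield (profile, path, denied_mask) for every DENIED record that names a file."""
    for line in audit_text.splitlines():
        kv = {k: v.strip('"') for k, v in AVC_KV.findall(line)}
        if kv.get("apparmor") == "DENIED" and "name" in kv:
            yield kv["profile"], kv["name"], kv["denied_mask"]

def expand_braces(pattern):
    """'/{usr/,}etc/x' -> ['/usr/etc/x', '/etc/x'] (AppArmor alternation, nesting allowed)."""
    m = re.search(r'\{([^{}]*)\}', pattern)
    if not m:
        return [pattern]
    return [p for alt in m.group(1).split(',')
            for p in expand_braces(pattern[:m.start()] + alt + pattern[m.end():])]

def glob_to_regex(glob):
    """AppArmor file glob -> regex: '**' may cross '/', '*' and '?' may not."""
    trans = {'**': '.*', '*': '[^/]*', '?': '[^/]'}
    return ''.join(trans.get(p, re.escape(p)) for p in re.split(r'(\*\*|\*|\?)', glob))

def file_rules(text):
    """Yield (rule_line, compiled path regexes, perms) for plain '/path perms,' rules."""
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('/') and line.endswith(','):
            path, perms = line[:-1].rsplit(None, 1)
            yield line, [re.compile(glob_to_regex(p)) for p in expand_braces(path)], set(perms)

def triage(audit_text, abstraction_text):
    """('covered', rule) if a rule already grants the denial (live profile is stale), else ('suggest', new rule)."""
    rules = list(file_rules(abstraction_text))
    out = []
    for profile, path, mask in dict.fromkeys(parse_denials(audit_text)):  # dedupe, keep order
        hit = next((rule for rule, regs, perms in rules
                    if set(mask) <= perms and any(r.fullmatch(path) for r in regs)), None)
        out.append((profile, path, mask) + (("covered", hit) if hit else ("suggest", f"{path} {mask},")))
    return out
```

Run on the sample data it reports the /etc/netconfig denial as already covered by the "/{usr/,}etc/netconfig r," rule, which is exactly the hint that the installed abstraction, not the nscd profile, needs attention.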
http://bugzilla.suse.com/show_bug.cgi?id=1162277#c3

--- Comment #3 from Christian Boltz <suse-beta@cboltz.de> ---

(In reply to Martin Wilck from comment #2)
> Indeed, I had /etc/apparmor.d/abstractions/nameservice.rpmnew.
OK, that explains the problem :-)
> Maybe I made a mistake back then, by running "zypper up" rather than "dup"?
That shouldn't matter - *.rpmnew files are created by rpm, not zypper. The files in /etc/apparmor.d/ are packaged as "%config(noreplace)", therefore getting *.rpmnew files is not too surprising. However, I'm - like you - surprised that this happened for a file you never touched. AFAIK rpm should silently replace unmodified files with their newer version.
> Strange though: I also have
>
> apollon:/etc/apparmor.d # rpm -V apparmor-profiles
> S.5....T. c /etc/apparmor.d/usr.sbin.nscd
>
> (because I added the netconfig line on Friday)
> but I have no "rpmnew" file for this. "zypper in --force apparmor-profiles" does not change the situation, still wrong hash, no .rpmnew file. I had to delete the file and reinstall apparmor-profiles.
> Is that expected?
You'll need to ask an rpm expert, but my _guess_ is that rpm only creates the *.rpmnew file if the to-be-installed file has a different md5(?)sum than the file in the already installed package (as listed in the rpm database).
http://bugzilla.suse.com/show_bug.cgi?id=1162277#c4

--- Comment #4 from Martin Wilck <martin.wilck@suse.com> ---

(In reply to Christian Boltz from comment #3)
> The files in /etc/apparmor.d/ are packaged as "%config(noreplace)", therefore getting *.rpmnew files is not too surprising. However, I'm - like you - surprised that this happened for a file you never touched. AFAIK rpm should silently replace unmodified files with their newer version.
Perhaps I touched the file unknowingly or just forgot about it, it was 3y ago, no clue. What I observed when I checked your suggestion: Warnings about "rpmnew" or "rpmsave" files are visible in /var/log/zypp/history, but not on the command line. So they aren't actual warnings for the end user. This was on current TW.
> apollon:/etc/apparmor.d # rpm -V apparmor-profiles
> S.5....T. c /etc/apparmor.d/usr.sbin.nscd
>
> (because I added the netconfig line on Friday)
> but I have no "rpmnew" file for this.

> You'll need to ask an rpm expert, but my _guess_ is that rpm only creates the *.rpmnew file if the to-be-installed file has a different md5(?)sum than the file in the already installed package (as listed in the rpm database).
The "S.5....T." above indicates that the MD5sum was indeed wrong. Whatever.