[Bug 310260] New: AppArmor parser error CAP_INVALID-CAPABILITY
https://bugzilla.novell.com/show_bug.cgi?id=310260

Summary: AppArmor parser error CAP_INVALID-CAPABILITY
Product: openSUSE 10.2
Version: Final
Platform: i586
OS/Version: openSUSE 10.2
Status: NEW
Keywords: security_vulnerability
Severity: Critical
Priority: P5 - None
Component: AppArmor
AssignedTo: apparmor-dev@forge.novell.com
ReportedBy: plaugraud@a1.net
QAContact: dreynolds@novell.com
Found By: ---

The Update Profile Wizard shows an "invalid-capability" like:

-----
Profil /usr/sbin/sshd [or] /opt/kde3/bin/kdm
Funktion invalid-capability
Sicherheit unexpected capability rank input: CAP_INVALID-CAPABILITY
-----

If you say "allow" after then in the profile is stored the following statement:

"capability invalid-capability,"

After reloading AppArmor the parser runs in an error:

-----
b2bserver1:~ # rcapparmor reload
Reloading AppArmor profiles
AppArmor parser error in /etc/apparmor.d/usr.sbin.sshd at line 425: Found unexpected keyword: 'invalid'
Profile /etc/apparmor.d/usr.sbin.sshd failed to load
failed
-----

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=310260#c1
Dominic Reynolds
https://bugzilla.novell.com/show_bug.cgi?id=310260#c2
--- Comment #2 from Seth Arnold
https://bugzilla.novell.com/show_bug.cgi?id=310260#c3
Dominic Reynolds
https://bugzilla.novell.com/show_bug.cgi?id=310260#c4
John Johansen
Yes. These capabilities are in the parser. The severity.pm needs an update but I think that we are missing the kernel pieces for this for 10.2.
JJ: is that correct?
Yes we need the kernel patch in 10.2
https://bugzilla.novell.com/show_bug.cgi?id=310260#c5
Steven Beattie
https://bugzilla.novell.com/show_bug.cgi?id=310260#c6
--- Comment #6 from Rudolf M.
https://bugzilla.novell.com/show_bug.cgi?id=310260#c7
--- Comment #7 from Rudolf M.
Do you have the /var/log/audit.log from this system? I'd like to use that for debugging purposes.
Hello, I've the audit log submitted.
https://bugzilla.novell.com/show_bug.cgi?id=310260#c8
--- Comment #8 from Rudolf M.
In the short term, you can fix your sshd and kdm policies (located in /etc/apparmor.d) by replacing the line
capability invalid-capability,
with
capability audit_write,
and then do '/sbin/rcapparmor restart' (and probably restart sshd to ensure that the policy has been applied).
Hi,

changing to "capability audit_write" has no effect. The same error occurs:

unexpected capability rank input: CAP_INVALID-CAPABILITY

Regards,
Rudolf.
https://bugzilla.novell.com/show_bug.cgi?id=310260#c9
--- Comment #9 from Dominic Reynolds
https://bugzilla.novell.com/show_bug.cgi?id=310260#c10
--- Comment #10 from Seth Arnold
https://bugzilla.novell.com/show_bug.cgi?id=310260#c11
Jesse Michael
https://bugzilla.novell.com/show_bug.cgi?id=310260#c12
Rudolf M.
https://bugzilla.novell.com/show_bug.cgi?id=310260#c14
Stephan Kulow
https://bugzilla.novell.com/show_bug.cgi?id=310260
Michal Svec
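
A pre-reload check for the failure reported in this thread, as an added example that is not part of the bug report or of AppArmor's own tooling: it scans profile text for `capability` rules naming anything outside the capabilities(7) list, such as the `invalid-capability` entry that made the parser reject the sshd profile. The function name, the capability list and the sample profile are assumptions constructed for illustration.

```python
import re
import sys

# Capability names from capabilities(7), lower-cased without the CAP_ prefix.
# Assumption: the apparmor_parser installed on a given system may accept fewer.
KNOWN_CAPS = frozenset("""
    chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap
    linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock
    ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin
    sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
    audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
    block_suspend audit_read perfmon bpf checkpoint_restore
""".split())

# Optional audit/deny/allow qualifiers, the keyword, zero or more names, a comma.
RULE = re.compile(r"^\s*(?:(?:audit|deny|allow)\s+)*capability\b([^,#]*),")


def find_bad_capabilities(profile_text):
    """Return (line_no, name) for each capability name not in KNOWN_CAPS."""
    bad = []
    for line_no, line in enumerate(profile_text.splitlines(), 1):
        match = RULE.match(line)
        if not match:
            continue  # comments, file rules and everything else are skipped
        for name in match.group(1).split():
            if name not in KNOWN_CAPS:
                bad.append((line_no, name))
    return bad


# Constructed sample profile, not taken from the reporter's system.
SAMPLE = """\
/usr/sbin/sshd {
  capability chown,
  capability invalid-capability,
  # capability bogus,
  capability audit_write,
  audit capability sys_admin not_a_cap,
  capability,
}
"""

if __name__ == "__main__":
    # With no arguments, check the constructed sample; otherwise check the files.
    texts = [(p, open(p).read()) for p in sys.argv[1:]] or [("<sample>", SAMPLE)]
    findings = [(p, n, c) for p, t in texts for n, c in find_bad_capabilities(t)]
    for path, line_no, name in findings:
        print(f"{path}:{line_no}: unknown capability '{name}'")
    sys.exit(1 if findings else 0)
```

Run against the files in /etc/apparmor.d before a reload, a non-zero exit status points at the rule to fix while the previously loaded policy is still in place.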