[Bug 990724] New: libselinux 2.5 causes AppArmor denials for capability sys_admin for lots of binaries
http://bugzilla.opensuse.org/show_bug.cgi?id=990724

Bug ID: 990724
Summary: libselinux 2.5 causes AppArmor denials for capability sys_admin for lots of binaries
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: SUSE Other
Status: NEW
Severity: Critical
Priority: P5 - None
Component: Security
Assignee: jsegitz@novell.com
Reporter: suse-beta@cboltz.de
QA Contact: qa-bugs@suse.de
CC: i@marguerite.su, security-team@suse.de
Found By: Beta-Customer
Blocker: ---

The latest libselinux update (2.3 -> 2.5) causes AppArmor denials for capability sys_admin in simple binaries like logger, sed and find - and I'm quite sure those programs should _not_ do CAP_SYS_ADMIN stuff...

This can be easily reproduced by

su # this only happens as root
echo foo | logger

audit.log will show a denial afterwards:

type=AVC msg=audit(1469558131.006:2201): apparmor="DENIED" operation="capable" profile="/{usr/,}bin/logger" pid=9610 comm="logger" capability=21 capname="sys_admin"

I built 2.3 packages based on the previous version in Tumbleweed, and they solve the problem, so this is clearly a regression between 2.3 and 2.5. You can find the 2.3 packages in OBS home:cboltz:branches:openSUSE:Factory/libselinux

I'm rating this bug as critical because it could trick people into adding the sys_admin capability to lots of profiles, and sys_admin is one of the most powerful capabilities and should only be allowed if really needed.

--
You are receiving this mail because:
You are on the CC list for the bug.
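As an added example (not from the bug report or the libselinux/AppArmor projects), a small Python parser for audit.log AVC lines like the one quoted above. It groups capability denials per profile and lists the profiles where sys_admin showed up, so a profile author sees the pattern across many binaries before deciding whether any rule change is warranted. The first sample line is the one from the report; the other lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches key="quoted value" or key=bareword pairs in an audit record.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample audit.log content: line 1 is the denial quoted in the bug report,
# lines 2-4 are constructed to show a second profile, a non-capability
# denial and an ALLOWED record that must not be counted.
SAMPLE_LOG = """\
type=AVC msg=audit(1469558131.006:2201): apparmor="DENIED" operation="capable" profile="/{usr/,}bin/logger" pid=9610 comm="logger" capability=21 capname="sys_admin"
type=AVC msg=audit(1469558140.120:2202): apparmor="DENIED" operation="capable" profile="/usr/bin/sed" pid=9622 comm="sed" capability=21 capname="sys_admin"
type=AVC msg=audit(1469558150.330:2203): apparmor="DENIED" operation="open" profile="/usr/bin/sed" pid=9623 comm="sed" requested_mask="r" denied_mask="r" name="/etc/shadow"
type=AVC msg=audit(1469558160.440:2204): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/ntpd" pid=9630 comm="ntpd" capability=12 capname="net_admin"
"""


def parse_avc(line):
    """Return the key/value fields of one AppArmor AVC record, or None."""
    if not line.startswith("type=AVC"):
        return None
    return {key: val.strip('"') for key, val in _KV.findall(line)}


def capability_denials(log_text):
    """Map profile -> sorted capability names that AppArmor DENIED."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_avc(line)
        if f and f.get("apparmor") == "DENIED" and f.get("operation") == "capable":
            denied[f["profile"]].add(f["capname"])
    return {profile: sorted(caps) for profile, caps in denied.items()}


def profiles_denied_sys_admin(log_text):
    """Profiles with a sys_admin denial: the same capability across unrelated
    simple tools points at a shared library change, not at the binaries."""
    return sorted(p for p, caps in capability_denials(log_text).items()
                  if "sys_admin" in caps)


if __name__ == "__main__":
    for profile in profiles_denied_sys_admin(SAMPLE_LOG):
        print("sys_admin denied for", profile)
```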
http://bugzilla.opensuse.org/show_bug.cgi?id=990724#c1
Johannes Segitz
http://bugzilla.opensuse.org/show_bug.cgi?id=990724#c2
--- Comment #2 from Christian Boltz
http://bugzilla.opensuse.org/show_bug.cgi?id=990724#c3
--- Comment #3 from Johannes Segitz
http://bugzilla.opensuse.org/show_bug.cgi?id=990724#c4
--- Comment #4 from Christian Boltz
Victor Pereira
http://bugzilla.opensuse.org/show_bug.cgi?id=990724#c5
Johannes Segitz