[Bug 1219401] New: [Build 20240130] openssl packaging changes require apparmor profile update
https://bugzilla.suse.com/show_bug.cgi?id=1219401

            Bug ID: 1219401
           Summary: [Build 20240130] openssl packaging changes require apparmor profile update
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
               URL: https://openqa.opensuse.org/tests/3906242/modules/apache2_changehat/steps/115
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: AutoYaST
          Assignee: yast2-maintainers@suse.de
          Reporter: dimstar@opensuse.org
        QA Contact: qa-bugs@suse.de
  Target Milestone: ---
          Found By: openQA
           Blocker: Yes

## Observation

type=AVC msg=audit(1706694192.948:964): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/httpd-prefork" name="/etc/ssl/engines3.d/" pid=16836 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1706694192.948:965): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/httpd-prefork" name="/etc/ssl/engdef3.d/" pid=16836 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SERVICE_START msg=audit(1706694192.955:966): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=apache2 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=BPF msg=audit(1706694217.958:967): prog-id=186 op=LOAD
type=BPF msg=audit(1706694217.958:968): prog-id=187 op=LOAD
type=BPF msg=audit(1706694217.958:969): prog-id=188 op=LOAD
type=SERVICE_START msg=audit(1706694218.088:970): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=systemd-timedated comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1706694248.192:971): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=systemd-timedated comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

openQA test in scenario opensuse-Tumbleweed-DVD-x86_64-apparmor_profile@64bit fails in
[apache2_changehat](https://openqa.opensuse.org/tests/3906242/modules/apache2_changehat/steps/11...)

## Test suite description

Maintained by QE Security

## Reproducible

Fails since (at least) Build [20240123](https://openqa.opensuse.org/tests/3888806)

## Expected result

Last good: [20240122](https://openqa.opensuse.org/tests/3886273) (or more recent)

## Further details

Always latest result in this scenario: [latest](https://openqa.opensuse.org/tests/latest?arch=x86_64&distri=opensuse&flavor=DVD&machine=64bit&test=apparmor_profile&version=Tumbleweed)

--
You are receiving this mail because:
You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1219401#c1

--- Comment #1 from Dominique Leuenberger <dimstar@opensuse.org> ---

Also seen

type=AVC msg=audit(1706695132.222:893): apparmor="DENIED" operation="open" class="file" profile="dovecot-pop3-login" name="/etc/ssl/engines3.d/" pid=13622 comm="pop3-login" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1706695132.222:894): apparmor="DENIED" operation="open" class="file" profile="dovecot-pop3-login" name="/etc/ssl/engdef3.d/" pid=13622 comm="pop3-login" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=USER_AUTH msg=audit(1706695136.349:895): pid=13625 uid=0 auid=4294967295 ses=4294967295 subj=dovecot-auth msg='op=PAM:authentication grantors=pam_gnome_keyring,pam_unix acct="recipient" exe="/usr/lib/dovecot/auth" hostname=::1 addr=::1 terminal=dovecot res=success'
type=USER_ACCT msg=audit(1706695136.349:896): pid=13625 uid=0 auid=4294967295 ses=4294967295 subj=dovecot-auth msg='op=PAM:accounting grantors=pam_unix acct="recipient" exe="/usr/lib/dovecot/auth" hostname=::1 addr=::1 terminal=dovecot res=success'

https://bugzilla.suse.com/show_bug.cgi?id=1219401#c4

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dimstar@opensuse.org
              Flags|                            |needinfo?(dimstar@opensuse.org)

--- Comment #4 from Christian Boltz <suse-beta@cboltz.de> ---

Read access to the directory /etc/ssl/engines3.d/ looks like half of the story. The other half is:

- Which files will live in this directory - certs, keys, or both?
- Is there a naming pattern for the files, or do we need to allow "*"?
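
The denials quoted in the report and in comment #1 can be turned into candidate profile rules mechanically, which also makes the point of comment #4 visible: a rule on a path ending in `/` covers only the directory itself. This is an added example, not part of the bug thread or of the accepted fix; the function names are illustrative and the emitted rules are candidates for review.

```python
import re
from collections import defaultdict

# Audit records copied from the denials quoted in this thread, plus one
# non-AVC record from the same log to show that it is skipped.
SAMPLE_LOG = """\
type=AVC msg=audit(1706694192.948:964): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/httpd-prefork" name="/etc/ssl/engines3.d/" pid=16836 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1706694192.948:965): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/httpd-prefork" name="/etc/ssl/engdef3.d/" pid=16836 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SERVICE_START msg=audit(1706694192.955:966): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=apache2 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1706695132.222:893): apparmor="DENIED" operation="open" class="file" profile="dovecot-pop3-login" name="/etc/ssl/engines3.d/" pid=13622 comm="pop3-login" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1706695132.222:894): apparmor="DENIED" operation="open" class="file" profile="dovecot-pop3-login" name="/etc/ssl/engdef3.d/" pid=13622 comm="pop3-login" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare-value
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(log):
    """Yield one dict per AppArmor DENIED file record; skip everything else."""
    for line in log.splitlines():
        if not line.startswith("type=AVC "):
            continue
        rec = {key: quoted or bare for key, quoted, bare in KV.findall(line)}
        # Hex-encoded name= values (paths with special characters) are not decoded here.
        if rec.get("apparmor") == "DENIED" and rec.get("class") == "file":
            yield rec

def candidate_rules(log):
    """Map each confined profile to the path rules its denials suggest."""
    masks = defaultdict(lambda: defaultdict(set))
    for rec in parse_denials(log):
        masks[rec["profile"]][rec["name"]].update(rec["denied_mask"])
    result = {}
    for profile, paths in masks.items():
        rules = []
        for path in sorted(paths):
            # denied_mask is copied as-is; the sample contains only "r".
            rule = f"{path} {''.join(sorted(paths[path]))},"
            if path.endswith("/"):
                rule += "  # directory itself only; files inside need their own rule"
            rules.append(rule)
        result[profile] = rules
    return result

if __name__ == "__main__":
    for profile, rules in candidate_rules(SAMPLE_LOG).items():
        print(f"profile {profile}:")
        for rule in rules:
            print("  " + rule)
```
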

https://bugzilla.suse.com/show_bug.cgi?id=1219401#c7

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |DUPLICATE
             Status|NEW                         |RESOLVED

--- Comment #7 from Christian Boltz <suse-beta@cboltz.de> ---

Thanks for all the details. In the meantime, I got another report for the same denials - and just accepted the SR with the fix.

*** This bug has been marked as a duplicate of bug 1219571 ***