[Bug 1119937] New: apparmor sendmsg denied / nfs: rpc call returned error 13
http://bugzilla.opensuse.org/show_bug.cgi?id=1119937

            Bug ID: 1119937
           Summary: apparmor sendmsg denied / nfs: rpc call returned error 13
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 15.0
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: AppArmor
          Assignee: suse-beta@cboltz.de
          Reporter: per@computer.org
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

I have just 30mins ago updated a webserver which is on Leap15 on nfs root on
real iron. Now I'm seeing an increasing number of $SUBJ.
Kernel is the latest, 4.12.14-lp150.12.28-default.

A simple thing such as :

# less srv003057/logs/access-log-20181206.gz
/usr/bin/lessopen.sh: line 31: mktemp: command not found
"srv003057/logs/access-log-20181206.gz" may be a binary file. See it anyway?

or

# less srv003057/logs/access-log-20181206.gz
/usr/bin/lessopen.sh: line 14: /usr/bin/grep: Permission denied
/usr/bin/lessopen.sh: line 31: mktemp: command not found

grep and mktemp are both present, but $SUBJ gets in the way.

The NFS server was not changed, it's quite ancient.

It looks like this happens with kernel 4.12.14-lp150.12.28 and
4.12.14-lp150.12.25, but with 4.12.14-lp150.12.16 there is no problem.

Apparmor ?

Yes indeed -

type=AVC msg=audit(1545211515.082:140): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/lessopen.sh" pid=4077 comm="lessopen.sh" laddr=10.42.8.240 lport=980 faddr=10.42.8.254 fport=2049 family="inet" sock_type="stream" protocol=6
type=AVC msg=audit(1545211515.082:141): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/lessopen.sh" pid=4077 comm="lessopen.sh" laddr=10.42.8.240 lport=980 faddr=10.42.8.254 fport=2049 family="inet" sock_type="stream" protocol=6
type=AVC msg=audit(1545210738.216:264): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/lessopen.sh" pid=5074 comm="grep" laddr=10.42.8.240 lport=795 faddr=10.42.8.254 fport=2049 family="inet" sock_type="stream" protocol=6
type=AVC msg=audit(1545210738.216:265): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/lessopen.sh" pid=5074 comm="grep" laddr=10.42.8.240 lport=795 faddr=10.42.8.254 fport=2049 family="inet" sock_type="stream" protocol=6

I guess this "sendmsg" restriction is new in the most recent kernels?

See also
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1784499

--
You are receiving this mail because:
You are on the CC list for the bug.
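Added example, not part of the bug report: a small triage script that groups AppArmor DENIED audit records by profile, operation and remote endpoint, and marks groups whose remote port is 2049 (NFS). That is the link between the denials quoted above and the "rpc call returned error 13" (EACCES) symptom. The function and variable names are assumptions made for this example; the input lines are the four records from the report.

```python
import re
from collections import defaultdict

NFS_PORT = 2049  # standard NFS port; the fport value in the report's denials
PAIR_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value or key="value"

# The four audit records quoted in the bug report above.
REPORT_LINES = '''\
type=AVC msg=audit(1545211515.082:140): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/lessopen.sh" pid=4077 comm="lessopen.sh" laddr=10.42.8.240 lport=980 faddr=10.42.8.254 fport=2049 family="inet" sock_type="stream" protocol=6
type=AVC msg=audit(1545211515.082:141): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/lessopen.sh" pid=4077 comm="lessopen.sh" laddr=10.42.8.240 lport=980 faddr=10.42.8.254 fport=2049 family="inet" sock_type="stream" protocol=6
type=AVC msg=audit(1545210738.216:264): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/lessopen.sh" pid=5074 comm="grep" laddr=10.42.8.240 lport=795 faddr=10.42.8.254 fport=2049 family="inet" sock_type="stream" protocol=6
type=AVC msg=audit(1545210738.216:265): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/lessopen.sh" pid=5074 comm="grep" laddr=10.42.8.240 lport=795 faddr=10.42.8.254 fport=2049 family="inet" sock_type="stream" protocol=6
'''

def parse_record(line):
    """Parse one audit line into a dict; None if it is not an AppArmor record."""
    rec = {}
    for m in PAIR_RE.finditer(line):
        # Quoted values lose their quotes; bare values are kept as written.
        rec[m.group(1)] = m.group(3) if m.group(2).startswith('"') else m.group(2)
    return rec if "apparmor" in rec else None

def summarise_denials(text):
    """Group DENIED records by (profile, operation, remote address, remote port)."""
    groups = defaultdict(lambda: {"count": 0, "comms": set(), "pids": set()})
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["apparmor"] != "DENIED":
            continue
        key = (rec.get("profile"), rec.get("operation"),
               rec.get("faddr"), int(rec.get("fport", 0)))
        groups[key]["count"] += 1
        groups[key]["comms"].add(rec.get("comm", "?"))
        groups[key]["pids"].add(int(rec.get("pid", 0)))
    rows = []
    for (profile, op, faddr, fport), g in groups.items():
        rows.append({"profile": profile, "operation": op,
                     "peer": f"{faddr}:{fport}" if faddr else None,
                     "count": g["count"], "comms": sorted(g["comms"]),
                     "pids": sorted(g["pids"]),
                     # True when the denied traffic was headed to an NFS server port
                     "to_nfs_port": fport == NFS_PORT})
    return sorted(rows, key=lambda r: r["count"], reverse=True)

if __name__ == "__main__":
    for row in summarise_denials(REPORT_LINES):
        print(row)
```

On the report's records this yields a single group: every denial is a sendmsg to 10.42.8.254:2049 under the /usr/bin/lessopen.sh profile, including the ones where the running command is grep.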
--- Comment #1 from Christian Boltz
Christian Boltz
--- Comment #9 from Christian Boltz