[Bug 647718] New: type=APPARMOR_DENIED msg=audit(1286895153.120:12): operation="mkdir" pid=2218 parent=2217 profile="/usr/sbin/nscd" requested_mask="w::" denied_mask="w::" fsuid=0 ouid=0 name="/var/run/nscd/"
https://bugzilla.novell.com/show_bug.cgi?id=647718
https://bugzilla.novell.com/show_bug.cgi?id=647718#c0

Summary: type=APPARMOR_DENIED msg=audit(1286895153.120:12): operation="mkdir" pid=2218 parent=2217 profile="/usr/sbin/nscd" requested_mask="w::" denied_mask="w::" fsuid=0 ouid=0 name="/var/run/nscd/"
Classification: openSUSE
Product: openSUSE 11.3
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
AssignedTo: jeffm@novell.com
ReportedBy: per@opensuse.org
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-GB; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10

The summary line is from /var/log/audit/audit.log, I'm sure it says it all.

Reproducible: Always

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=647718#c1

--- Comment #1 from Per Jessen <per@opensuse.org> 2010-10-19 15:04:03 UTC ---
After checking /etc/apparmor.d/usr.sbin.nscd, I fixed the issue by manually creating /var/run/nscd. Maybe the nscd package needs an update?

https://bugzilla.novell.com/show_bug.cgi?id=647718#c2

Marcus Meissner <meissner@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |meissner@novell.com,
                   |                            |security-team@suse.de
         AssignedTo|jeffm@novell.com            |pbaudis@novell.com

--- Comment #2 from Marcus Meissner <meissner@novell.com> 2010-10-19 21:07:41 UTC ---
no, the apparmor profile needs an update to allow this.

https://bugzilla.novell.com/show_bug.cgi?id=647718#c3

Jeff Mahoney <jeffm@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jeffm@novell.com

--- Comment #3 from Jeff Mahoney <jeffm@novell.com> 2010-10-19 21:24:54 UTC ---
Depending on which implementation of nscd, it either goes in the package or the apparmor package. We should really clean that up.

https://bugzilla.novell.com/show_bug.cgi?id=647718#c4

Petr Baudis <pbaudis@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |per@opensuse.org

--- Comment #4 from Petr Baudis <pbaudis@novell.com> 2010-10-27 02:22:40 UTC ---
Per, not really. :) Are you using unscd or nscd? Can you still reproduce this? After quick conversation with AJ, I submitted another unscd with fixed profile a while ago. (No idea how could it ever work before.)

Jeff, that's true. I'm fine with just carrying usr.sbin.nscd in nscd package of glibc too.

https://bugzilla.novell.com/show_bug.cgi?id=647718#c5

Per Jessen <per@opensuse.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
       InfoProvider|per@opensuse.org            |

--- Comment #5 from Per Jessen <per@opensuse.org> 2010-10-27 13:04:42 UTC ---
Hi Petr - I'm running unscd, the default on 11.3. I guess I could reproduce it if I removed /var/run/nscd again.

https://bugzilla.novell.com/show_bug.cgi?id=647718#c6

--- Comment #6 from Petr Baudis <pbaudis@novell.com> 2010-10-27 16:01:51 UTC ---
Oh, I'm sorry, somehow I mislooked and thought this is on Factory. I will check this and prepare an update, I guess the same fix as for Factory is required.

https://bugzilla.novell.com/show_bug.cgi?id=647718#c8

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |suse-beta@cboltz.de

--- Comment #8 from Christian Boltz <suse-beta@cboltz.de> 2011-08-21 15:48:37 CEST ---
On 11.4, /var/run/nscd/ is owned by nscd-2.11.3-12.17.1.x86_64 - which means the profile wouldn't need to be changed.

OTOH, I seem to remember that (/var)/run is a tmpfs in Factory, which means /var/run/nscd/ needs to be created by the initscript or by nscd itself. Petr, what's the result of checking this in Factory? ;-)

Nevertheless: The following patch is against the profile in AppArmor 2.7 beta1. (If it is still required for Factory, I can submit it upstream.)

# cat apparmor-profiles-nscd-bnc647718.diff === modified file 'profiles/apparmor.d/usr.sbin.nscd' --- profiles/apparmor.d/usr.sbin.nscd 2011-07-14 12:57:57 +0000 +++ profiles/apparmor.d/usr.sbin.nscd 2011-08-21 13:41:13 +0000 @@ -28,7 +28,7 @@ /var/lib/samba/winbindd_privileged/pipe rw, /{,var/}run/.nscd_socket wl, /{,var/}run/avahi-daemon/socket w, - /{,var/}run/nscd/ r, + /{,var/}run/nscd/ rw, /{,var/}run/nscd/db* wl, /{,var/}run/nscd/socket wl, /var/{cache,run}/nscd/{passwd,group,services,hosts} rw,
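
Review bot: The changed rule "/{,var/}run/nscd/ rw," carries no comment saying why nscd needs write access to its own runtime directory, so a later cleanup could tighten it back to "r" and bring back the mkdir denial quoted in the bug summary. Suggest a one-line comment above the rule stating that the daemon creates the directory itself when it is missing at start (for example where /run is a tmpfs). The scope is otherwise tight: the trailing slash limits the grant to the directory itself under /run and /var/run, and the files inside stay governed by the "db*", "socket" and "{passwd,group,services,hosts}" rules visible in the context lines.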

https://bugzilla.novell.com/show_bug.cgi?id=647718#c

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |pbaudis@novell.com

https://bugzilla.novell.com/show_bug.cgi?id=647718#c9

Marcus Meissner <meissner@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
       InfoProvider|pbaudis@novell.com          |aj@novell.com

--- Comment #9 from Marcus Meissner <meissner@novell.com> 2011-08-22 06:59:12 UTC ---
petr is no longer working here.

needinfo aj (opensuse glibc maintainer)

https://bugzilla.novell.com/show_bug.cgi?id=647718#c10

Andreas Jaeger <aj@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
       InfoProvider|aj@novell.com               |suse-beta@cboltz.de
         AssignedTo|jeffm@novell.com            |aj@novell.com

--- Comment #10 from Andreas Jaeger <aj@novell.com> 2011-08-22 13:17:04 UTC ---
Christian, could you send me the complete AppArmor profile. It really needed updating in the glibc package. I'm taking the bug now for glibc.

https://bugzilla.novell.com/show_bug.cgi?id=647718#c11

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
       InfoProvider|suse-beta@cboltz.de         |

--- Comment #11 from Christian Boltz <suse-beta@cboltz.de> 2011-08-22 18:07:17 CEST ---
I can, but first I'd like to know if

  /{,var/}run/nscd/ rw,

is still needed in Factory (see comment #8 for details).
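
Added example, not part of the bug thread and not AppArmor's own tooling: a Python check that parses the denial from the bug summary and tests it against the rule before and after the patch in comment #8. The function names are hypothetical, and the glob translator covers only a subset of AppArmor path globbing (non-nested {a,b} with literal alternatives, **, * and ?).

```python
import re

# Audit record from the bug summary (copied from this page).
DENIAL = ('type=APPARMOR_DENIED msg=audit(1286895153.120:12): operation="mkdir" '
          'pid=2218 parent=2217 profile="/usr/sbin/nscd" requested_mask="w::" '
          'denied_mask="w::" fsuid=0 ouid=0 name="/var/run/nscd/"')

# The removed and added rule lines from the patch in comment #8.
RULE_BEFORE = "/{,var/}run/nscd/ r,"
RULE_AFTER = "/{,var/}run/nscd/ rw,"

def parse_denial(line):
    """Return the key="value" fields of an audit record as a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def glob_to_regex(glob):
    """Translate a subset of AppArmor path globbing (assumption: no [..] classes)."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):   # ** may cross directory separators
            out.append(".*")
            i += 2
            continue
        c = glob[i]
        if c == "*":                   # * stays within one path component
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":                 # {a,b} alternation, alternatives literal
            end = glob.index("}", i)
            alts = glob[i + 1:end].split(",")
            out.append("(?:" + "|".join(re.escape(a) for a in alts) + ")")
            i = end
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")

def rule_allows(rule, path, mask):
    """True if a 'path perms,' rule matches path and grants every bit in mask."""
    glob, perms = rule.rstrip(",").rsplit(None, 1)
    return bool(glob_to_regex(glob).match(path)) and set(mask) <= set(perms)

def check(rule, denial=DENIAL):
    """Would this single rule have permitted the logged access?"""
    rec = parse_denial(denial)
    mask = rec["denied_mask"].replace(":", "")  # "w::" -> "w"
    return rule_allows(rule, rec["name"], mask)
```

check(RULE_BEFORE) is False and check(RULE_AFTER) is True: the path already matched, and only the missing w bit on the directory caused the denial.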

https://bugzilla.novell.com/show_bug.cgi?id=647718#c12

--- Comment #12 from Andreas Jaeger <aj@novell.com> 2011-08-22 19:43:53 UTC ---
Right now it's needed, it really depends on making systemd the only way or not.

https://bugzilla.novell.com/show_bug.cgi?id=647718#c13

--- Comment #13 from Christian Boltz <suse-beta@cboltz.de> 2011-08-23 01:27:25 CEST ---
Created an attachment (id=447060) --> (http://bugzilla.novell.com/attachment.cgi?id=447060)
usr.sbin.nscd profile

This is the usr.sbin.nscd profile which I also just committed upstream (will be in AppArmor 2.7 beta2).

That said: Please find a way to get the profile automatically updated. Moving it to the apparmor-profiles package might be the easiest solution, because this package is built from the upstream sources anyway.

https://bugzilla.novell.com/show_bug.cgi?id=647718#c14

--- Comment #14 from Andreas Jaeger <aj@novell.com> 2011-08-23 18:51:52 UTC ---
Christian, I can easily drop the profile from glibc. Right now both glibc and unscd have their own version of usr.sbin.nscd - since they are different implementations. So, how should we do it?

https://bugzilla.novell.com/show_bug.cgi?id=647718#c15

--- Comment #15 from Christian Boltz <suse-beta@cboltz.de> 2011-08-23 22:11:26 CEST ---
I just checked the profile in the unscd package - the only real difference in unscd are those additional lines:

  capability setgid,
  capability setuid,

I'll try to get them upstream (patch sent), and when this is done, Jeff can add the profile to the apparmor-profiles package and you can remove it from glibc/nscd and unscd.

Since this will probably need some time, please update the profile in the glibc package a last time ;-) and then assign this bug to me.

https://bugzilla.novell.com/show_bug.cgi?id=647718#c16

--- Comment #16 from Christian Boltz <suse-beta@cboltz.de> 2011-08-24 01:52:51 CEST ---
Merged profile will be in AppArmor 2.7 beta2.

https://bugzilla.novell.com/show_bug.cgi?id=647718#c17

Andreas Jaeger <aj@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |aj@suse.com
         AssignedTo|aj@suse.com                 |suse-beta@cboltz.de

--- Comment #17 from Andreas Jaeger <aj@suse.com> 2011-08-25 11:27:12 UTC ---
Thanks Christian! glibc is updated, I'm pushing to factory now.

https://bugzilla.novell.com/show_bug.cgi?id=647718#c18

--- Comment #18 from Bernhard Wiedemann <bwiedemann@novell.com> 2011-08-25 12:00:09 UTC ---
This is an autogenerated message for OBS integration:
This bug (647718) was mentioned in
https://build.opensuse.org/request/show/79752 Factory / glibc

https://bugzilla.novell.com/show_bug.cgi?id=647718#c19

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #19 from Christian Boltz <suse-beta@cboltz.de> 2011-09-16 21:01:09 CEST ---
SRs to remove the apparmor profile from the glibc (SR 82535) and unscd (SR 82536) package sent.

The profile is now packaged in the apparmor-profiles package.

https://bugzilla.novell.com/show_bug.cgi?id=647718#c20

--- Comment #20 from Bernhard Wiedemann <bwiedemann@suse.com> 2011-09-19 11:00:10 CEST ---
This is an autogenerated message for OBS integration:
This bug (647718) was mentioned in
https://build.opensuse.org/request/show/83382 Factory / unscd