https://bugzilla.novell.com/show_bug.cgi?id=408877

Summary: logprof drops the complain flag from subprofiles
Product: openSUSE 11.0
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Critical
Priority: P5 - None
Component: AppArmor
AssignedTo: jjohansen@novell.com
ReportedBy: poeml@novell.com
QAContact: qa@suse.de
Found By: ---

I set a profile (/usr/sbin/sshd) into complain mode (with the 'complain' tool), which added the flag to all profiles:

===================================================================
--- usr.sbin.sshd (revision 61) +++ usr.sbin.sshd (revision 62) @@ -69,7 +69,7 @@ @{PROC}/[0-9]*/mounts r, - ^AUTHENTICATED { + ^AUTHENTICATED flags=(complain) { #include <abstractions/authentication> #include <abstractions/consoles> #include <abstractions/nameservice> @@ -91,7 +91,7 @@ } - ^EXEC { + ^EXEC flags=(complain) { #include <abstractions/base> @@ -108,7 +108,7 @@ } - ^PRIVSEP { + ^PRIVSEP flags=(complain) { #include <abstractions/base> #include <abstractions/nameservice>
@@ -120,7 +120,7 @@ } - ^PRIVSEP_MONITOR { + ^PRIVSEP_MONITOR flags=(complain) { #include <abstractions/authentication> #include <abstractions/base> #include <abstractions/nameservice>
===================================================================

Now, running logprof shows two problems. The one is that it suggests changes, which it will write, but it will suggest them the next time again:

===================================================================
Profile: /usr/sbin/sshd
Path: /var/log/wtmp
Old Mode: w
New Mode: w + owner k
Severity: unknown

[1 - /var/log/wtmp]

[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /var/log/wtmp w + owner k to profile.

Profile: /usr/sbin/sshd
Path: /var/run/utmp
Old Mode: rw
New Mode: rw + owner k
Severity: unknown

[1 - /var/run/utmp]

[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
===================================================================

(I get these suggestions each time I run logprof, even though they are in the profile. This is similar to the other bug I reported, where the network mediation flags are ignored.)

But logprof does a change, which is unintended. It removes the complain flag from the subprofiles:

===================================================================
--- usr.sbin.sshd (revision 62) +++ usr.sbin.sshd (working copy) @@ -1,4 +1,4 @@ -# Last Modified: Mon Jul 14 14:29:09 2008 +# Last Modified: Mon Jul 14 14:34:41 2008 # $Id: usr.sbin.sshd 697 2007-05-25 03:09:30Z steve-beattie $ # ------------------------------------------------------------------ # @@ -69,7 +69,7 @@ @{PROC}/[0-9]*/mounts r, - ^AUTHENTICATED flags=(complain) { + ^AUTHENTICATED { #include <abstractions/authentication> #include <abstractions/consoles> #include <abstractions/nameservice> @@ -91,7 +91,7 @@ } - ^EXEC flags=(complain) { + ^EXEC { #include <abstractions/base>
@@ -108,7 +108,7 @@ } - ^PRIVSEP flags=(complain) { + ^PRIVSEP { #include <abstractions/base> #include <abstractions/nameservice> @@ -120,7 +120,7 @@ } - ^PRIVSEP_MONITOR flags=(complain) { + ^PRIVSEP_MONITOR { #include <abstractions/authentication> #include <abstractions/base> #include <abstractions/nameservice>
===================================================================

I gave this bug a higher severity because it looks as if it has the potential to lock the admin out.
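
Review bot: in the revision 62 to working copy diff, the hunks at @@ -69, @@ -91, @@ -108 and @@ -120 each rewrite a hat header (^AUTHENTICATED, ^EXEC, ^PRIVSEP, ^PRIVSEP_MONITOR) without its flags=(complain), and none of the visible hunks adds the /var/log/wtmp or /var/run/utmp rule that logprof said it was writing. Apart from the Last Modified timestamp, the flag removal is the only change shown, so the hats would be enforced on the next reload while the rules logprof keeps re-suggesting are still not recorded. The four headers should be restored to their revision 62 form before this working copy is loaded or committed.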
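
A check for the regression described in this report, as an added example that is not part of the original bug report or of the AppArmor tools: it parses a profile and lists the hats that no longer carry flags=(complain) while the enclosing profile still does. The function names and the sample profile are constructed for illustration, and the check assumes that the top-level profile header itself carries flags=(complain).

```python
import re
import sys

# A profile or hat header: a name, optional flags=(...), then "{" at end of line.
# Rule lines end in "," so they never match (assumes the syntax shown in the diffs).
HEADER = re.compile(
    r'^\s*(?P<name>(?:profile\s+)?[^\s#{][^\s{]*)\s*'
    r'(?:flags=\((?P<flags>[^)]*)\))?\s*\{\s*$')

def block_modes(profile_text):
    """Return (name, depth, is_complain) for every profile/hat header, in order."""
    out, depth = [], 0
    for line in profile_text.splitlines():
        m = HEADER.match(line)
        if m:
            flags = re.split(r'[,\s]+', (m.group('flags') or '').strip())
            out.append((m.group('name'), depth, 'complain' in flags))
            depth += 1
        elif line.strip() == '}':
            depth -= 1
    return out

def dropped_complain(profile_text):
    """Hats/subprofiles that enforce although their top-level profile complains."""
    dropped, parent_complain = [], False
    for name, depth, complain in block_modes(profile_text):
        if depth == 0:
            parent_complain = complain
        elif parent_complain and not complain:
            dropped.append(name)
    return dropped

# Constructed sample: a cut-down profile with one hat stripped of its flag
# (the state the report describes after logprof) and one hat still intact.
SAMPLE = """\
/usr/sbin/sshd flags=(complain) {
  #include <abstractions/base>
  @{PROC}/[0-9]*/mounts r,

  ^AUTHENTICATED {
    #include <abstractions/authentication>
  }

  ^PRIVSEP flags=(complain) {
    #include <abstractions/base>
  }
}
"""

if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for hat in dropped_complain(text):
        print('enforcing inside a complain-mode profile:', hat)
```

Run it against the profile file after each logprof session and before reloading the profile; any hat it prints would be enforced on reload.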