[Bug 546618] New: logprof/genprof don't work - changed audit.log format - openSUSE Bugs

newer
[Bug 668311] New: AppArmor profile...

[Bug 546618] New: logprof/genprof don't work - changed audit.log format

bugzilla_noreply＠novell.com

13 Oct 2009 13 Oct '09

19:29

http://bugzilla.novell.com/show_bug.cgi?id=546618 Summary: logprof/genprof don't work - changed audit.log format Classification: openSUSE Product: openSUSE 11.2 Version: Milestone 8 Platform: Other OS/Version: All Status: NEW Severity: Critical Priority: P5 - None Component: AppArmor AssignedTo: jeffm@novell.com ReportedBy: suse-beta@cboltz.de QAContact: qa@suse.de Found By: Beta-Customer (using 11.2 M8 + packages from http://ftp.suse.com/pub/people/jeffm/suse/testpkgs/540525) logprof and genprof don't add anything to the profile - for me their behaviour looks as if they would read /dev/null instead of /var/log/audit/audit.log :-( # LANG=C aa-logprof Reading log entries from /var/log/audit/audit.log. Updating AppArmor profiles in /etc/apparmor.d. # (end) I _have_ several lines in audit.log that should cause logprof to ask what to do with these events. The same happens with genprof - it just creates a very small default profile, but does not ask about any of the entries in audit.log. I doubt logprof and genprof really read from /dev/null, so there must be something else. I just compared the audit.log from 11.1 and 11.2. Here are example lines for each: 11.1 type=APPARMOR_AUDIT msg=audit(1255458551.064:476442): operation="file_permission" requested_mask="::w" fsuid=30 name="/home/www/some.host/some.file" pid=2484 parent=20025 profile="/usr/sbin/httpd2-prefork//HANDLING_UNTRUSTED_INPUT" 11.2 type=APPARMOR_ALLOWED msg=audit(1255457955.497:218): operation="file_perm" pid=11537 parent=11536 profile="/home/sys-tmp/test//null-2d" requested_mask="r::" denied_mask="r::" fsuid=1000 ouid=1000 name="/home/sys-tmp/test2" -> the log format has changed! - different order (pid and parent are now after operation, requested_mask and denied_mask are now after profile, ouid added, ...) - different keywords for operation (file_permissions vs. file_perm, new(?) keyword "open", ...) - the //null-2d hat in the 11.2 log line looks also new to me - maybe other changes Please update logprof and genprof to understand the new log format. BTW: To verify this, I copied a audit.log from 11.1 to my 11.2 system - logprof started to ask the usual questions when given this log. So the bug here is really caused by the log format change. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

Show replies by date

bugzilla_noreply＠novell.com

13 Oct 13 Oct

20:19

New subject: [Bug 546618] logprof/genprof don't work - changed audit.log format

http://bugzilla.novell.com/show_bug.cgi?id=546618 User jeffm@novell.com added comment http://bugzilla.novell.com/show_bug.cgi?id=546618#c1 Jeff Mahoney changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO Info Provider| |suse-beta@cboltz.de --- Comment #1 from Jeff Mahoney 2009-10-13 14:19:19 MDT --- Ok, new test packages for you. These include the fix from bnc#540525, though I suppose that's obvious since there wouldn't be a lot of testing to do with a genprof that crashed again. ;) http://ftp.suse.com/pub/people/jeffm/suse/testpkgs/546618 -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

14 Oct 14 Oct

20:32

New subject: [Bug 546618] logprof/genprof don't work - changed audit.log format

http://bugzilla.novell.com/show_bug.cgi?id=546618 User suse-beta@cboltz.de added comment http://bugzilla.novell.com/show_bug.cgi?id=546618#c2 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW Info Provider|suse-beta@cboltz.de | --- Comment #2 from Christian Boltz 2009-10-14 22:32:44 CEST --- Thanks for the test packages. They fix at least read and write permissions, but execute permissions are still not seen by genprof and logprof. I'm generating a profile for this testscript: #!/bin/bash echo "Hello World!" > /tmp/hello.txt cat /tmp/hello.txt rm /tmp/hello.txt This is the resulting profile after a genprof run: (Note: I have a symlink /tmp -> /home/sys-tmp) #include /home/cb/linuxtag/scripts/hello { #include #include /bin/bash ix, owner /home/cb/linuxtag/scripts/hello r, owner /home/sys-tmp/hello.txt w, ^null-3d { #include owner /home/sys-tmp/hello.txt r, } ^null-3f { #include } } Issues with this profile: - no execute permissions for rm and cat - the null-* hats are strange and get different names with each run of the script. This means the audit.log is spammed and logprof will ask to create lots of hats (two per script run). It probably also means that the script will get a "permission denied" because of a missing ^null-$RANDOM hat - however I can't test this because of the missing execute permissions for cat and rm - no permissions for /dev/tty and /dev/pts/* (aka abstractions/consoles) This is how the profile should like (hand-written, doesn't cause any audit.log entries): #include /home/cb/linuxtag/scripts/hello { #include #include #include # added /bin/bash ix, /bin/cat ix, # added /bin/rm ix, # added owner /home/cb/linuxtag/scripts/hello r, owner /home/sys-tmp/hello.txt rw, # merged with permissions from hats # all null-* hats removed } To speedup testing, please consider to test genprof with my little testscript until you get a profile which doesn't cause audit.log entries anymore. Of course I'm willing to do more tests if needed, but I guess that testing with my script is faster than uploading test packages ;-) -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

24 Oct 24 Oct

00:35

New subject: [Bug 546618] logprof/genprof don't work - changed audit.log format

http://bugzilla.novell.com/show_bug.cgi?id=546618 User suse-beta@cboltz.de added comment http://bugzilla.novell.com/show_bug.cgi?id=546618#c3 --- Comment #3 from Christian Boltz 2009-10-24 02:35:30 CEST --- *ping* Jeff, any news on the apparmor tools? -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

00:38

New subject: [Bug 546618] logprof/genprof don't work - changed audit.log format

http://bugzilla.novell.com/show_bug.cgi?id=546618 User jeffm@novell.com added comment http://bugzilla.novell.com/show_bug.cgi?id=546618#c4 Jeff Mahoney changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P2 - High Status|NEW |ASSIGNED --- Comment #4 from Jeff Mahoney 2009-10-23 18:38:28 MDT --- No, not yet. I thought I updated this report, but I must've closed my browser without saving. I'm able to reproduce the problem - with loads of those null subprofiles, but I haven't had time to track it down yet. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

30 Oct 30 Oct

09:59

New subject: [Bug 546618] logprof/genprof don't work - changed audit.log format

http://bugzilla.novell.com/show_bug.cgi?id=546618 User swamp@suse.com added comment http://bugzilla.novell.com/show_bug.cgi?id=546618#c5 Swamp Workflow Management changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard| |maint:released:11.2:28194 --- Comment #5 from Swamp Workflow Management 2009-10-30 03:59:18 MDT --- Update released for: libapparmor1 Products: openSUSE 11.2 (debug, i586, x86_64) -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

19 Nov 19 Nov

22:04

New subject: [Bug 546618] logprof/genprof don't work - changed audit.log format

http://bugzilla.novell.com/show_bug.cgi?id=546618 http://bugzilla.novell.com/show_bug.cgi?id=546618#c6 --- Comment #6 from Christian Boltz 2009-11-19 23:04:17 CET --- Jeff, any news on the apparmor tools? -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

22:28

New subject: [Bug 546618] logprof/genprof don't work - changed audit.log format

http://bugzilla.novell.com/show_bug.cgi?id=546618 http://bugzilla.novell.com/show_bug.cgi?id=546618#c7 --- Comment #7 from Jeff Mahoney 2009-11-19 22:28:28 UTC --- Sorry, no. I'm pretty far behind on bug triage and kernel bugs. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

16 Jan 16 Jan

03:04

New subject: [Bug 546618] logprof/genprof don't work - changed audit.log format

http://bugzilla.novell.com/show_bug.cgi?id=546618 http://bugzilla.novell.com/show_bug.cgi?id=546618#c8 --- Comment #8 from Stephan Kleine 2010-01-16 03:04:09 UTC --- Bump :D Sorry to pester you Jeff, but is there anything new regarding that subject? -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

19 Dec 19 Dec

14:00

New subject: [Bug 546618] logprof/genprof don't work - changed audit.log format

https://bugzilla.novell.com/show_bug.cgi?id=546618 https://bugzilla.novell.com/show_bug.cgi?id=546618#c9 Andreas Schneider changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |asn@cynapses.org Component|AppArmor |AppArmor Version|Milestone 8 |Factory Product|openSUSE 11.2 |openSUSE 11.4 --- Comment #9 from Andreas Schneider 2010-12-19 14:00:47 UTC --- This is still valid for 11.3 and 11.4. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

17:44

New subject: [Bug 546618] logprof/genprof don't work - changed audit.log format

https://bugzilla.novell.com/show_bug.cgi?id=546618 https://bugzilla.novell.com/show_bug.cgi?id=546618#c10 --- Comment #10 from Jeff Mahoney 2010-12-19 17:44:30 UTC --- I expect this to be fixed for 11.4 with the AppArmor 2.5 update. I'm still working out all the kinks on getting it to build from one package, as it needs libtool to link internally and Perl MakeMaker can be a pain to combine with it. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

23:45

New subject: [Bug 546618] logprof/genprof don't work - changed audit.log format

https://bugzilla.novell.com/show_bug.cgi?id=546618 https://bugzilla.novell.com/show_bug.cgi?id=546618#c11 --- Comment #11 from Christian Boltz 2010-12-20 00:45:20 CET --- (In reply to comment #10)

...

I expect this to be fixed for 11.4 with the AppArmor 2.5 update.

Good to hear this :-) BTW: The GPG key of the security:apparmor:factory repo is expired. You should be able to extend it with osc signkey --extend -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

23 Dec 23 Dec

00:02

New subject: [Bug 546618] logprof/genprof don't work - changed audit.log format

https://bugzilla.novell.com/show_bug.cgi?id=546618 https://bugzilla.novell.com/show_bug.cgi?id=546618#c12 --- Comment #12 from Christian Boltz 2010-12-23 01:02:07 CET --- Just FYI: I upgraded to the 2.5.1 packages [1] on my 11.3 system, and run genprof for the test script in comment #2. Good news: the resulting profile looks exactly as it should and it even works :-) I'm looking forward to have 2.5.1 in Factory, and I'd propose to release the new version as online update for 11.2 and 11.3. (Yes, I know version updates shouldn't happen via online update, but I think this one would be worth an exception.) [1] I updated only some apparmor packages for now. updated to 2.5: apparmor-utils, apparmor-parser, perl-apparmor, libapparmor1 still on 2.3: pam_apparmor, apparmor-profiles, pam_apparmor-32bit, libapparmor1-32bit, apparmor-docs -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

6 Jan 6 Jan

19:58

New subject: [Bug 546618] logprof/genprof don't work - changed audit.log format

https://bugzilla.novell.com/show_bug.cgi?id=546618 https://bugzilla.novell.com/show_bug.cgi?id=546618#c13 --- Comment #13 from Jeff Mahoney 2011-01-06 19:58:57 UTC --- Ok, this is essentially fixed for factory -- but is still awaiting the package checkin. I'll revisit once that's done. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

24 Jan 24 Jan

14:41

New subject: [Bug 546618] logprof/genprof don't work - changed audit.log format

https://bugzilla.novell.com/show_bug.cgi?id=546618 https://bugzilla.novell.com/show_bug.cgi?id=546618#c14 Jeff Mahoney changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |FIXED --- Comment #14 from Jeff Mahoney 2011-01-24 14:41:26 UTC --- The package has been checked in and one more issue with logprof/genprof has been addressed. Closing as FIXED. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

31 Jan 31 Jan

12:05

New subject: [Bug 546618] logprof/genprof don't work - changed audit.log format

https://bugzilla.novell.com/show_bug.cgi?id=546618 https://bugzilla.novell.com/show_bug.cgi?id=546618#c15 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |VERIFIED --- Comment #15 from Christian Boltz 2011-01-31 13:05:08 CET --- Verified, thanks for working on the AppArmor update! FYI: I opened bug 668311 to request a maintenance update for 11.3 (and maybe also 11.2, not sure if it has the same problem). -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

8 Apr 8 Apr

13:41

New subject: [Bug 546618] logprof/genprof don't work - changed audit.log format

https://bugzilla.novell.com/show_bug.cgi?id=546618 https://bugzilla.novell.com/show_bug.cgi?id=546618#c16 --- Comment #16 from Dirk Mueller 2011-04-08 15:41:52 CEST --- *** Bug 685833 has been marked as a duplicate of this bug. *** http://bugzilla.novell.com/show_bug.cgi?id=685833 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

28 Apr 28 Apr

11:47

New subject: [Bug 546618] logprof/genprof don't work - changed audit.log format

https://bugzilla.novell.com/show_bug.cgi?id=546618 https://bugzilla.novell.com/show_bug.cgi?id=546618#c17 --- Comment #17 from Bernhard Wiedemann 2011-04-28 13:47:56 CEST --- This is an autogenerated message for OBS integration: This bug (546618) was mentioned in https://build.opensuse.org/request/show/66428 https://build.opensuse.org/request/show/66453 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

10 May 10 May

21:28

New subject: [Bug 546618] logprof/genprof don't work - changed audit.log format

https://bugzilla.novell.com/show_bug.cgi?id=546618 https://bugzilla.novell.com/show_bug.cgi?id=546618#c18 Swamp Workflow Management changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard|maint:released:11.2:28194 |maint:released:11.2:28194 | |maint:released:11.2:40137 --- Comment #18 from Swamp Workflow Management 2011-05-10 21:28:48 UTC --- Update released for: apparmor-utils Products: openSUSE 11.2 (i586) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

16 May 16 May

19:00

New subject: [Bug 546618] logprof/genprof don't work - changed audit.log format

https://bugzilla.novell.com/show_bug.cgi?id=546618 https://bugzilla.novell.com/show_bug.cgi?id=546618#c19 Swamp Workflow Management changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard|maint:released:11.2:28194 |maint:released:11.2:28194 |maint:released:11.2:40137 |maint:released:11.2:40137 | |maint:released:11.3:40158 --- Comment #19 from Swamp Workflow Management 2011-05-16 19:00:28 UTC --- Update released for: apparmor-utils Products: openSUSE 11.3 (i586) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

25 May 25 May

16:14

New subject: [Bug 546618] logprof/genprof don't work - changed audit.log format

https://bugzilla.novell.com/show_bug.cgi?id=546618 https://bugzilla.novell.com/show_bug.cgi?id=546618#c20 Swamp Workflow Management changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard|maint:released:11.2:28194 |maint:released:11.2:28194 |maint:released:11.2:40137 |maint:released:11.2:40137 |maint:released:11.3:40158 |maint:released:11.3:40158 | |maint:released:sle11-sp1:40 | |948 --- Comment #20 from Swamp Workflow Management 2011-05-25 16:14:13 UTC --- Update released for: apparmor-parser, apparmor-parser-debuginfo, apparmor-parser-debugsource, apparmor-profiles, apparmor-utils, libapparmor-devel, libapparmor1, libapparmor1-32bit, libapparmor1-debuginfo, libapparmor1-debuginfo-32bit, libapparmor1-debuginfo-x86, libapparmor1-debugsource, libapparmor1-x86, perl-libapparmor Products: SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP1 (i386, x86_64) SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP1 (i386, x86_64) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

4777

Age (days ago)

5366

Last active (days ago)

List overview

Download

20 comments

1 participants

participants (1)

bugzilla_noreply＠novell.com

[Bug 546618] New: logprof/genprof don't work - changed audit.log format

tags

participants (1)