[Bug 1219571] New: profiles: openssl 1.1 requires /etc/ssl/engines3.d/ path access
https://bugzilla.suse.com/show_bug.cgi?id=1219571

Bug ID: 1219571
Summary: profiles: openssl 1.1 requires /etc/ssl/engines3.d/ path access
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
Assignee: ddiss@suse.com
Reporter: ddiss@suse.com
QA Contact: qa-bugs@suse.de
CC: mrueckert@suse.com, suse-beta@cboltz.de
Target Milestone: ---
Found By: ---
Blocker: ---

darix reported the following AVCs when running nginx alongside openssl 1.1:

type=AVC msg=audit(X): apparmor="DENIED" operation="open" class="file" profile="nginx" name="/etc/ssl/engines3.d/" pid=Y comm="nginx" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(X+1): apparmor="DENIED" operation="open" class="file" profile="nginx" name="/etc/ssl/engdef3.d/" pid=Y comm="nginx" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Presumably we need something like:

--- a/profiles/apparmor.d/abstractions/openssl
+++ b/profiles/apparmor.d/abstractions/openssl
@@ -12,8 +12,8 @@
 /etc/ssl/openssl.cnf r,
 /etc/ssl/openssl-*.cnf r,
- /etc/ssl/{engdef,engines}.d/ r,
- /etc/ssl/{engdef,engines}.d/*.cnf r,
+ /etc/ssl/{engdef,engines,engines3}.d/ r,
+ /etc/ssl/{engdef,engines,engines3}.d/*.cnf r,
 /usr/share/ssl/openssl.cnf r,

 # Include additions to the abstraction

...but it'd be good to first know what other paths may be affected before submitting upstream.

--
You are receiving this mail because:
You are on the CC list for the bug.
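Review bot: the new alternation `{engdef,engines,engines3}.d/` in this hunk covers engines3.d but not engdef3.d, yet the second AVC quoted above is a denial on /etc/ssl/engdef3.d/, so that denial would persist with the patch as written; list both versioned names, e.g. `/etc/ssl/{engdef,engdef3,engines,engines3}.d/ r,` and the same alternation on the `*.cnf` line, or note in the commit message why engdef3.d is left out.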
https://bugzilla.suse.com/show_bug.cgi?id=1219571#c1

David Disseldorp <ddiss@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Flags|                            |needinfo?(mrueckert@suse.com)

--- Comment #1 from David Disseldorp <ddiss@suse.com> ---
(In reply to David Disseldorp from comment #0)
...
> Presumably we need something like:
>
> --- a/profiles/apparmor.d/abstractions/openssl
> +++ b/profiles/apparmor.d/abstractions/openssl
> @@ -12,8 +12,8 @@
>  /etc/ssl/openssl.cnf r,
>  /etc/ssl/openssl-*.cnf r,
> - /etc/ssl/{engdef,engines}.d/ r,
> - /etc/ssl/{engdef,engines}.d/*.cnf r,
> + /etc/ssl/{engdef,engines,engines3}.d/ r,
> + /etc/ssl/{engdef,engines,engines3}.d/*.cnf r,
>  /usr/share/ssl/openssl.cnf r,
>
>  # Include additions to the abstraction
>
> ...but it'd be good to first know what other paths may be affected before submitting upstream.

Setting needinfo just to confirm this.
https://bugzilla.suse.com/show_bug.cgi?id=1219571#c4

--- Comment #4 from David Disseldorp <ddiss@suse.com> ---
(In reply to Otto Hollmann from comment #2)
> Starting with SLE15-SP6 (ALP and Tumbleweed) we renamed openssl 1.1 directories
>   /etc/ssl/engdef.d to /etc/ssl/engdef1.1.d
>   /etc/ssl/engines.d to /etc/ssl/engines1.1.d
> And created symbolic links to openssl-3 directories
>   /etc/ssl/engdef.d -> /etc/ssl/engdef3.d
>   /etc/ssl/engines.d -> /etc/ssl/engines3.d
>
> So I think we need to add engdef{1.1,3}.d and engines{1.1,3}.d

On TW it's engdef1_1.d and engines1_1.d (note the underscore), so I've submitted it via:
https://gitlab.com/apparmor/apparmor/-/merge_requests/1147

Test feedback would be much appreciated.
https://bugzilla.suse.com/show_bug.cgi?id=1219571#c6

David Disseldorp <ddiss@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Flags|                            |needinfo?

--- Comment #6 from David Disseldorp <ddiss@suse.com> ---
(In reply to Marcus Rückert from comment #5)
> The submit request to TW that changes "_" to "." is just being reviewed by me, so the 1_1 is deprecated.

Thanks, I've updated the upstream MR to use a wildcard, following Christian's suggestion. I'll submit for Factory once acked upstream.
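As an added check, not code from the bug report or from the AppArmor project, the script below parses AVC records of the shape shown in comment #0 (rebuilt here as constructed sample lines with made-up timestamps and pids) and tests candidate abstraction rules against every engine directory name mentioned in the thread: the plain names, the openssl-3 names from the AVCs, and both the dot and underscore spellings of the openssl-1.1 names from comments #2, #4 and #5. It models AppArmor path globbing with a simplified translation to regular expressions (`{a,b}` alternation, `*` within one path component, `**` across components, `?` for one character); the wildcard rule `/etc/ssl/{engdef,engines}*.d/` is an assumed form of the wildcard referred to in comment #6, since the merge request text is not quoted here, and `example.cnf` is a hypothetical engine config entry.

```python
"""Check candidate AppArmor rules against the /etc/ssl engine directory names
from bsc#1219571.  Added example using a simplified model of AppArmor path
globbing, not the AppArmor parser itself."""
import re

# Constructed sample records modelled on the two DENIED lines in comment #0
# (timestamps, pids and the ALLOWED line are made up for the example).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1706000000.001:101): apparmor="DENIED" operation="open" class="file" profile="nginx" name="/etc/ssl/engines3.d/" pid=4242 comm="nginx" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1706000000.002:102): apparmor="DENIED" operation="open" class="file" profile="nginx" name="/etc/ssl/engdef3.d/" pid=4242 comm="nginx" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1706000000.003:103): apparmor="ALLOWED" operation="open" class="file" profile="nginx" name="/etc/ssl/openssl.cnf" pid=4242 comm="nginx" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# Directory names mentioned across the thread, plus one hypothetical .cnf
# entry so the second rule line gets exercised too.
CANDIDATE_PATHS = [
    "/etc/ssl/engdef.d/", "/etc/ssl/engines.d/",        # plain names (symlinks on TW)
    "/etc/ssl/engdef3.d/", "/etc/ssl/engines3.d/",      # openssl-3 names, from the AVCs
    "/etc/ssl/engdef1.1.d/", "/etc/ssl/engines1.1.d/",  # openssl-1.1 names on SLE15-SP6
    "/etc/ssl/engdef1_1.d/", "/etc/ssl/engines1_1.d/",  # underscore spelling (TW, being dropped)
    "/etc/ssl/engines3.d/example.cnf",                  # hypothetical engine config
]

# The rule pair proposed in comment #0, and an assumed wildcard form of the
# rule mentioned in comment #6 (the MR text is not quoted in the thread).
PROPOSED_RULES = ["/etc/ssl/{engdef,engines,engines3}.d/",
                  "/etc/ssl/{engdef,engines,engines3}.d/*.cnf"]
WILDCARD_RULES = ["/etc/ssl/{engdef,engines}*.d/",
                  "/etc/ssl/{engdef,engines}*.d/*.cnf"]

DENIAL_RE = re.compile(r'apparmor="DENIED".*?profile="([^"]+)".*?name="([^"]+)"'
                       r'.*?denied_mask="([^"]+)"')


def parse_denials(log_text, profile=None):
    """Return (profile, path, denied_mask) for each DENIED record, optionally
    filtered to one profile name."""
    found = []
    for line in log_text.splitlines():
        m = DENIAL_RE.search(line)
        if m and (profile is None or m.group(1) == profile):
            found.append(m.groups())
    return found


def denials_to_rules(denials):
    """Literal rule lines that would silence exactly the observed denials."""
    return sorted({f"{path} {mask}," for _, path, mask in denials})


def apparmor_glob_to_regex(glob):
    """Translate an AppArmor path glob into an anchored regex (simplified:
    one level of {a,b}, '*' stays inside a path component, '**' crosses '/')."""
    out, depth, i = [], 0, 0
    while i < len(glob):
        ch = glob[i]
        if ch == "{":
            depth += 1
            out.append("(?:")
        elif ch == "}" and depth:
            depth -= 1
            out.append(")")
        elif ch == "," and depth:
            out.append("|")
        elif ch == "*":
            if glob.startswith("**", i):
                out.append(".*")
                i += 1
            else:
                out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(ch))
        i += 1
    return "".join(out)


def rule_matches(rule_path, path):
    return re.fullmatch(apparmor_glob_to_regex(rule_path), path) is not None


def uncovered(rules, paths):
    """Paths that no rule in the set matches."""
    return [p for p in paths if not any(rule_matches(r, p) for r in rules)]


def main():
    denials = parse_denials(SAMPLE_AUDIT_LOG, profile="nginx")
    print("literal rules from the log:", denials_to_rules(denials))
    for label, rules in (("proposed", PROPOSED_RULES), ("wildcard", WILDCARD_RULES)):
        print(f"{label}: still uncovered -> {uncovered(rules, CANDIDATE_PATHS)}")


if __name__ == "__main__":
    main()
```

Run it as-is: the comment #0 rule set leaves /etc/ssl/engdef3.d/ and all four 1.1-style names uncovered, while the wildcard form covers every name in the list without reaching into other /etc/ssl/ entries, because `*` stops at `/`.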
https://bugzilla.suse.com/show_bug.cgi?id=1219571#c8

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Flags|needinfo?(suse-beta@cboltz.de) |

--- Comment #8 from Christian Boltz <suse-beta@cboltz.de> ---
Sorry for the delay. For the record: changes to the AppArmor package submitted during the last days of the carnival season can take a bit longer ;-)

As someone wrote on the German mailing list years ago:

  Well, anyone who mails someone in one of the carnival regions during the well-known silly season has to expect that their mail will hardly be answered before Friday. Before then, the people there are barely sober and approachable again. ;))
  [Martin Falley in suse-linux]

SR 1147189 sent to Factory.

For 15.6, SR 1144722 is still open, therefore I'll let you do the submission once it gets accepted in IBS (or now, obsoleting that SR - whatever you prefer).
https://bugzilla.suse.com/show_bug.cgi?id=1219571#c9

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                CC|                            |dimstar@opensuse.org

--- Comment #9 from Christian Boltz <suse-beta@cboltz.de> ---
*** Bug 1219401 has been marked as a duplicate of this bug. ***

https://bugzilla.suse.com/show_bug.cgi?id=1219571#c10

--- Comment #10 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1219571) was mentioned in
https://build.opensuse.org/request/show/1147189 Factory / apparmor