[Bug 848037] New: Apparmor profile for check_cups does not work on SLES 11 SP3
https://bugzilla.novell.com/show_bug.cgi?id=848037 https://bugzilla.novell.com/show_bug.cgi?id=848037#c0 Summary: Apparmor profile for check_cups does not work on SLES 11 SP3 Classification: openSUSE Product: openSUSE 13.1 Version: RC 1 Platform: All OS/Version: SLES 11 Status: NEW Severity: Normal Priority: P5 - None Component: Other AssignedTo: mcaj@suse.com ReportedBy: lrupp@suse.com QAContact: qa-bugs@suse.de Found By: Development Blocker: ---
From /var/log/audit/audit.log on a SLES 11 SP3 machine:
type=AVC msg=audit(1382702360.196:477): apparmor="DENIED" operation="exec" parent=12615 profile="/usr/lib/nagios/plugins/check_cups" name="/bin/gawk" pid=12617 comm="check_cups" requested_mask="x" denied_mask="x" fsuid=108 ouid=0 The profile in /etc/appamor.d/ expects awk in /usr/bin/awk - which is true for younger openSUSE, but not for old SLES. Note: This might also be the case for other binaries listed in the profile. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=848037 https://bugzilla.novell.com/show_bug.cgi?id=848037#c1 Martin Caj <mcaj@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO InfoProvider| |lrupp@suse.com --- Comment #1 from Martin Caj <mcaj@suse.com> 2013-10-30 11:31:23 UTC --- Hi Lars, I check it and : The current version 1.4.16-94.1 from obs://build.opensuse.org/server:monitoring has a different profile then older versions. Now we don't have the awk in the profile any more. I checked it on a SLES 11 SP3 machine and openSUSE 13.1 RC1 and I was not able to reproduce it. Can you please check that the message from /var/log/audit/audit.log is still happening in the last version ? Thank you. Martin -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=848037 https://bugzilla.novell.com/show_bug.cgi?id=848037#c2 Martin Caj <mcaj@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|lrupp@suse.com | --- Comment #2 from Martin Caj <mcaj@suse.com> 2013-10-30 13:00:55 UTC --- I'm sorry. wait ... there is still awk on one line ..... I'm working on the fix now ... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=848037 https://bugzilla.novell.com/show_bug.cgi?id=848037#c3 Martin Caj <mcaj@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO InfoProvider| |lrupp@suse.com --- Comment #3 from Martin Caj <mcaj@suse.com> 2013-10-30 14:46:44 UTC --- Hi Lars, it should be fix in the version 1.4.16-96.1 from NON_Public:infrastructure Can you try it ? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=848037 https://bugzilla.novell.com/show_bug.cgi?id=848037#c4 Lars Vogdt <lrupp@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW CC| |lrupp@suse.com InfoProvider|lrupp@suse.com | --- Comment #4 from Lars Vogdt <lrupp@suse.com> 2013-10-30 16:24:30 CET --- (In reply to comment #3)
Can you try it ?
Just try it on your own: it's "your" host nagios.suse.cz who is running into the problem.... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=848037 https://bugzilla.novell.com/show_bug.cgi?id=848037#c5 Martin Caj <mcaj@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO InfoProvider| |lrupp@suse.com --- Comment #5 from Martin Caj <mcaj@suse.com> 2013-11-04 15:21:10 UTC --- Hi Lars. I fixed it last Friday and tested in on "ours" nagios.suse.cz. The fix is in version 1.4.16-97.2 from NON_Public:infrastructure. There is no awk any more and apparmor profile works me fine. I tried several scenarios with jobs is queue or stopped printers... all fine, no more warring in audit.log file. Should I push it into OBS as well ? Martin -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=848037 https://bugzilla.novell.com/show_bug.cgi?id=848037#c7 Martin Caj <mcaj@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED CC| |mcaj@suse.com Resolution| |FIXED --- Comment #7 from Martin Caj <mcaj@suse.com> 2014-01-03 10:40:00 UTC --- done on server:monitoring directly as revision 152. Martin -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@novell.com