[Bug 1210217] New: aa-logprof doesn't see a DENIED in dnsmasq service.
http://bugzilla.opensuse.org/show_bug.cgi?id=1210217

Bug ID: 1210217
Summary: aa-logprof doesn't see a DENIED in dnsmasq service.
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.4
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
Assignee: suse-beta@cboltz.de
Reporter: carlos.e.r@opensuse.org
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

I configured this line in /etc/dnsmasq.conf:

    resolv-file=/run/NetworkManager/no-stub-resolv.conf

and restarted the service, which complained:

    Apr 06 12:40:22 Laicolasse.valinor dnsmasq[20083]: failed to read /run/NetworkManager/no-stub-resolv.conf: Permission denied

However, aa-logprof said nothing:

    Laicolasse:~ # aa-logprof
    Updating AppArmor profiles in /etc/apparmor.d.
    Reading log entries from /var/log/audit/audit.log.
    Enforce-mode changes:

    Laicolasse:~ #

Yet, the event was there:

    type=AVC msg=audit(1680777622.544:321): apparmor="DENIED" operation="open" class="file" profile="dnsmasq" name="/run/NetworkManager/no-stub-resolv.conf" pid=20083 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=480 ouid=0

I got the service working after adding a line to /etc/apparmor.d/local/usr.sbin.dnsmasq:

    /run/NetworkManager/no-stub-resolv.conf r,

and "systemctl restart apparmor.service".

Machine is freshly installed laptop with 15.4

http://bugzilla.opensuse.org/show_bug.cgi?id=1210217#c1

--- Comment #1 from Christian Boltz <suse-beta@cboltz.de> ---

I wonder about the class="file" part of the log message - that's quite new on the kernel side, and probably not supported by the libapparmor version in 15.4.

Do you use the kernel that comes with 15.4 (including update repos), or did you install a newer kernel from an additional repo?

(As a sidenote, the rule you added looks correct.)

http://bugzilla.opensuse.org/show_bug.cgi?id=1210217#c2

--- Comment #2 from Carlos Robinson <carlos.e.r@opensuse.org> ---

Ah! Indeed, yes, I am running 6.2.8-lp154.3.gc9a94ac-default, and sometimes a patched 15.5 kernel in this laptop. Without it, WiFi doesn't work (Bug 1209980).

Sigh, everything is connected :-(

http://bugzilla.opensuse.org/show_bug.cgi?id=1210217#c3

--- Comment #3 from Christian Boltz <suse-beta@cboltz.de> ---

Well, at least now we know what's going on ;-)

There are two possible workarounds:
- install the latest packages from the security:apparmor repo
- or -
- convert the log to the old format on the fly:

    aa-logprof -f <(sed 's/class="[a-z]*" //' < /var/log/audit/audit.log)
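
An added example (not part of the bug report or of the AppArmor tools): a small Python scan that lists DENIED records in audit-log text, flags those carrying the newer class= field, and applies the same substitution as the sed workaround in comment #3. The second and third sample lines and all function names are constructed for illustration.

```python
import re

# Sample input: the first record is the denial quoted in the report; the
# second (old format, no class=) and third (non-AppArmor) are constructed.
SAMPLE_LOG = '''type=AVC msg=audit(1680777622.544:321): apparmor="DENIED" operation="open" class="file" profile="dnsmasq" name="/run/NetworkManager/no-stub-resolv.conf" pid=20083 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=480 ouid=0
type=AVC msg=audit(1680777700.100:400): apparmor="DENIED" operation="open" profile="dnsmasq" name="/etc/example.conf" pid=20083 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=480 ouid=0
type=SYSCALL msg=audit(1680777700.100:401): arch=c000003e syscall=257 success=no
'''

# key=value pairs; values are either double-quoted or a run of non-blanks.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Same pattern as the sed workaround: s/class="[a-z]*" //
CLASS_FIELD = re.compile(r'class="[a-z]*" ')


def parse_avc(line):
    """Return the fields of an AppArmor record as a dict, or None for other records."""
    if 'apparmor=' not in line:
        return None
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def strip_class(line):
    """Drop the first class="..." field, as sed does once per line."""
    return CLASS_FIELD.sub('', line, count=1)


def report(log_text):
    """List DENIED records, noting which ones use the newer class= format."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec.get('apparmor') != 'DENIED':
            continue
        findings.append({
            'profile': rec.get('profile'),
            'name': rec.get('name'),
            'denied_mask': rec.get('denied_mask'),
            'has_class': 'class' in rec,
            'normalized': strip_class(line),
        })
    return findings


if __name__ == '__main__':
    for f in report(SAMPLE_LOG):
        fmt = 'new format (class=)' if f['has_class'] else 'old format'
        print(f"{f['profile']}: {f['name']} {f['denied_mask']}  [{fmt}]")
```

A denial that shows up here with the class= flag but is absent from aa-logprof's prompts matches the situation described in this bug.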

http://bugzilla.opensuse.org/show_bug.cgi?id=1210217#c4

--- Comment #4 from Carlos Robinson <carlos.e.r@opensuse.org> ---

Thanks.

The second option seems the least intrusive.

Also, I intend to "downgrade" the kernel from "Kernel:stable:Backports" to the 15.5 patched kernel that Takashi Iwai provided; I know it works with WiFi, and it probably also works with hibernation. If that is so, it should be the least problematic route.

I have a brand new laptop (Lenovo L14 Gen 3 AMD), and I use the "ancient" Leap 15.4... it is bound to cause problems.

I suppose we can close this Bugzilla. Thanks a lot for the quick response.

http://bugzilla.opensuse.org/show_bug.cgi?id=1210217#c5

Christian Boltz <suse-beta@cboltz.de> changed:

What       |Removed |Added
----------------------------------------
Status     |NEW     |RESOLVED
Resolution |---     |WORKSFORME

--- Comment #5 from Christian Boltz <suse-beta@cboltz.de> ---

(In reply to Carlos Robinson from comment #4)
> The second option seems the least intrusive.

Right.

> I suppose we can close this Bugzilla. Thanks a lot for the quick response.

OK, I'll close it as "worksforme" - not the perfect option, but the others look worse ;-)