[Bug 678749] New: apparmor too strict for dnsmasq - /var/run/dnsmasq-forwarders.conf forbidden
https://bugzilla.novell.com/show_bug.cgi?id=678749

https://bugzilla.novell.com/show_bug.cgi?id=678749#c0

           Summary: apparmor too strict for dnsmasq - /var/run/dnsmasq-forwarders.conf forbidden
    Classification: openSUSE
           Product: openSUSE 11.4
           Version: Final
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: AppArmor
        AssignedTo: jeffm@novell.com
        ReportedBy: jnelson-suse@jamponi.net
         QAContact: qa@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.0b12) Gecko/20110222 Firefox/4.0b12

apparmor's config is too strict for dnsmasq - /var/run/dnsmasq-forwarders.conf is forbidden and it is used by some scenarios of netupdate (the one I am using, for example).

Reproducible: Always

Steps to Reproduce: 1. 2. 3.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=678749#c1

Jeff Mahoney <jeffm@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |jnelson-suse@jamponi.net

--- Comment #1 from Jeff Mahoney <jeffm@novell.com> 2011-03-14 17:38:12 UTC ---
Can you attach your /var/log/audit/audit.log?
https://bugzilla.novell.com/show_bug.cgi?id=678749#c2

Jon Nelson <jnelson-suse@jamponi.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
       InfoProvider|jnelson-suse@jamponi.net    |

--- Comment #2 from Jon Nelson <jnelson-suse@jamponi.net> 2011-03-14 17:42:57 UTC ---
The file is large. Will this snippet do?
Also /etc/ethers needs to be allowed (for read).

type=DAEMON_START msg=audit(1299800547.760:7533): auditd start, ver=2.0.5 format=raw kernel=2.6.37.1-1.2-default auid=4294967295 pid=3648 subj=unconfined res=success
type=AVC msg=audit(1299800547.988:26): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/dnsmasq" name="/var/run/dnsmasq-forwarders.conf" pid=3667 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=107 ouid=0
type=AVC msg=audit(1299800547.988:27): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/dnsmasq" name="/etc/ethers" pid=3667 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=107 ouid=0
type=AVC msg=audit(1299800553.336:28): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/dnsmasq" name="/var/run/dnsmasq-forwarders.conf" pid=3667 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=107 ouid=0
type=AVC msg=audit(1299800555.400:29): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/dnsmasq" name="/var/run/dnsmasq-forwarders.conf" pid=3667 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=107 ouid=0
type=AVC msg=audit(1299800557.448:30): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/dnsmasq" name="/var/run/dnsmasq-forwarders.conf" pid=3667 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=107 ouid=0
type=AVC msg=audit(1299800559.516:31): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/dnsmasq" name="/var/run/dnsmasq-forwarders.conf" pid=3667 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=107 ouid=0
https://bugzilla.novell.com/show_bug.cgi?id=678749#c3

Jeff Mahoney <jeffm@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |jnelson-suse@jamponi.net

--- Comment #3 from Jeff Mahoney <jeffm@novell.com> 2011-03-14 17:48:58 UTC ---
Yep. I just wanted to make sure it only needed read access.

Does adding:
------>8------
/var/run/dnsmasq-forwarders.conf r,
/etc/ethers r,
------<8------
above the final } fix it?
https://bugzilla.novell.com/show_bug.cgi?id=678749#c4

Jon Nelson <jnelson-suse@jamponi.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
       InfoProvider|jnelson-suse@jamponi.net    |

--- Comment #4 from Jon Nelson <jnelson-suse@jamponi.net> 2011-03-14 17:50:29 UTC ---
yes. Except I put "/etc/ethers r," next to the other files in /etc, and ditto /var/run/dnsmasq-forwarders.conf
https://bugzilla.novell.com/show_bug.cgi?id=678749#c5

Jeff Mahoney <jeffm@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #5 from Jeff Mahoney <jeffm@novell.com> 2011-03-14 18:06:25 UTC ---
Ok, I've added those to the 11.4 and Factory packages. There are several other AppArmor issues I want to fix before issuing a SR.
https://bugzilla.novell.com/show_bug.cgi?id=678749#c6

--- Comment #6 from Bernhard Wiedemann <bwiedemann@novell.com> 2011-04-28 13:55:34 CEST ---
This is an autogenerated message for OBS integration:
This bug (678749) was mentioned in
https://build.opensuse.org/request/show/66464
https://build.opensuse.org/request/show/66522
https://bugzilla.novell.com/show_bug.cgi?id=678749#c7

--- Comment #7 from Bernhard Wiedemann <bwiedemann@novell.com> 2011-06-23 21:00:34 CEST ---
This is an autogenerated message for OBS integration:
This bug (678749) was mentioned in
https://build.opensuse.org/request/show/74415 11.4 / apparmor
https://bugzilla.novell.com/show_bug.cgi?id=678749#c8

--- Comment #8 from Bernhard Wiedemann <bwiedemann@novell.com> 2011-06-24 17:00:29 CEST ---
This is an autogenerated message for OBS integration:
This bug (678749) was mentioned in
https://build.opensuse.org/request/show/74457 11.4 / apparmor
https://bugzilla.novell.com/show_bug.cgi?id=678749#c9

Swamp Workflow Management <swamp@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|                            |maint:running:41833:low

--- Comment #9 from Swamp Workflow Management <swamp@suse.com> 2011-06-25 19:57:59 UTC ---
The SWAMPID for this issue is 41833.
This issue was rated as low.
Please submit fixed packages until 2011-07-25.
Also create a patchinfo file using this link:
https://swamp.suse.de/webswamp/wf/41833
https://bugzilla.novell.com/show_bug.cgi?id=678749#c10

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|maint:running:41833:low     |maint:running:41833:low
                   |                            |maint:released:11.4:41905

--- Comment #10 from Swamp Workflow Management <swamp@suse.de> 2011-07-07 13:17:23 UTC ---
Update released for: apache2-mod_apparmor, apparmor-docs, apparmor-parser, apparmor-profiles, apparmor-utils, libapparmor-devel, libapparmor1, pam_apparmor, perl-apparmor, tomcat_apparmor
Products:
openSUSE 11.4 (debug, i586, x86_64)
https://bugzilla.novell.com/show_bug.cgi?id=678749#c

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|maint:running:41833:low     |maint:released:11.4:41905
                   |maint:released:11.4:41905   |
https://bugzilla.novell.com/show_bug.cgi?id=678749#c11

Jon Nelson <jnelson-suse@jamponi.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |

--- Comment #11 from Jon Nelson <jnelson-suse@jamponi.net> 2011-09-02 19:33:28 UTC ---
This is not fixed.

The updated profile has:

/var/run/dnsmasq-forwarders r,

NOT:

/var/run/dnsmasq-forwarders.conf r,

It's the latter that is actually used.
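
[Added example, not part of the original thread and not the AppArmor project's code: a check that would have caught the mismatch reported in comment #11 by replaying the denials from comment #2 against the profile's file rules. The names denials, uncovered, glob_to_regex and PROFILE_RULES are hypothetical, and the glob translation is a simplification of AppArmor's matcher (no deny rules, owner prefixes, variables or includes).]

```python
import re

# Two of the denial records quoted in comment #2, and a constructed profile
# fragment containing the rule that comment #11 reports in the shipped update.
AUDIT_LOG = '''\
type=AVC msg=audit(1299800547.988:26): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/dnsmasq" name="/var/run/dnsmasq-forwarders.conf" pid=3667 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=107 ouid=0
type=AVC msg=audit(1299800547.988:27): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/dnsmasq" name="/etc/ethers" pid=3667 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=107 ouid=0
'''
PROFILE_RULES = '''\
  /etc/ethers r,
  /var/run/dnsmasq-forwarders r,
'''
FIELD = re.compile(r'(\w+)="([^"]*)"')               # quoted key="value" pairs only
RULE = re.compile(r'^\s*(/\S*)\s+([A-Za-z]+)\s*,')   # "path perms," form only
GLOB = {"**": ".*", "*": "[^/]*", "?": "[^/]", "{": "(?:", "}": ")", ",": "|"}

def glob_to_regex(glob):
    """Translate the AppArmor globs **, *, ? and {a,b} to a regex (simplified)."""
    out, depth = [], 0
    for tok in re.findall(r"\*\*|.", glob):
        depth += (tok == "{") - (tok == "}")
        # A comma separates alternatives only inside {...}; elsewhere it is literal.
        literal = tok not in GLOB or (tok == "," and depth == 0)
        out.append(re.escape(tok) if literal else GLOB[tok])
    return re.compile("".join(out) + r"\Z")

def denials(log, profile):
    """Map each denied path to the set of denied permissions for one profile."""
    need = {}
    for line in log.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("apparmor") == "DENIED" and f.get("profile") == profile and "name" in f:
            need.setdefault(f["name"], set()).update(f.get("denied_mask", ""))
    return need

def uncovered(need, rules_text):
    """Return the rule lines the profile still lacks for the denied accesses."""
    rules = [(glob_to_regex(m.group(1)), set(m.group(2)))
             for m in map(RULE.match, rules_text.splitlines()) if m]
    missing = []
    for path, perms in sorted(need.items()):
        granted = set().union(*(p for rx, p in rules if rx.match(path)))
        if perms - granted:
            missing.append(f"{path} {''.join(sorted(perms - granted))},")
    return missing

if __name__ == "__main__":
    print(uncovered(denials(AUDIT_LOG, "/usr/sbin/dnsmasq"), PROFILE_RULES))
```
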
https://bugzilla.novell.com/show_bug.cgi?id=678749#c12

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |suse-beta@cboltz.de
         AssignedTo|jeffm@suse.com              |suse-beta@cboltz.de

--- Comment #12 from Christian Boltz <suse-beta@cboltz.de> 2011-09-13 21:49:25 CEST ---
Good catch!

I just submitted a patch upstream to get this fixed in AppArmor 2.7 beta2. I'll update the Factory package when it's released.

Do you think this is worth another update for 11.4?
https://bugzilla.novell.com/show_bug.cgi?id=678749#c13

--- Comment #13 from Jon Nelson <jnelson-suse@jamponi.net> 2011-09-14 01:55:48 UTC ---
I'd like to see it fixed, but I don't feel strongly about it.
https://bugzilla.novell.com/show_bug.cgi?id=678749#c14

--- Comment #14 from Bernhard Wiedemann <bwiedemann@suse.com> 2011-09-16 19:00:09 CEST ---
This is an autogenerated message for OBS integration:
This bug (678749) was mentioned in
https://build.opensuse.org/request/show/82501 Factory / apparmor
https://bugzilla.novell.com/show_bug.cgi?id=678749#c15

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #15 from Christian Boltz <suse-beta@cboltz.de> 2012-01-05 19:06:21 CET ---
(In reply to comment #13)
> I'd like to see it fixed, but I don't feel strongly about it.

OK, then I won't do an update for 11.4 for now ;-)

12.1 and Factory are fixed.