[opensuse-factory] Issues observed during installation of latest Leap
a) YaST complained about some unresolved dependencies, bug#948721] Cannot solve dependencies automatically. Manual intervention is required. nothing provides libQt5Gui5 = 5.4.2 needed by kwin5-5.4.1-1.2.x86_64 nothing provides libQt5Gui5 = 5.4.2 needed by frameworkintegration-plugin-5.14.0-1.1.x86_64 b) with the nouveau driver, the GUI didn't work. At all. I installed an elderly nvidia driver from source instead. c) syslog-ng apparmor profile Non-existent? d) vim-data not installed by default -- Per Jessen, Zürich (16.1°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Hello, Am Sonntag, 4. Oktober 2015 schrieb Per Jessen:
c) syslog-ng apparmor profile
Non-existent?
/etc/apparmor.d/sbin.syslog-ng is in the apparmor-profiles package. Is this package installed? Regards, Christian Boltz -- with people like you for sure we would have been still living in a cave looking for fruits in forests... Fruits are very tasty, why the hell should we spend time hunting and cooking... [Alin M Elena in opensuse-factory] -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Christian Boltz wrote:
Hello,
Am Sonntag, 4. Oktober 2015 schrieb Per Jessen:
c) syslog-ng apparmor profile
Non-existent?
/etc/apparmor.d/sbin.syslog-ng is in the apparmor-profiles package. Is this package installed?
Hi Christian, Yes, it is installed: # zypper se apparmor-profiles Retrieving repository 'openSUSE-Leap-42.1-Update-Non-Oss' metadata .....[error] Repository 'openSUSE-Leap-42.1-Update-Non-Oss' is invalid. Loading repository data... Reading installed packages... S | Name | Summary | Type --+-------------------+-------------------------------------------------------------------+-------- i | apparmor-profiles | AppArmor profiles that are loaded into the apparmor kernel module | package /sbin/syslog-ng is a symlink to /usr/sbin/syslog-ng. To get syslog-ng to run, I went through starting it, then running aa-genprof etc. It seemed the profile was non-existent. When I run "/usr/sbin/syslog-ng -F" from the command line, it doesn't pick up the sbin.syslog profile, does it? -- Per Jessen, Zürich (11.4°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Hello, Am Montag, 5. Oktober 2015 schrieb Per Jessen:
Christian Boltz wrote:
Am Sonntag, 4. Oktober 2015 schrieb Per Jessen:
c) syslog-ng apparmor profile
Non-existent?
/etc/apparmor.d/sbin.syslog-ng is in the apparmor-profiles package. Is this package installed?
Yes, it is installed:
/sbin/syslog-ng is a symlink to /usr/sbin/syslog-ng.
To get syslog-ng to run, I went through starting it, then running aa-genprof etc. It seemed the profile was non-existent. When I run "/usr/sbin/syslog-ng -F" from the command line, it doesn't pick up the sbin.syslog profile, does it?
The filenames in /etc/apparmor.d/ don't really matter - you could name a profile file /etc/apparmor.d/whatever-i-want and AppArmor would still only look at the content ;-) [1] In the case of syslog-ng, the profile starts with profile syslog-ng /{usr/,}sbin/syslog-ng { which means the profile applies to both /sbin/syslog-ng and /usr/sbin/syslog-ng. The "profile syslog-ng" part sets the profile name which basically makes sure that it will appear with just "syslog-ng" in the audit.log - but even if it would just be /{usr/,}sbin/syslog-ng { it would still apply to /sbin/syslog-ng and /usr/sbin/syslog-ng. To answer the aa-genprof part - aa-genprof isn't smart enough to check/find profiles that attach to multiple binaries (like {..,..} alternations or wildcards) [2], so it didn't notice that /{usr/,}sbin/syslog-ng is already there. Therefore aa-genprof created a /usr/sbin/syslog-ng profile for you. At least this explains why aa-genprof asked you for things that were already allowed in the "official" profile - I already wondered what is going on when reading your bugreport (#948753). Note that you now have two more or less conflicting profiles loaded. I'd guess that your /usr/sbin/syslog-ng profile is used because it's an exact match, but that's probably not what you want. Therefore I'd recommend to delete "your" profile, run "rcapparmor reload" and then restart syslog-ng so that it uses the "official" profile. Regards, Christian Boltz [1] there are exceptions - for example, *.rpmnew files are ignored for obvious reasons [2] I know there is room for improvement, but unfortunately my days only have 24 hours ;-) -- 240 TB also... das wären dann die Konfigurationsdateien. Und die ganzen "Nutzdaten"? MP3's? jpg's? Wo haben die Platz? [Andreas Feile in suse-linux] -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Christian Boltz wrote:
The filenames in /etc/apparmor.d/ don't really matter - you could name a profile file /etc/apparmor.d/whatever-i-want and AppArmor would still only look at the content ;-) [1]
Ah, thanks for explaining that.
Note that you now have two more or less conflicting profiles loaded. I'd guess that your /usr/sbin/syslog-ng profile is used because it's an exact match, but that's probably not what you want. Therefore I'd recommend to delete "your" profile, run "rcapparmor reload" and then restart syslog-ng so that it uses the "official" profile.
Okay, done that - the first thing that happens is: # /usr/sbin/syslog-ng -F Auto configuration failed 139750905030416:error:0200100D:system library:fopen:Permission denied:bss_file.c:173:fopen('/etc/ssl/openssl.cnf','rb') 139750905030416:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:178: 139750905030416:error:0E078002:configuration file routines:DEF_LOAD:system lib:conf_def.c:199: I then added "#include <abstractions/openssl>" and attempted another reload - this caused the machine to crash and restart :-( I think this is reproduceable, I've seen it before. When syslog-ng tries to start during the reboot, apparmor denies access to /etc/syslog-ng/conf.d/. I added a '*' to the profile, and then it worked. -- Per Jessen, Zürich (13.4°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On 10/07/2015 08:42 AM, Per Jessen wrote:
Christian Boltz wrote:
The filenames in /etc/apparmor.d/ don't really matter - you could name a profile file /etc/apparmor.d/whatever-i-want and AppArmor would still only look at the content ;-) [1] Ah, thanks for explaining that.
Note that you now have two more or less conflicting profiles loaded. I'd guess that your /usr/sbin/syslog-ng profile is used because it's an exact match, but that's probably not what you want. Therefore I'd recommend to delete "your" profile, run "rcapparmor reload" and then restart syslog-ng so that it uses the "official" profile. Okay, done that - the first thing that happens is:
# /usr/sbin/syslog-ng -F Auto configuration failed 139750905030416:error:0200100D:system library:fopen:Permission denied:bss_file.c:173:fopen('/etc/ssl/openssl.cnf','rb') 139750905030416:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:178: 139750905030416:error:0E078002:configuration file routines:DEF_LOAD:system lib:conf_def.c:199:
I then added "#include <abstractions/openssl>" and attempted another reload - this caused the machine to crash and restart :-( I think this is reproduceable, I've seen it before.
When syslog-ng tries to start during the reboot, apparmor denies access to /etc/syslog-ng/conf.d/. I added a '*' to the profile, and then it worked.
Hi syslog-ng seems to work fine using the fixes for the AppArmmor profile provided in https://bugzilla.opensuse.org/show_bug.cgi?id=948584 Bye, CzP -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Hello, Am Mittwoch, 7. Oktober 2015 schrieb Per Jessen:
Christian Boltz wrote:
Note that you now have two more or less conflicting profiles loaded. I'd guess that your /usr/sbin/syslog-ng profile is used because it's an exact match, but that's probably not what you want. Therefore I'd recommend to delete "your" profile, run "rcapparmor reload" and then restart syslog-ng so that it uses the "official" profile.
Okay, done that - the first thing that happens is:
# /usr/sbin/syslog-ng -F Auto configuration failed 139750905030416:error:0200100D:system library:fopen:Permission denied:bss_file.c:173:fopen('/etc/ssl/openssl.cnf','rb')
The syslog-ng profile needs some additions, see https://bugzilla.opensuse.org/show_bug.cgi?id=948584#c4 I'll submit an updated package tonight.
I then added "#include <abstractions/openssl>" and attempted another reload - this caused the machine to crash and restart :-( I think this is reproduceable, I've seen it before.
Sounds like https://bugzilla.opensuse.org/show_bug.cgi?id=941867 If you manage to get a screenshot or photo the oops, please compare it with https://bugzilla.opensuse.org/attachment.cgi?id=649721 - if the error message differs, please attach it to the bugreport. Regards, Christian Boltz -- Ich glaube aber nicht, dass der DDR Ram hat. Er hat seinen Rechner doch erst vor einem Jahr gekauft! Die werden Ihm da doch nicht uralt-Speicherbausteine hereingesteckt haben. Maximal kann er also "Ex-DDR"-Speicher haben (Sprich Infineon, denn die Produzieren ja auch in Dresden ...). [Konrad Neitzel in suse-linux] -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Christian Boltz wrote:
I then added "#include <abstractions/openssl>" and attempted another reload - this caused the machine to crash and restart :-( I think this is reproduceable, I've seen it before.
Sounds like https://bugzilla.opensuse.org/show_bug.cgi?id=941867 If you manage to get a screenshot or photo the oops, please compare it with https://bugzilla.opensuse.org/attachment.cgi?id=649721 - if the error message differs, please attach it to the bugreport.
I'll see what I can do, so far I've only been logged on via ssh. -- Per Jessen, Zürich (10.9°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
participants (3)
-
Christian Boltz -
Per Jessen -
Peter Czanik