[opensuse-factory] AppArmor 2.7 in factory - please test!
Hello,

AppArmor 2.7 (beta1) has been in Factory for some hours.

Short version: please test it and report any problems you notice.

Long version:
I'm quite new to maintaining the AppArmor package (I became maintainer last Saturday ;-) Additionally, I dropped a 380k patch that changed the whole upstream buildsystem to use automake [1].

In other words: the whole build process of the AppArmor package is totally new, and it might be that this introduced some regression I didn't notice yet.

A known "regression" is that the tomcat_apparmor package is no longer built - it is unmaintained upstream since quite some time and failed to build. If anyone needs this, please step up and help maintaining it ;-)

Please test if the AppArmor 2.7 beta1 package works as expected on your system - if not, please reply to this mail or open a bugreport. (Success reports are also welcome, of course.)

If you don't have a Factory installation available, you can also download packages for 11.3 and 11.4 from security:apparmor:factory. In theory, they should work on those systems without changing the kernel side, but I can't promise that ;-) (they seem to work on my 11.4 system)

Finally: thanks to everybody who helped me to get the AppArmor package updated by personal support on the conference and online support on IRC.

Regards,
Christian Boltz

[1] I don't really know automake and upstream isn't too interested in this patch[2], therefore I decided to drop it. (The patch is still included in the sources in OBS, but disabled - just in case someone wants to update it and push it upstream.)

[2] it only applies to 2.6.1, not to 2.7 - and it looks like nobody wants to update such a big patch, so it's understandable

-- 
``Hello, my userid is root and if you feed me caffeine, nobody gets hurt.'' -- AdB

-- 
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-factory+help@opensuse.org
On Wednesday, September 14, 2011 02:46:38 PM Christian Boltz wrote:
Hello,
AppArmor 2.7 (beta1) has been in Factory for some hours.
Short version: please test it and report any problems you notice.
Long version:
I'm quite new to maintaining the AppArmor package (I became maintainer last Saturday ;-) Additionally, I dropped a 380k patch that changed the whole upstream buildsystem to use automake [1].
In other words: the whole build process of the AppArmor package is totally new, and it might be that this introduced some regression I didn't notice yet.
A known "regression" is that the tomcat_apparmor package is no longer built - it is unmaintained upstream since quite some time and failed to build. If anyone needs this, please step up and help maintaining it ;-)
Please test if the AppArmor 2.7 beta1 package works as expected on your system - if not, please reply to this mail or open a bugreport. (Success reports are also welcome, of course.)
If you don't have a Factory installation available, you can also download packages for 11.3 and 11.4 from security:apparmor:factory. In theory, they should work on those systems without changing the kernel side, but I can't promise that ;-) (they seem to work on my 11.4 system)
Finally: thanks to everybody who helped me to get the AppArmor package updated by personal support on the conference and online support on IRC.
Regards,
Christian Boltz
[1] I don't really know automake and upstream isn't too interested in this patch[2], therefore I decided to drop it. (The patch is still included in the sources in OBS, but disabled - just in case someone wants to update it and push it upstream.)
[2] it only applies to 2.6.1, not to 2.7 - and it looks like nobody wants to update such a big patch, so it's understandable

May I add, to test the AppArmor notifier with it?
On 09/14/2011 11:46 PM, Christian Boltz wrote:
Hello,
AppArmor 2.7 (beta1) has been in Factory for some hours.
Short version: please test it and report any problems you notice.

The first problem I noticed is that it does not seem to be in the default selection any more. I did not enable capabilities support in the syslog-ng package, as it was enforced by AppArmor anyway. But I have to reconsider it, if AppArmor is not installed by default... I'm doing a fresh factory installation right now and will let you know about any syslog-ng related problems, if I find any.

Bye,
CzP
On 09/15/2011 09:25 AM, Peter Czanik wrote:
On 09/14/2011 11:46 PM, Christian Boltz wrote:
Hello,
AppArmor 2.7 (beta1) has been in Factory for some hours.
Short version: please test it and report any problems you notice.

The first problem I noticed is that it does not seem to be in the default selection any more. I did not enable capabilities support in the syslog-ng package, as it was enforced by AppArmor anyway. But I have to reconsider it, if AppArmor is not installed by default... I'm doing a fresh factory installation right now and will let you know about any syslog-ng related problems, if I find any.
Here it is:

linux-fsru:~ # dmesg | grep syslog-ng
[    5.836280] type=1400 audit(1316065085.053:4): apparmor="STATUS" operation="profile_load" name="/sbin/syslog-ng" pid=678 comm="apparmor_parser"
[   15.649548] type=1400 audit(1316065094.883:27): apparmor="DENIED" operation="open" parent=1924 profile="/sbin/syslog-ng" name="/sys/devices/system/cpu/online" pid=1925 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[   15.717490] type=1400 audit(1316065094.950:28): apparmor="DENIED" operation="open" parent=1926 profile="/sbin/syslog-ng" name="/var/run/syslog-ng/additional-log-sockets.conf" pid=1927 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  100.765518] type=1400 audit(1316065180.486:29): apparmor="DENIED" operation="open" parent=7523 profile="/sbin/syslog-ng" name="/sys/devices/system/cpu/online" pid=7526 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  100.780871] type=1400 audit(1316065180.502:30): apparmor="DENIED" operation="open" parent=7529 profile="/sbin/syslog-ng" name="/var/run/syslog-ng/additional-log-sockets.conf" pid=7530 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I have never seen the "/sys/devices/system/cpu/online" message before.

The "/var/run/syslog-ng/additional-log-sockets.conf" is something I added to /etc/apparmor.d/sbin.syslog-ng a long time ago, when I introduced syslog-ng 3.X to openSUSE. It's SuSE specific, and adds additional log sockets from chroots to syslog-ng.conf

Bye,
CzP
Hello, on Thursday, 15 September 2011, Peter Czanik wrote:
On 09/15/2011 09:25 AM, Peter Czanik wrote:
On 09/14/2011 11:46 PM, Christian Boltz wrote:
AppArmor 2.7 (beta1) has been in Factory for some hours.
Short version: please test it and report any problems you notice.
The first problem I noticed is that it does not seem to be in the default selection any more.
Unfortunately yes - there was a discussion about this about a month ago. I won't object if you can convince Coolo to re-add AppArmor to the default installation.
I did not enable capabilities support in the syslog-ng package, as it was enforced by AppArmor anyway. But I have to reconsider it, if AppArmor is not installed by default...
Even with AppArmor installed, making your package more secure is always a good idea. Or you just add a Requires: apparmor-profiles apparmor-utils ;-)
I have never seen the "/sys/devices/system/cpu/online" message before.
Reading this file doesn't look harmful at least.
The "/var/run/syslog-ng/additional-log-sockets.conf" is something
This one had a slightly broken rule starting with "/{var,/}" instead of "/{var/,}". I just committed both upstream. The fix will be in 2.7 beta2, which will be released in the next days. If you want to test the fixed profile now, you can download it from http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/view/head:/profiles/apparmor.d/sbin.syslog-ng
I added to /etc/apparmor.d/sbin.syslog-ng a long time ago, when I introduced syslog-ng 3.X to openSUSE. It's SuSE specific, and adds additional log sockets from chroots to syslog-ng.conf
Did you see my talk about "the golden rules of bad programming" at the conference? You are following rule 6: Never submit your patches upstream. Keeping the patches in your package is fun:
- you look like a professional if you can handle 50 patches in a package
- you save upstream some work on reviewing and integrating the patches
- you always have some fun when updating the package and your patches to the next version
- you make the openSUSE package something exclusive that nobody else has ;-))

Seriously: Is there a special reason to keep the additional-sockets.conf patch specific to openSUSE? Otherwise please submit it upstream.

Regards,
Christian Boltz

-- 
All in all, I think it is easier to buy a pistol and shoot yourself in the foot. The result is the same, but at least you don't bother anyone else while doing it. (^-^)
[Sandy Drobic in postfixbuch-users about a-s-k.sourceforge.net]
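The two denials quoted above and the "/{var,/}" versus "/{var/,}" rule fix, as an added example that is not code from the thread or from the AppArmor project: it parses the audit lines Peter posted, brace-expands both spellings of the rule and reports which denied path each spelling actually covers. The part of the rule after the brace group is an assumption (the thread only quotes its start), and the matcher is a deliberately simplified literal match.

```python
import re

# Constructed sample: the two distinct "DENIED" audit lines from the dmesg
# output quoted in this thread (values copied from the post, not live data).
AUDIT_LINES = [
    'type=1400 audit(1316065094.883:27): apparmor="DENIED" operation="open" '
    'parent=1924 profile="/sbin/syslog-ng" name="/sys/devices/system/cpu/online" '
    'pid=1925 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'type=1400 audit(1316065094.950:28): apparmor="DENIED" operation="open" '
    'parent=1926 profile="/sbin/syslog-ng" '
    'name="/var/run/syslog-ng/additional-log-sockets.conf" pid=1927 '
    'comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

# The thread says the rule started with "/{var,/}" instead of "/{var/,}";
# the rest of the path is an assumption (it is not quoted in the thread).
BROKEN_RULE = '/{var,/}run/syslog-ng/additional-log-sockets.conf'
FIXED_RULE = '/{var/,}run/syslog-ng/additional-log-sockets.conf'

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_line(line):
    """Split one AppArmor audit line into its key=value fields."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        # Group 3 is the content of a quoted "..." value, group 2 a bare value.
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def expand_braces(pattern):
    """Expand AppArmor {a,b} alternations into the list of literal paths."""
    m = re.search(r'\{([^{}]*)\}', pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    expanded = []
    for alt in m.group(1).split(','):
        expanded.extend(expand_braces(head + alt + tail))
    return expanded


def rule_covers(rule_path, path):
    """Literal match after brace expansion. This toy matcher ignores * and **
    globbing and does not collapse doubled slashes; that is enough to show
    why the broken spelling never matches the denied path."""
    return path in expand_braces(rule_path)


def denied_paths(lines):
    """(profile, path, denied_mask) for every DENIED entry in the audit lines."""
    result = []
    for line in lines:
        f = parse_audit_line(line)
        if f.get('apparmor') == 'DENIED':
            result.append((f['profile'], f['name'], f['denied_mask']))
    return result


def check_denials(lines, rule_paths):
    """Map each denied path to whether any of the given rule paths covers it."""
    return {path: any(rule_covers(r, path) for r in rule_paths)
            for _profile, path, _mask in denied_paths(lines)}
```

Running `check_denials(AUDIT_LINES, [BROKEN_RULE])` leaves both paths uncovered because the broken rule expands to `/varrun/...` and `//run/...`; with `FIXED_RULE` the `/var/run/...` denial is covered and only the `/sys/devices/system/cpu/online` read remains to be added to the profile.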
Hello, FYI: on Thursday, 15 September 2011, Christian Boltz wrote:
The fix will be in 2.7 beta2, which will be released in the next days. If you want to test the fixed profile now,
... you can use the 2.7 beta2 packages from security:apparmor:factory - or wait until SR 82501 got accepted in Factory.

Regards,
Christian Boltz

-- 
Would you please try to put into words what you actually want? With this posting you have a good chance of winning the "Marcel Stein Award".
[Christian Paul in suse-linux]
Hello, On 09/15/2011 10:47 PM, Christian Boltz wrote:
I did not enable capabilities support in the syslog-ng package, as it was enforced by AppArmor anyway. But I have to reconsider it, if AppArmor is not installed by default... Even with AppArmor installed, making your package more secure is always a good idea.
Or you just add a Requires: apparmor-profiles apparmor-utils ;-)
I tried it now and added --with-capabilities to configure, and BuildRequires: libcap-devel
But starting syslog-ng now fails with:

linux-0a57:~ # syslog-ng -v
syslog-ng: Error parsing capabilities: cap_net_bind_service,cap_net_broadcast,cap_net_raw,cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner=p cap_syslog=ep

I was told that this is a sign of a too old capabilities package... cap_syslog was added around 2.6.38

Bye,
CzP
Hello, on Monday, 19 September 2011, Peter Czanik wrote:
On 09/15/2011 10:47 PM, Christian Boltz wrote:
I did not enable capabilities support in the syslog-ng package, as it was enforced by AppArmor anyway. But I have to reconsider it, if AppArmor is not installed by default...
Even with AppArmor installed, making your package more secure is always a good idea.
Or you just add a Requires: apparmor-profiles apparmor-utils ;-)
I tried it now and added --with-capabilities to configure, and BuildRequires: libcap-devel
But starting syslog-ng now fails with:
linux-0a57:~ # syslog-ng -v
syslog-ng: Error parsing capabilities: cap_net_bind_service,cap_net_broadcast,cap_net_raw,cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner=p cap_syslog=ep
I was told that this is a sign of a too old capabilities package... cap_syslog was added around 2.6.38
Nice :-/ but not my area of responsibility ;-)

Please direct update requests for libcap to

# om libcap # [1]
bugowner of Base:System/libcap : tiwai@suse.com
maintainer of Base:System/libcap : -

Or just to get this line in the syslog-ng.spec checked in:
Requires: apparmor-profiles apparmor-utils ;-)

Regards,
Christian Boltz

[1] "om" as in "osc maintainer -e openSUSE:Factory" - this alias is quite useful ;-) Please don't confuse it with my (non-random) signature...

-- 
....Ommmmmm ....Ommmmmm .....Ommmmmm
Pendulum ----Pendulum-----Pendulum------
Come on, Axel: usually you do that with the crystal ball. Is it in the dishwasher again?
[Axel Lindlau and Volker Kroll in suse-linux]
Hello, On 09/19/2011 07:54 PM, Christian Boltz wrote:
Hello,
on Monday, 19 September 2011, Peter Czanik wrote:
On 09/15/2011 10:47 PM, Christian Boltz wrote:
I did not enable capabilities support in the syslog-ng package, as it was enforced by AppArmor anyway. But I have to reconsider it, if AppArmor is not installed by default...

Even with AppArmor installed, making your package more secure is always a good idea.
Or you just add a Requires: apparmor-profiles apparmor-utils ;-)

I tried it now and added --with-capabilities to configure, and BuildRequires: libcap-devel
But starting syslog-ng now fails with:
linux-0a57:~ # syslog-ng -v
syslog-ng: Error parsing capabilities: cap_net_bind_service,cap_net_broadcast,cap_net_raw,cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner=p cap_syslog=ep
I was told that this is a sign of a too old capabilities package... cap_syslog was added around 2.6.38

Nice :-/ but not my area of responsibility ;-)
Please direct update requests for libcap to
# om libcap # [1]
bugowner of Base:System/libcap : tiwai@suse.com

Please update libcap to at least 2.20 (factory has 2.19) as that is the first version knowing about CAP_SYSLOG according to http://sites.google.com/site/fullycapable/release-notes-for-libcap
Or just to get this line in the syslog-ng.spec checked in:
Requires: apparmor-profiles apparmor-utils ;-)

Well, I'd love to, but syslog-ng is probably not the right package to pull it in. Do you have a pointer why it is not installed by default any more? I did a quick search of the archives, but could not find it. Personally I think it was one of the best features of openSUSE. Unlike SELinux, it does not require a PhD in computer security to get it working...

Bye,
CzP
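The "Error parsing capabilities" failure Peter reported and the libcap 2.20 requirement he found, as an added example that is neither syslog-ng nor libcap code: a small parser for the cap_from_text(3)-style string syslog-ng passes, which reports which capability names a given libcap release cannot translate. The per-release table is this example's own assumption, seeded only from the thread's statement that 2.20 is the first release knowing CAP_SYSLOG.

```python
import re

# The capability string from the syslog-ng error in this thread (the line
# break inside cap_dac_read_search in the mail was a wrap artifact).
SYSLOG_NG_CAPS = ('cap_net_bind_service,cap_net_broadcast,cap_net_raw,'
                  'cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner=p '
                  'cap_syslog=ep')

# Linux capability names in numeric order (CAP_CHOWN = 0 ... CAP_SYSLOG = 34).
CAP_NAMES = (
    'chown dac_override dac_read_search fowner fsetid kill setgid setuid '
    'setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw '
    'ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct '
    'sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod '
    'lease audit_write audit_control setfcap mac_override mac_admin syslog'
).split()

# Highest capability number each libcap release has a name for. The thread
# states 2.20 is the first release knowing CAP_SYSLOG; that 2.19 stops at
# CAP_MAC_ADMIN (33) is an assumption made for this example.
LIBCAP_MAX_CAP = {'2.19': 33, '2.20': 34, '2.22': 34}

# One clause: NAMES (or "all"), an operator, then flags drawn from e, i, p.
CLAUSE_RE = re.compile(r'^(all|[a-z_0-9,]+)([=+-])([eip]*)$')


def known_caps(libcap_version):
    """Set of cap_* names the given libcap release can translate."""
    return {'cap_' + n for n in CAP_NAMES[:LIBCAP_MAX_CAP[libcap_version] + 1]}


def parse_cap_text(text, known):
    """Parse a cap_from_text(3)-style string into {cap_name: set(flags)}.
    Clauses are whitespace-separated; '=' sets the flag set, '+' adds to
    it and '-' removes from it. Raises ValueError on a name not in `known`,
    which is what an old libcap does for cap_syslog."""
    caps = {}
    for clause in text.split():
        m = CLAUSE_RE.match(clause)
        if not m:
            raise ValueError('malformed clause: ' + clause)
        names, op, flags = m.groups()
        names = sorted(known) if names == 'all' else names.split(',')
        unknown = [n for n in names if n not in known]
        if unknown:
            raise ValueError('unknown capabilities: ' + ','.join(unknown))
        for n in names:
            current = caps.setdefault(n, set())
            if op == '=':
                current.clear()
            if op == '-':
                current.difference_update(flags)
            else:
                current.update(flags)
    return caps


def unknown_caps(text, libcap_version):
    """Names in `text` that the given libcap release would reject."""
    known = known_caps(libcap_version)
    names = set()
    for clause in text.split():
        m = CLAUSE_RE.match(clause)
        if m and m.group(1) != 'all':
            names.update(m.group(1).split(','))
    return sorted(names - known)
```

`unknown_caps(SYSLOG_NG_CAPS, '2.19')` returns `['cap_syslog']`, matching the failure in the thread, while the same string parses cleanly against the 2.20 or 2.22 table.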
Peter Czanik wrote:
Personally I think it was one of the best features of openSUSE. Unlike SELinux, it does not require a PhD in computer security to get it working... Bye,
+1

-- 
Per Jessen, Zürich (11.0°C)
At Mon, 19 Sep 2011 19:54:26 +0200, Christian Boltz wrote:
Hello,
on Monday, 19 September 2011, Peter Czanik wrote:
On 09/15/2011 10:47 PM, Christian Boltz wrote:
I did not enable capabilities support in the syslog-ng package, as it was enforced by AppArmor anyway. But I have to reconsider it, if AppArmor is not installed by default...
Even with AppArmor installed, making your package more secure is always a good idea.
Or you just add a Requires: apparmor-profiles apparmor-utils ;-)
I tried it now and added --with-capabilities to configure, and BuildRequires: libcap-devel
But starting syslog-ng now fails with:
linux-0a57:~ # syslog-ng -v
syslog-ng: Error parsing capabilities: cap_net_bind_service,cap_net_broadcast,cap_net_raw,cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner=p cap_syslog=ep
I was told that this is a sign of a too old capabilities package... cap_syslog was added around 2.6.38
Nice :-/ but not my area of responsibility ;-)
Please direct update requests for libcap to
# om libcap # [1] bugowner of Base:System/libcap : tiwai@suse.com
maintainer of Base:System/libcap : -
As kernel.org is down, I can't get the latest source for now. If anyone already updated it, feel free to submit.

thanks,
Takashi
On Tuesday, September 20, 2011 09:06:22 Takashi Iwai wrote:
At Mon, 19 Sep 2011 19:54:26 +0200,
Christian Boltz wrote:
Hello,
on Monday, 19 September 2011, Peter Czanik wrote:
On 09/15/2011 10:47 PM, Christian Boltz wrote:
I did not enable capabilities support in the syslog-ng package, as it was enforced by AppArmor anyway. But I have to reconsider it, if AppArmor is not installed by default...
Even with AppArmor installed, making your package more secure is always a good idea.
Or you just add a Requires: apparmor-profiles apparmor-utils ;-)
I tried it now and added --with-capabilities to configure, and BuildRequires: libcap-devel
But starting syslog-ng now fails with:
linux-0a57:~ # syslog-ng -v
syslog-ng: Error parsing capabilities: cap_net_bind_service,cap_net_broadcast,cap_net_raw,cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner=p cap_syslog=ep
I was told that this is a sign of a too old capabilities package... cap_syslog was added around 2.6.38
Nice :-/ but not my area of responsibility ;-)
Please direct update requests for libcap to
# om libcap # [1] bugowner of Base:System/libcap : tiwai@suse.com
maintainer of Base:System/libcap : -
As kernel.org is down, I can't get the latest source for now. If anyone already updated it, feel free to submit.
I found 2.22 - will update and do a submitrequest,

Andreas
-- 
Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126
At Tue, 20 Sep 2011 09:34:18 +0200, Andreas Jaeger wrote:
On Tuesday, September 20, 2011 09:06:22 Takashi Iwai wrote:
At Mon, 19 Sep 2011 19:54:26 +0200,
Christian Boltz wrote:
Hello,
on Monday, 19 September 2011, Peter Czanik wrote:
On 09/15/2011 10:47 PM, Christian Boltz wrote:
I did not enable capabilities support in the syslog-ng package, as it was enforced by AppArmor anyway. But I have to reconsider it, if AppArmor is not installed by default...
Even with AppArmor installed, making your package more secure is always a good idea.
Or you just add a Requires: apparmor-profiles apparmor-utils ;-)
I tried it now and added --with-capabilities to configure, and BuildRequires: libcap-devel
But starting syslog-ng now fails with:
linux-0a57:~ # syslog-ng -v
syslog-ng: Error parsing capabilities: cap_net_bind_service,cap_net_broadcast,cap_net_raw,cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner=p cap_syslog=ep
I was told that this is a sign of a too old capabilities package... cap_syslog was added around 2.6.38
Nice :-/ but not my area of responsibility ;-)
Please direct update requests for libcap to
# om libcap # [1] bugowner of Base:System/libcap : tiwai@suse.com
maintainer of Base:System/libcap : -
As kernel.org is down, I can't get the latest source for now. If anyone already updated it, feel free to submit.
I found 2.22 - will update and do a submitrequest,
Thanks!

Takashi
On 09/20/2011 09:34 AM, Andreas Jaeger wrote:
On Tuesday, September 20, 2011 09:06:22 Takashi Iwai wrote:
At Mon, 19 Sep 2011 19:54:26 +0200,
Christian Boltz wrote:
Hello,
on Monday, 19 September 2011, Peter Czanik wrote:
On 09/15/2011 10:47 PM, Christian Boltz wrote:
I did not enable capabilities support in the syslog-ng package, as it was enforced by AppArmor anyway. But I have to reconsider it, if AppArmor is not installed by default...

Even with AppArmor installed, making your package more secure is always a good idea.
Or you just add a Requires: apparmor-profiles apparmor-utils ;-)

I tried it now and added --with-capabilities to configure, and BuildRequires: libcap-devel
But starting syslog-ng now fails with:
linux-0a57:~ # syslog-ng -v
syslog-ng: Error parsing capabilities: cap_net_bind_service,cap_net_broadcast,cap_net_raw,cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner=p cap_syslog=ep
I was told that this is a sign of a too old capabilities package... cap_syslog was added around 2.6.38

Nice :-/ but not my area of responsibility ;-)
Please direct update requests for libcap to
# om libcap # [1] bugowner of Base:System/libcap : tiwai@suse.com
maintainer of Base:System/libcap : -

As kernel.org is down, I can't get the latest source for now. If anyone already updated it, feel free to submit.

I found 2.22 - will update and do a submitrequest,

Thank you!

Bye,
CzP
participants (6): Andreas Jaeger, Christian Boltz, Per Jessen, Peter Czanik, Roger Luedecke, Takashi Iwai