[opensuse-factory] Update to AppArmor 2.13 results in a non-working aa-logprof
Hi
Given Tumbleweed 20180424 with apparmor 2.13 the command "aa-logprof" (as root) hangs, with the error messages
  File "/usr/sbin/aa-logprof", line 54, in <module>
    apparmor.loadincludes()
  File "/usr/lib/python3.6/site-packages/apparmor/aa.py", line 3569, in loadincludes
    load_include(fi)
  File "/usr/lib/python3.6/site-packages/apparmor/aa.py", line 3532, in load_include
    incdata = parse_profile_data(data, incfile, True)
  File "/usr/lib/python3.6/site-packages/apparmor/aa.py", line 2509, in parse_profile_data
    elif not RE_RULE_HAS_COMMA.search(line):
Is this a known issue?
Regards, Frank
-- 
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Sunday 29 April 2018 19:36:08 CEST, Frank Krüger wrote:
Hi
Given Tumbleweed 20180424 with apparmor 2.13 the command "aa-logprof" (as root) hangs, with the error messages
  File "/usr/sbin/aa-logprof", line 54, in <module>
    apparmor.loadincludes()
  File "/usr/lib/python3.6/site-packages/apparmor/aa.py", line 3569, in loadincludes
    load_include(fi)
  File "/usr/lib/python3.6/site-packages/apparmor/aa.py", line 3532, in load_include
    incdata = parse_profile_data(data, incfile, True)
  File "/usr/lib/python3.6/site-packages/apparmor/aa.py", line 2509, in parse_profile_data
    elif not RE_RULE_HAS_COMMA.search(line):
Is this a known issue?
Regards, Frank
Let it run for 15 minutes, it pushed one core to 100%, after hitting Ctrl-C I see the same error messages.
-- 
Gertjan Lettink a.k.a. Knurpht
openSUSE Board Member
openSUSE Forums Team
On 29.04.2018 at 19:45, Knurpht @ openSUSE wrote:
On Sunday 29 April 2018 19:36:08 CEST, Frank Krüger wrote:
Hi
Given Tumbleweed 20180424 with apparmor 2.13 the command "aa-logprof" (as root) hangs, with the error messages
  File "/usr/sbin/aa-logprof", line 54, in <module>
    apparmor.loadincludes()
  File "/usr/lib/python3.6/site-packages/apparmor/aa.py", line 3569, in loadincludes
    load_include(fi)
  File "/usr/lib/python3.6/site-packages/apparmor/aa.py", line 3532, in load_include
    incdata = parse_profile_data(data, incfile, True)
  File "/usr/lib/python3.6/site-packages/apparmor/aa.py", line 2509, in parse_profile_data
    elif not RE_RULE_HAS_COMMA.search(line):
Is this a known issue?
Regards, Frank
Let it run for 15 minutes, it pushed one core to 100%, after hitting Ctrl-C I see the same error messages.
I can confirm your observation. Thx. I am still puzzled, because with version 2.12 the apparmor profiles are updated almost immediately. Bug or feature?
Regards, Frank
* Frank Krüger <fkrueger@mailbox.org> [04-29-18 13:38]:
Hi
Given Tumbleweed 20180424 with apparmor 2.13 the command "aa-logprof" (as root) hangs, with the error messages
  File "/usr/sbin/aa-logprof", line 54, in <module>
    apparmor.loadincludes()
  File "/usr/lib/python3.6/site-packages/apparmor/aa.py", line 3569, in loadincludes
    load_include(fi)
  File "/usr/lib/python3.6/site-packages/apparmor/aa.py", line 3532, in load_include
    incdata = parse_profile_data(data, incfile, True)
  File "/usr/lib/python3.6/site-packages/apparmor/aa.py", line 2509, in parse_profile_data
    elif not RE_RULE_HAS_COMMA.search(line):
Is this a known issue?
Tw 20170425 libapparmor1-2.13-2.1.x86_64
# time aa-logprof
Reading log entries from /var/log/audit/audit.log.
Updating AppArmor profiles in /etc/apparmor.d.
real 0m0.915s
user 0m0.907s
sys 0m0.008s
guess I don't "know" it.
-- 
(paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri
http://en.opensuse.org openSUSE Community Member facebook/ptilopteri
Registered Linux User #207535 @ http://linuxcounter.net
Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet freenode
On 29.04.2018 at 20:21, Patrick Shanahan wrote:
* Frank Krüger <fkrueger@mailbox.org> [04-29-18 13:38]:
Hi
Given Tumbleweed 20180424 with apparmor 2.13 the command "aa-logprof" (as root) hangs, with the error messages
  File "/usr/sbin/aa-logprof", line 54, in <module>
    apparmor.loadincludes()
  File "/usr/lib/python3.6/site-packages/apparmor/aa.py", line 3569, in loadincludes
    load_include(fi)
  File "/usr/lib/python3.6/site-packages/apparmor/aa.py", line 3532, in load_include
    incdata = parse_profile_data(data, incfile, True)
  File "/usr/lib/python3.6/site-packages/apparmor/aa.py", line 2509, in parse_profile_data
    elif not RE_RULE_HAS_COMMA.search(line):
Tw 20170425 libapparmor1-2.13-2.1.x86_64
# time aa-logprof
Reading log entries from /var/log/audit/audit.log.
Updating AppArmor profiles in /etc/apparmor.d.
real 0m0.915s
user 0m0.907s
sys 0m0.008s
Which is different from my findings:
time aa-logprof:
Reading log entries from /var/log/audit/audit.log.
Updating AppArmor profiles in /etc/apparmor.d.
real 4m30.135s
user 4m21.425s
sys 0m0.243s
for TW20180425 and libapparmor1-2.13-2.1.x86_64.
Regards, Frank
Hello,
On Sunday, 29 April 2018, 19:36:08 CEST, Frank Krüger wrote:
Given Tumbleweed 20180424 with apparmor 2.13 the command "aa-logprof" (as root) hangs, with the error messages
  File "/usr/sbin/aa-logprof", line 54, in <module>
    apparmor.loadincludes()
  File "/usr/lib/python3.6/site-packages/apparmor/aa.py", line 3569, in loadincludes
    load_include(fi)
  File "/usr/lib/python3.6/site-packages/apparmor/aa.py", line 3532, in load_include
    incdata = parse_profile_data(data, incfile, True)
  File "/usr/lib/python3.6/site-packages/apparmor/aa.py", line 2509, in parse_profile_data
    elif not RE_RULE_HAS_COMMA.search(line):
Is this a known issue?
No, that sounds new to me. (Also, aa-logprof shouldn't run for several minutes, maybe except if you have a really big logfile > 100 MB, and for sure it shouldn't spend minutes in load_include.)
That said - I was able to reproduce the problem, and wonder why it didn't hit me before.
The biggest change in 2.13 [1] is support for shipping precompiled cache and having multiple cache directories. This also comes with a new cache directory layout, including a new symlink /etc/apparmor.d/cache.d pointing to the real cache directory.
Exactly that symlink causes the problem you see, because aa-logprof tries to parse all (binary) files in /etc/apparmor.d/cache.d/ :-(
@Patrick: If you are unable to reproduce this bug, your profiles probably match exactly the upstream profiles, so /etc/apparmor.d/cache.d/ (symlink to /var/cache/apparmor/) is empty and only the precompiled cache in /usr/share/apparmor/cache/ gets used. An additional condition is that you don't have profiles installed by other packages (which don't include precompiled cache yet).
That said - I can offer a selection of hotfixes. Pick one ;-)
a) apply the following patch to /usr/lib/python3.6/site-packages/apparmor/aa.py
--- /usr/lib/python3.6/site-packages/apparmor/aa.py_ORIG +++ /usr/lib/python3.6/site-packages/apparmor/aa.py
@@ -2048,7 +2048,7 @@ def is_skippable_file(path): return False def is_skippable_dir(path): - if re.search('^(.*/)?(disable|cache|force-complain|lxc|\.git)/?$', path): + if re.search('^(.*/)?(disable|cache|cache\.d|force-complain|lxc|\.git)/?$', path): return True return False
to exclude the "cache.d" symlink/directory from parsing.
- or -
b) grab the latest python3-apparmor package from security:apparmor (building right now) which includes the patch from a)
- or -
c) wait until SR 602408 (with the packages from b) reaches Tumbleweed ;-)
Regards,
Christian Boltz
[1] looks like naming it 2.13 did what that number promised...
-- 
[20:01] * mrdocs grabs a snack first
[20:01] <suseROCKs> hmm last time mrdocs said he was going to grab a snack, we didn't see him again for a week
[from #opensuse-project]
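The failure mode described in the message above, reproduced on a constructed directory tree as an added example (not code from the thread or from aa.py). Only the two skip patterns come from the patch; the walker, the `looks_binary` check and the sample file names are assumptions made for illustration.

```python
import os
import re
import tempfile

# Directory-skip patterns quoted in the thread: shipped 2.13 vs. hotfix.
OLD_SKIP = re.compile(r'^(.*/)?(disable|cache|force-complain|lxc|\.git)/?$')
NEW_SKIP = re.compile(r'^(.*/)?(disable|cache|cache\.d|force-complain|lxc|\.git)/?$')

def build_sample_tree(root):
    """Constructed layout: profile dir with a cache.d symlink to a cache dir."""
    profiles = os.path.join(root, 'etc', 'apparmor.d')
    cache = os.path.join(root, 'var', 'cache', 'apparmor')
    os.makedirs(os.path.join(profiles, 'abstractions'))
    os.makedirs(cache)
    with open(os.path.join(profiles, 'abstractions', 'base'), 'w') as f:
        f.write('/etc/ld.so.cache r,\n')  # constructed text rule
    with open(os.path.join(cache, 'usr.bin.example'), 'wb') as f:
        f.write(b'\x04\x08\x00binary\x00policy\x00blob')  # constructed bytes
    os.symlink(cache, os.path.join(profiles, 'cache.d'))
    return profiles

def files_reaching_parser(profile_dir, skip_dir):
    """Hypothetical loader walk: relative paths that would be parsed."""
    found = []
    for dirpath, dirnames, filenames in os.walk(profile_dir, followlinks=True):
        # Prune skipped directories in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames
                       if not skip_dir.search(os.path.join(dirpath, d))]
        for name in filenames:
            found.append(os.path.relpath(os.path.join(dirpath, name), profile_dir))
    return sorted(found)

def looks_binary(path, probe=4096):
    """Heuristic: a NUL byte in the first block means this is not profile text."""
    with open(path, 'rb') as f:
        return b'\x00' in f.read(probe)

def audit(profile_dir, skip_dir):
    """Map each file that would be parsed to whether it looks binary."""
    return {rel: looks_binary(os.path.join(profile_dir, rel))
            for rel in files_reaching_parser(profile_dir, skip_dir)}

if __name__ == '__main__':
    with tempfile.TemporaryDirectory() as tmp:
        d = build_sample_tree(tmp)
        print('2.13 pattern:   ', audit(d, OLD_SKIP))
        print('patched pattern:', audit(d, NEW_SKIP))
```

Calling `audit()` on a real profile directory with the pre-patch pattern lists any binary cache files that such a walk would hand to a text parser.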
On 30.04.2018 at 01:33, Christian Boltz wrote:
Hello,
On Sunday, 29 April 2018, 19:36:08 CEST, Frank Krüger wrote:
Given Tumbleweed 20180424 with apparmor 2.13 the command "aa-logprof" (as root) hangs, with the error messages
  File "/usr/sbin/aa-logprof", line 54, in <module>
    apparmor.loadincludes()
  File "/usr/lib/python3.6/site-packages/apparmor/aa.py", line 3569, in loadincludes
    load_include(fi)
  File "/usr/lib/python3.6/site-packages/apparmor/aa.py", line 3532, in load_include
    incdata = parse_profile_data(data, incfile, True)
  File "/usr/lib/python3.6/site-packages/apparmor/aa.py", line 2509, in parse_profile_data
    elif not RE_RULE_HAS_COMMA.search(line):
Is this a known issue?
No, that sounds new to me. (Also, aa-logprof shouldn't run for several minutes, maybe except if you have a really big logfile > 100 MB, and for sure it shouldn't spend minutes in load_include.)
That said - I was able to reproduce the problem, and wonder why it didn't hit me before.
The biggest change in 2.13 [1] is support for shipping precompiled cache and having multiple cache directories. This also comes with a new cache directory layout, including a new symlink /etc/apparmor.d/cache.d pointing to the real cache directory.
Exactly that symlink causes the problem you see, because aa-logprof tries to parse all (binary) files in /etc/apparmor.d/cache.d/ :-(
@Patrick: If you are unable to reproduce this bug, your profiles probably match exactly the upstream profiles, so /etc/apparmor.d/cache.d/ (symlink to /var/cache/apparmor/) is empty and only the precompiled cache in /usr/share/apparmor/cache/ gets used. An additional condition is that you don't have profiles installed by other packages (which don't include precompiled cache yet).
That said - I can offer a selection of hotfixes. Pick one ;-)
a) apply the following patch to /usr/lib/python3.6/site-packages/apparmor/aa.py
--- /usr/lib/python3.6/site-packages/apparmor/aa.py_ORIG +++ /usr/lib/python3.6/site-packages/apparmor/aa.py @@ -2048,7 +2048,7 @@ def is_skippable_file(path): return False
def is_skippable_dir(path): - if re.search('^(.*/)?(disable|cache|force-complain|lxc|\.git)/?$', path): + if re.search('^(.*/)?(disable|cache|cache\.d|force-complain|lxc|\.git)/?$', path): return True return False
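Review bot: the pattern on the `+` line in is_skippable_dir is still a plain string literal containing `\.`, which Python 3.6 (the interpreter in the patched path) treats as an invalid escape sequence and reports under DeprecationWarning; make it a raw string, r'^(.*/)?(disable|cache|cache\.d|force-complain|lxc|\.git)/?$'. The skip list is matched purely by directory name, so a one-line comment saying that cache.d is the 2.13 symlink to the binary cache would record why the entry is there, and `cache|cache\.d` could be folded into `cache(\.d)?`.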
to exclude the "cache.d" symlink/directory from parsing.
- or -
b) grab the latest python3-apparmor package from security:apparmor (building right now) which includes the patch from a)
Thank you for the speedy fix. Using python3-apparmor from the security apparmor repo, it works as expected:
time aa-logprof
Reading log entries from /var/log/audit/audit.log.
Updating AppArmor profiles in /etc/apparmor.d.
real 0m1,533s
user 0m1,449s
sys 0m0,068s
Regards, Frank
On 30.04.2018 at 07:34, Frank Krüger wrote:
On 30.04.2018 at 01:33, Christian Boltz wrote:
Hello,
On Sunday, 29 April 2018, 19:36:08 CEST, Frank Krüger wrote:
Given Tumbleweed 20180424 with apparmor 2.13 the command "aa-logprof" (as root) hangs, with the error messages
  File "/usr/sbin/aa-logprof", line 54, in <module>
    apparmor.loadincludes()
  File "/usr/lib/python3.6/site-packages/apparmor/aa.py", line 3569, in loadincludes
    load_include(fi)
  File "/usr/lib/python3.6/site-packages/apparmor/aa.py", line 3532, in load_include
    incdata = parse_profile_data(data, incfile, True)
  File "/usr/lib/python3.6/site-packages/apparmor/aa.py", line 2509, in parse_profile_data
    elif not RE_RULE_HAS_COMMA.search(line):
Is this a known issue?
No, that sounds new to me. (Also, aa-logprof shouldn't run for several minutes, maybe except if you have a really big logfile > 100 MB, and for sure it shouldn't spend minutes in load_include.)
That said - I was able to reproduce the problem, and wonder why it didn't hit me before.
The biggest change in 2.13 [1] is support for shipping precompiled cache and having multiple cache directories. This also comes with a new cache directory layout, including a new symlink /etc/apparmor.d/cache.d pointing to the real cache directory.
Exactly that symlink causes the problem you see, because aa-logprof tries to parse all (binary) files in /etc/apparmor.d/cache.d/ :-(
@Patrick: If you are unable to reproduce this bug, your profiles probably match exactly the upstream profiles, so /etc/apparmor.d/cache.d/ (symlink to /var/cache/apparmor/) is empty and only the precompiled cache in /usr/share/apparmor/cache/ gets used. An additional condition is that you don't have profiles installed by other packages (which don't include precompiled cache yet).
Thank you for the speedy fix. Using python3-apparmor from the security apparmor repo, it works as expected:
The issue is fixed with TW20180429. Thx.
Regards, Frank