I post this here so that the maintainer of AppArmor sees it and corrects what I think are bugs.

When I installed 10.1 I had to add some rules to AppArmor or postfix mail delivery with amavis would fail. These are the modifications I made then:

/etc/apparmor.d/usr.lib.postfix.qmgr:
  /{var/spool/postfix/,}private/smtp-amavis w,
  /{var/spool/postfix/,}public/flush w,

/etc/apparmor.d/usr.lib.postfix.smtpd:
  /{var/spool/postfix,}/pid/inet.localhost rw,
  /{var/spool/postfix,}/pid/inet.localhost:10025 rw,

/etc/apparmor.d/usr.lib.postfix.master:
  /usr/lib/postfix/lmtp px,

These modifications pertain to these log entries:

Jul 5 13:03:05 nimrodel postfix/smtpd[5615]: fatal: open lock file pid/inet.localhost:10025: cannot open file: Operation not permit
Jul 5 13:03:06 nimrodel postfix/master[22973]: warning: process /usr/lib/postfix/smtpd pid 5615 exit status 1
Jul 5 13:10:35 nimrodel postfix/master[5908]: warning: /usr/lib/postfix/lmtp: bad command startup -- throttling
Jul 5 13:11:35 nimrodel master[5985]: fatal: master_spawn: exec /usr/lib/postfix/lmtp: Operation not permitted

I don't know if the correct procedure is to modify those files directly, but that's what I did and it works.

Now, I have another problem. Today I had some hundred emails being downloaded, and the command mailq took a long time before failing to complete. I saw this log entry:

Jul 21 20:00:46 nimrodel postfix/showq[18412]: fatal: open incoming 564677F01D: Operation not permitted
Jul 21 20:00:47 nimrodel postfix/master[4587]: warning: process /usr/lib/postfix/showq pid 18412 exit status 1
Jul 21 20:00:47 nimrodel postfix/master[4587]: warning: /usr/lib/postfix/showq: bad command startup -- throttling

Then I looked at /var/log/audit/audit.log, and sure, there was a problem:

type=APPARMOR msg=audit(1153504846.751:1344): REJECTING r access to /var/spool/postfix/incoming/564677F01D (showq(18412) profile /usr/lib/postfix/showq active /usr/lib/postfix/showq)

So I go to /etc/apparmor.d/usr.lib.postfix.showq, and see this:

  /{var/spool/postfix/,}incoming r,
  /{var/spool/postfix/,}incoming/[0-9A-F] r,
  /{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F] r,
  /{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/* r,
  /{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]* r,
  /{var/spool/postfix/,}incoming/[0-0A-F]* r,

Now, the question: should the last line be

  /{var/spool/postfix/,}incoming/[0-9A-F]* r,

instead? Notice that it is very difficult for me to test this: not till I get another mail with a certain ID will it work or fail.

Is this a bug? Should all those modifications be included by SuSE in a patch?

-- 
Cheers,
Carlos Robinson
Carlos E. R. wrote:
> I post this here so that the maintainer of AppArmor sees it and corrects what I think are bugs.

Thank you! Yes, this is exactly what we need from users: discoveries of how your use cases differ from ours, so that we can improve the profiles.
However, the apparmor-general list is more specific, and therefore more appropriate, than the suse-security list, so I have posted to both and directed followups to apparmor-general.
> When I installed 10.1 I had to add some rules to AppArmor or postfix mail delivery with amavis would fail. These are the modifications I made then:
> ...
> I don't know if the correct procedure is to modify those files directly, but that's what I did and it works.

AppArmor does allow you to manually modify the profiles, and the syntax was designed to make this easy to do.
However, the much, much easier way is to let AppArmor fix it for you. If you grep for APPARMOR in /var/log/audit/audit.log you will find REJECT events where AppArmor blocked the accesses that cause you problems. If you run the "logprof" program (as root, and not confined by AppArmor) it will inspect the audit.log file for events, and prompt you for what to do with them. It will automatically expand your profiles to allow the accesses that were blocked.

Note: logprof does not know the difference between an access that was blocked because the profile was too tight, and an access blocked because an intruder was trying to hack in. So if you are running logprof on a machine exposed to the internet, please read the questions logprof asks and think about the answers :)
> Then I looked at /var/log/audit/audit.log, and sure, there was a problem:
>
> type=APPARMOR msg=audit(1153504846.751:1344): REJECTING r access to /var/spool/postfix/incoming/564677F01D (showq(18412) profile /usr/lib/postfix/showq active /usr/lib/postfix/showq)

Yes, like that :)

> So I go to /etc/apparmor.d/usr.lib.postfix.showq, and see this:
>
>   /{var/spool/postfix/,}incoming r,
>   /{var/spool/postfix/,}incoming/[0-9A-F] r,
>   /{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F] r,
>   /{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/* r,
>   /{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]* r,
>   /{var/spool/postfix/,}incoming/[0-0A-F]* r,
>
> Now, the question: should the last line be
>
>   /{var/spool/postfix/,}incoming/[0-9A-F]* r,
>
> instead?

Yes.

> Notice that it is very difficult for me to test this: not till I get another mail with a certain ID will it work or fail.

You are right, that is a very subtle bug.

IMHO, it is because the profile we shipped was hand-tuned to be as tight as possible, and the bug you found was a human-generated typo. It would not have happened if the profile had been automatically generated by logprof.

Crispin

-- 
Crispin Cowan, Ph.D.  http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com
Hack: adroit engineering solution to an unanticipated problem
Hacker: one who is adroit at pounding round pegs into square holes
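As an added, self-contained check (not code from this thread, from SUSE or from the AppArmor tools), the following Python script parses the REJECTING event quoted above, translates each rule of the shipped showq profile into a regex and reports which rule, if any, would have allowed the rejected access: with the `[0-0A-F]*` line none does, with `[0-9A-F]*` the last rule does. The glob translation is my assumption about the subset of AppArmor path syntax these rules use (brace alternation, bracket classes, `*` within one path component, `**` across components), and the event format is the old `REJECTING ...` form shown in the thread.

```python
import re
# Constructed sample: the REJECTING event quoted in the thread (one line of
# `grep APPARMOR /var/log/audit/audit.log` in the AppArmor 2.0 era format).
AUDIT_LINE = ("type=APPARMOR msg=audit(1153504846.751:1344): REJECTING r access to "
              "/var/spool/postfix/incoming/564677F01D (showq(18412) profile "
              "/usr/lib/postfix/showq active /usr/lib/postfix/showq)")
REJECT_RE = re.compile(r"REJECTING (?P<mode>\w+) access to (?P<path>\S+) "
                       r"\((?P<prog>\w+)\((?P<pid>\d+)\) profile (?P<profile>\S+)")

def parse_reject(line):
    """Mode, path, program, pid and profile of a REJECTING event, or None."""
    m = REJECT_RE.search(line)
    return m.groupdict() if m else None

def glob_body(p):
    """AppArmor path glob -> Python regex. Assumed subset: {a,b} alternation
    (not nested), [..] classes, * within one component, ** across components."""
    out, i = [], 0
    while i < len(p):
        if p.startswith("**", i):
            out.append(".*"); i += 2
        elif p[i] == "*":
            out.append("[^/]*"); i += 1
        elif p[i] == "{":
            j = p.index("}", i)
            out.append("(?:" + "|".join(glob_body(a) for a in p[i + 1:j].split(",")) + ")")
            i = j + 1
        elif p[i] == "[":
            j = p.index("]", i)
            out.append(p[i:j + 1]); i = j + 1   # a class is valid regex as-is
        else:
            out.append(re.escape(p[i])); i += 1
    return "".join(out)

def allowing_rule(rules, path, mode):
    """First rule whose glob matches `path` and grants every letter of `mode`."""
    for rule in rules:
        rpath, rmode = rule.strip().rstrip(",").split()
        if re.fullmatch(glob_body(rpath), path) and set(mode) <= set(rmode):
            return rule
    return None

def check(audit_line, rules):
    """Which rule, if any, would have allowed the access the audit line rejected."""
    ev = parse_reject(audit_line)
    return allowing_rule(rules, ev["path"], ev["mode"]) if ev else None

PREFIX = "/{var/spool/postfix/,}incoming"   # showq rules as shipped (last has the typo) and fixed
SHIPPED = [PREFIX + s + " r," for s in ["", "/[0-9A-F]", "/[0-9A-F]/[0-9A-F]",
           "/[0-9A-F]/[0-9A-F]/*", "/[0-9A-F]/[0-9A-F]*", "/[0-0A-F]*"]]
FIXED = SHIPPED[:-1] + [PREFIX + "/[0-9A-F]* r,"]
```

`check(AUDIT_LINE, SHIPPED)` returns None, reproducing the rejection, while `check(AUDIT_LINE, FIXED)` returns the corrected last rule.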
The Sunday 2006-07-23 at 22:23 -0700, Crispin Cowan wrote:
> However, the apparmor-general list is more specific, and therefore more appropriate, than the suse-security list, so I have posted to both and directed followups to apparmor-general.
However, that list is not in http://www.suse.com/en/private/support/online_help/mailinglists/, thus I can't subscribe.
> However, the much, much easier way is to let AppArmor fix it for you. If you grep for APPARMOR in /var/log/audit/audit.log you will find REJECT events where AppArmor blocked the accesses that cause you problems. If you run the "logprof" program (as root, and not confined by AppArmor) it will inspect the audit.log file for events, and prompt you for what to do with them. It will automatically expand your profiles to allow the accesses that were blocked.
I see. Yes, I'll use that next time.
> Note: logprof does not know the difference between an access that was blocked because the profile was too tight, and an access blocked because an intruder was trying to hack in. So if you are running logprof on a machine exposed to the internet, please read the questions logprof asks and think about the answers :)
Makes sense.
>> So I go to /etc/apparmor.d/usr.lib.postfix.showq, and see this:
>>
>>   /{var/spool/postfix/,}incoming r,
>>   /{var/spool/postfix/,}incoming/[0-9A-F] r,
>>   /{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F] r,
>>   /{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/* r,
>>   /{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]* r,
>>   /{var/spool/postfix/,}incoming/[0-0A-F]* r,
>>
>> Now, the question: should the last line be
>>
>>   /{var/spool/postfix/,}incoming/[0-9A-F]* r,
>>
>> instead?
>
> Yes.
Now comes a second problem: this weekend, YOU applied an update to apparmor.d, and the profile usr.lib.postfix.showq has disappeared. In fact, all postfix profiles have disappeared:

nimrodel:~ # l /etc/apparmor.d/*postfix.*
-rw-r--r-- 1 root root 1998 Jul 5 13:12 /etc/apparmor.d/usr.lib.postfix.master.rpmsave
-rw-r--r-- 1 root root 3221 Jul 5 13:02 /etc/apparmor.d/usr.lib.postfix.qmgr.rpmsave
-rw-r--r-- 1 root root 2489 Jul 5 13:15 /etc/apparmor.d/usr.lib.postfix.smtpd.rpmsave

See? Only the backups are there. Even grepping for the word "postfix" only finds it in 'program-chunks/postfix-common'.

What now?

-- 
Cheers,
Carlos E. R.
Carlos E. R. wrote:
> Now comes a second problem: this weekend, YOU applied an update to apparmor.d, and the profile usr.lib.postfix.showq has disappeared. In fact, all postfix profiles have disappeared:
Check /etc/apparmor/profiles/extras

-- 
Joe Morris
Registered Linux user 231871
The Monday 2006-07-24 at 21:56 +0800, Joe Morris (NTM) wrote:
> Carlos E. R. wrote:
>> Now comes a second problem: this weekend, YOU applied an update to apparmor.d, and the profile usr.lib.postfix.showq has disappeared. In fact, all postfix profiles have disappeared:
>
> Check /etc/apparmor/profiles/extras
Right, there it is, and with the bug. I have corrected it.

I hate when they do these unexplained changes in mid-distro :-( ... The readme there states that those profiles are inactive. I.e., they have deactivated the postfix profiles, and many other problematic profiles. The dog is dead, so no rabies anymore, illness cured :-(

-- 
Cheers,
Carlos E. R.
Carlos E. R. wrote:
> The Sunday 2006-07-23 at 22:23 -0700, Crispin Cowan wrote:
>> However, the apparmor-general list is more specific, and therefore more appropriate, than the suse-security list, so I have posted to both and directed followups to apparmor-general.
>
> However, that list is not in http://www.suse.com/en/private/support/online_help/mailinglists/, thus I can't subscribe.

It is here: http://forge.novell.com/mailman/listinfo/apparmor-general
Crispin
Participants (3): Carlos E. R., Crispin Cowan, Joe Morris (NTM)