[opensuse-security] apparmor DENIED despite rule
Hello,
I get messages like
type=AVC msg=audit(1408524808.350:451575): apparmor="DENIED" operation="open" profile="/usr/bin/vlc" name="/usr/share/icons/oxygen/index.theme" pid=11244 comm="vlc" requested_mask="r" denied_mask="r" fsuid=500 ouid=0
Though I have set this rule:
/usr/share/icons/**/ rk,
I wonder, why does this rule not work?
Similar things happen with other things.
Thanks
On Wed, Aug 20, 2014 at 10:57:04AM +0200, pinguin74 wrote:
> Hello,
> I get messages like
> type=AVC msg=audit(1408524808.350:451575): apparmor="DENIED" operation="open" profile="/usr/bin/vlc" name="/usr/share/icons/oxygen/index.theme" pid=11244 comm="vlc" requested_mask="r" denied_mask="r" fsuid=500 ouid=0
> Though I have set this rule:
> /usr/share/icons/**/ rk,
> I wonder, why does this rule not work?
> Similar things happen with other things.
logprof should decode and handle that.
Also, is the new profile loaded? If you just edit it with a text editor, it will not become active automatically.
Ciao, Marcus
--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-security+owner@opensuse.org
On 20.08.2014 11:08, Marcus Meissner wrote:
> On Wed, Aug 20, 2014 at 10:57:04AM +0200, pinguin74 wrote:
> > Hello,
> > I get messages like
> > type=AVC msg=audit(1408524808.350:451575): apparmor="DENIED" operation="open" profile="/usr/bin/vlc" name="/usr/share/icons/oxygen/index.theme" pid=11244 comm="vlc" requested_mask="r" denied_mask="r" fsuid=500 ouid=0
> > Though I have set this rule:
> > /usr/share/icons/**/ rk,
> > I wonder, why does this rule not work?
> > Similar things happen with other things.
> logprof should decode and handle that.
> Also, is the new profile loaded? If you just edit it with a text editor, it will not become active automatically.
I guess it was bad syntax, instead of
/usr/share/icons/**/ rk,
I think it should be
/usr/share/icons/** rk,
One more thing, I get access requests I don't understand:
type=AVC msg=audit(1408525713.601:451780): apparmor="DENIED" operation="open" profile="/usr/bin/vlc" name=2F686F6D652F6D616C74655F67656C6C2F2E69636F6E732F4772696666696E20456D6265727320437572736F72732F637572736F72732F6C6566745F707472 pid=11933 comm="vlc" requested_mask="r" denied_mask="r" fsuid=500 ouid=5
What is this numeric monster 2F686F6D652F6D616C74655F67656C6C2..... vlc wants to access?
Thanks
On Wed, Aug 20, 2014 at 11:13:16AM +0200, pinguin74 wrote:
> On 20.08.2014 11:08, Marcus Meissner wrote:
> > On Wed, Aug 20, 2014 at 10:57:04AM +0200, pinguin74 wrote:
> > > Hello,
> > > I get messages like
> > > type=AVC msg=audit(1408524808.350:451575): apparmor="DENIED" operation="open" profile="/usr/bin/vlc" name="/usr/share/icons/oxygen/index.theme" pid=11244 comm="vlc" requested_mask="r" denied_mask="r" fsuid=500 ouid=0
> > > Though I have set this rule:
> > > /usr/share/icons/**/ rk,
> > > I wonder, why does this rule not work?
> > > Similar things happen with other things.
> > logprof should decode and handle that.
> > Also, is the new profile loaded? If you just edit it with a text editor, it will not become active automatically.
> I guess it was bad syntax, instead of
> /usr/share/icons/**/ rk,
> I think it should be
> /usr/share/icons/** rk,
> One more thing, I get access requests I don't understand:
> type=AVC msg=audit(1408525713.601:451780): apparmor="DENIED" operation="open" profile="/usr/bin/vlc" name=2F686F6D652F6D616C74655F67656C6C2F2E69636F6E732F4772696666696E20456D6265727320437572736F72732F637572736F72732F6C6566745F707472 pid=11933 comm="vlc" requested_mask="r" denied_mask="r" fsuid=500 ouid=5
> What is this numeric monster 2F686F6D652F6D616C74655F67656C6C2..... vlc wants to access?
It is an ASCII-encoded string with special characters (where special can be SPACE or ").
2F = / 68 = h 6F = o ...
There seems to be a space (20) inside a path you access.
Ciao, Marcus
> > What is this numeric monster 2F686F6D652F6D616C74655F67656C6C2..... vlc wants to access?
> It is an ASCII-encoded string with special characters (where special can be SPACE or ").
> 2F = / 68 = h 6F = o ...
> There seems to be a space (20) inside a path you access.
That's odd, do I now need to decode all these numeric strings first....
Hello,
On Wednesday, 20 August 2014, pinguin74 wrote:
> > > What is this numeric monster 2F686F6D652F6D616C74655F67656C6C2..... vlc wants to access?
> > It is an ASCII-encoded string with special characters (where special can be SPACE or ").
> > 2F = / 68 = h 6F = o ...
> > There seems to be a space (20) inside a path you access.
> That's odd, do I now need to decode all these numeric strings first....
If you are bored, you can decode it manually. Otherwise, just run
aa-decode 2F686F6D652F6D616C74655F67656C6C2F2E69636F6E732F4772696666696E20456D6265727320437572736F72732F637572736F72732F6C6566745F707472
;-)
You can also pipe the logfile through aa-decode, and it will decode everything on the fly:
tail -f /var/log/audit/audit.log | aa-decode
Regards,
Christian Boltz
--
It's several weeks since I last got bitten by this. Maybe this is only luck, or maybe this is caused by some application which I am using and which got fixed meanwhile. Ah ah, of course I only had to write that for it to happen again to me today! [Jean Delvare in https://bugzilla.novell.com/782909#c6 and #c7]
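An added example, not from the thread and not the aa-decode tool itself: a small Python parser that does for an audit line what Marcus describes and aa-decode automates, namely recognise an unquoted name= value as hex-encoded ASCII and decode it back to the path. The first sample line is the quoted one from the thread; the second is constructed, with name= being the hex encoding of a constructed path that contains a space.

```python
import re

# Sample audit lines in the format from the thread. The second line is
# constructed: its name= value is the hex encoding of the constructed path
# "/home/user/My Icons/index.theme". Because that path contains a space,
# the audit subsystem emits it unquoted as uppercase hex instead of in quotes.
SAMPLE_LOG = """\
type=AVC msg=audit(1408524808.350:451575): apparmor="DENIED" operation="open" profile="/usr/bin/vlc" name="/usr/share/icons/oxygen/index.theme" pid=11244 comm="vlc" requested_mask="r" denied_mask="r" fsuid=500 ouid=0
type=AVC msg=audit(1408525713.601:451780): apparmor="DENIED" operation="open" profile="/usr/bin/vlc" name=2F686F6D652F757365722F4D792049636F6E732F696E6465782E7468656D65 pid=11933 comm="vlc" requested_mask="r" denied_mask="r" fsuid=500 ouid=5
"""

# key=value pairs; a value is either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Only these fields are hex-encoded when they appear unquoted. Numeric fields
# such as pid= are also bare tokens made of hex digits, so they must not be decoded.
HEX_ENCODED_FIELDS = {"name", "comm", "proctitle"}


def decode_audit_value(key, raw):
    """Return the plain value: strip quotes, or hex-decode an encoded field."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_ENCODED_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        # Paths are byte strings; keep undecodable bytes visible rather than failing.
        return bytes.fromhex(raw).decode("utf-8", errors="backslashreplace")
    return raw


def parse_audit_line(line):
    """Parse one audit line into a dict of decoded fields."""
    return {key: decode_audit_value(key, raw) for key, raw in FIELD_RE.findall(line)}


def denied_paths(log_text):
    """Return (profile, decoded path, denied_mask) for every AppArmor DENIED line."""
    results = []
    for line in log_text.splitlines():
        record = parse_audit_line(line)
        if record.get("apparmor") == "DENIED" and "name" in record:
            results.append((record["profile"], record["name"], record["denied_mask"]))
    return results


if __name__ == "__main__":
    for profile, path, mask in denied_paths(SAMPLE_LOG):
        print(f"{profile}: denied {mask!r} on {path}")
```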
On Wed, Aug 20, 2014 at 11:13:16AM +0200, pinguin74 wrote:
> I guess it was bad syntax, instead of
> /usr/share/icons/**/ rk,
> I think it should be
> /usr/share/icons/** rk,
It's not bad syntax, the rules just do different things. With the first rule you match every directory below /usr/share/icons/, with the second rule you match everything below /usr/share/icons/.
Johannes
--
Johannes Segitz
SuSE Security Team
GPG Key E7C81FA0 EE16 6BCE AD56 E034 BFB3 3ADD 7BF7 29D5 E7C8 1FA0
SUSE LINUX Products GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
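Johannes's distinction, as an added example that is not from the thread and not the AppArmor parser: a simplified model of AppArmor path globbing (assumptions: "**" spans "/", "*" does not, and a directory access is logged with a trailing "/"), checked with both rules from the thread against the denied file from the log and a directory below /usr/share/icons/.

```python
import re


def apparmor_glob_to_regex(rule_path):
    """Translate an AppArmor path glob into an anchored regular expression.

    Simplified model (an assumption for this example, not the real parser):
    '**' matches any run of characters including '/', '*' matches any run
    of characters except '/', '?' matches one character other than '/',
    and everything else is literal.
    """
    parts = []
    i = 0
    while i < len(rule_path):
        if rule_path.startswith("**", i):
            parts.append(".*")
            i += 2
        elif rule_path[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif rule_path[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(rule_path[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def rule_matches(rule_path, accessed_path):
    """True if the path from a log line is covered by the rule's path glob.

    AppArmor reports directory accesses with a trailing '/', so a rule whose
    path ends in '/' can only ever match directories, never files.
    """
    return apparmor_glob_to_regex(rule_path).match(accessed_path) is not None


if __name__ == "__main__":
    # The rule from the thread versus the corrected one, against the denied
    # file from the log and a directory below /usr/share/icons/.
    for rule in ("/usr/share/icons/**/", "/usr/share/icons/**"):
        for path in ("/usr/share/icons/oxygen/index.theme", "/usr/share/icons/oxygen/"):
            print(f"{rule:22} {path:38} {rule_matches(rule, path)}")
```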
Participants (4): Christian Boltz, Johannes Segitz, Marcus Meissner, pinguin74