[opensuse] apparmor / nfs: RPC call returned error 13
I have just 30mins ago updated a webserver which is on Leap15 on nfs root on real iron. Now I'm seeing an increasing number of $SUBJ. Kernel is the latest, 4.12.14-lp150.12.28-default.

A simple thing such as :

  # less srv003057/logs/access-log-20181206.gz
  /usr/bin/lessopen.sh: line 31: mktemp: command not found
  "srv003057/logs/access-log-20181206.gz" may be a binary file. See it anyway?

or

  # less srv003057/logs/access-log-20181206.gz
  /usr/bin/lessopen.sh: line 14: /usr/bin/grep: Permission denied
  /usr/bin/lessopen.sh: line 31: mktemp: command not found

grep and mktemp are both present, but $SUBJ gets in the way. The NFS server was not changed, it's quite ancient.

It looks like this happens with kernel 4.12.14-lp150.12.28 and 4.12.14-lp150.12.25, but with 4.12.14-lp150.12.16 there is no problem.

Apparmor ?

Yes indeed -

  type=AVC msg=audit(1545211515.082:140): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/lessopen.sh" pid=4077 comm="lessopen.sh" laddr=10.42.8.240 lport=980 faddr=10.42.8.254 fport=2049 family="inet" sock_type="stream" protocol=6
  type=AVC msg=audit(1545211515.082:141): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/lessopen.sh" pid=4077 comm="lessopen.sh" laddr=10.42.8.240 lport=980 faddr=10.42.8.254 fport=2049 family="inet" sock_type="stream" protocol=6
  type=AVC msg=audit(1545210738.216:264): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/lessopen.sh" pid=5074 comm="grep" laddr=10.42.8.240 lport=795 faddr=10.42.8.254 fport=2049 family="inet" sock_type="stream" protocol=6
  type=AVC msg=audit(1545210738.216:265): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/lessopen.sh" pid=5074 comm="grep" laddr=10.42.8.240 lport=795 faddr=10.42.8.254 fport=2049 family="inet" sock_type="stream" protocol=6

Just to be complete, a few of these too:

  type=AVC msg=audit(1545209710.736:49): apparmor="DENIED" operation="open" profile="/usr/sbin/nscd" name="/etc/my.cnf" pid=1068 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  type=AVC msg=audit(1545209710.740:50): apparmor="DENIED" operation="open" profile="/usr/sbin/nscd" name="/etc/my.cnf" pid=1068 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I honestly can't think of why nscd should want to read /etc/my.cnf.

I guess this "sendmsg" restriction is new in the most recent kernels?

--
Per Jessen, Zürich (2.9°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org

Per Jessen wrote:
> Apparmor ?
>
> Yes indeed -
>
> type=AVC msg=audit(1545211515.082:140): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/lessopen.sh" pid=4077 comm="lessopen.sh" laddr=10.42.8.240 lport=980 faddr=10.42.8.254 fport=2049 family="inet" sock_type="stream" protocol=6
> type=AVC msg=audit(1545211515.082:141): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/lessopen.sh" pid=4077 comm="lessopen.sh" laddr=10.42.8.240 lport=980 faddr=10.42.8.254 fport=2049 family="inet" sock_type="stream" protocol=6

See http://bugzilla.opensuse.org/show_bug.cgi?id=1119937

--
Per Jessen, Zürich (3.9°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
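
Added example, not part of the original posts: a Python triage script that parses AppArmor AVC records like those quoted in the thread, collapses repeats, and marks network denials whose remote port is 2049 (NFS), which is how a blocked NFS-root file access shows up in the audit log. The sample records are copied from the thread; the function names are hypothetical.

```python
import re
import shlex
from collections import Counter

NFS_PORT = 2049  # remote port seen as fport= in the thread's sendmsg denials

# Sample records copied from the log excerpts quoted in the thread.
SAMPLE = '''\
type=AVC msg=audit(1545211515.082:140): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/lessopen.sh" pid=4077 comm="lessopen.sh" laddr=10.42.8.240 lport=980 faddr=10.42.8.254 fport=2049 family="inet" sock_type="stream" protocol=6
type=AVC msg=audit(1545210738.216:264): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/lessopen.sh" pid=5074 comm="grep" laddr=10.42.8.240 lport=795 faddr=10.42.8.254 fport=2049 family="inet" sock_type="stream" protocol=6
type=AVC msg=audit(1545210738.216:265): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/lessopen.sh" pid=5074 comm="grep" laddr=10.42.8.240 lport=795 faddr=10.42.8.254 fport=2049 family="inet" sock_type="stream" protocol=6
type=AVC msg=audit(1545209710.736:49): apparmor="DENIED" operation="open" profile="/usr/sbin/nscd" name="/etc/my.cnf" pid=1068 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

def parse_avc(line):
    """Return the key=value fields of one AppArmor AVC record, or None."""
    m = re.match(r'type=AVC msg=audit\((\d+\.\d+):(\d+)\): (.*)', line.strip())
    if not m or 'apparmor=' not in m.group(3):
        return None
    fields = {"ts": float(m.group(1)), "serial": int(m.group(2))}
    for tok in shlex.split(m.group(3)):  # shlex removes the double quotes
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val
    return fields

def summarise(text):
    """Count DENIED records per (profile, operation, comm, is_nfs)."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_avc(line)
        if not f or f.get("apparmor") != "DENIED":
            continue
        is_nfs = f.get("fport") == str(NFS_PORT)
        counts[(f.get("profile"), f.get("operation"), f.get("comm"), is_nfs)] += 1
    return counts

def nfs_blocked_profiles(text):
    """Profiles under which traffic to the NFS port was denied."""
    return sorted({p for (p, _op, _comm, is_nfs) in summarise(text) if is_nfs})

if __name__ == "__main__":
    for (profile, op, comm, is_nfs), n in summarise(SAMPLE).most_common():
        tag = "NFS traffic blocked" if is_nfs else "-"
        print(f"{n:3d}  {profile}  {op}  comm={comm}  {tag}")
```
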