https://bugzilla.novell.com/show_bug.cgi?id=408877
Summary: logprof drops the complain flag from subprofiles
Product: openSUSE 11.0
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Critical
Priority: P5 - None
Component: AppArmor
AssignedTo: jjohansen@novell.com
ReportedBy: poeml@novell.com
QAContact: qa@suse.de
Found By: ---
I set a profile (/usr/sbin/sshd) into complain mode (with the
'complain' tool), which added the flag to all profiles:
===================================================================
--- usr.sbin.sshd (revision 61)
+++ usr.sbin.sshd (revision 62)
@@ -69,7 +69,7 @@
@{PROC}/[0-9]*/mounts r,
- ^AUTHENTICATED {
+ ^AUTHENTICATED flags=(complain) {
#include
#include
#include
@@ -91,7 +91,7 @@
}
- ^EXEC {
+ ^EXEC flags=(complain) {
#include
@@ -108,7 +108,7 @@
}
- ^PRIVSEP {
+ ^PRIVSEP flags=(complain) {
#include
#include
@@ -120,7 +120,7 @@
}
- ^PRIVSEP_MONITOR {
+ ^PRIVSEP_MONITOR flags=(complain) {
#include
#include
#include
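Review bot: none of the four hunks (-69, -91, -108, -120) touches the top-level profile header, so these lines do not show whether /usr/sbin/sshd itself is in complain mode or only its hats ^AUTHENTICATED, ^EXEC, ^PRIVSEP and ^PRIVSEP_MONITOR. Include the header line in the report, or state that it already carried flags=(complain) in revision 61, so the parent's mode is unambiguous when comparing against the later logprof write.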
===================================================================
Now, running logprof shows two problems. One is that it suggests changes,
which it will write, but it will suggest them again the next time:
===================================================================
Profile: /usr/sbin/sshd
Path: /var/log/wtmp
Old Mode: w
New Mode: w + owner k
Severity: unknown
[1 - /var/log/wtmp]
[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish /
(O)pts
Adding /var/log/wtmp w + owner k to profile.
Profile: /usr/sbin/sshd
Path: /var/run/utmp
Old Mode: rw
New Mode: rw + owner k
Severity: unknown
[1 - /var/run/utmp]
[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish /
(O)pts
===================================================================
(I get these suggestions each time I run logprof, even though they are in the
profile. This is similar to the other bug I reported, where the network
mediation flags are ignored.)
But logprof does make a change, which is unintended. It removes the complain flag
from the subprofiles:
===================================================================
--- usr.sbin.sshd (revision 62)
+++ usr.sbin.sshd (working copy)
@@ -1,4 +1,4 @@
-# Last Modified: Mon Jul 14 14:29:09 2008
+# Last Modified: Mon Jul 14 14:34:41 2008
# $Id: usr.sbin.sshd 697 2007-05-25 03:09:30Z steve-beattie $
# ------------------------------------------------------------------
#
@@ -69,7 +69,7 @@
@{PROC}/[0-9]*/mounts r,
- ^AUTHENTICATED flags=(complain) {
+ ^AUTHENTICATED {
#include
#include
#include
@@ -91,7 +91,7 @@
}
- ^EXEC flags=(complain) {
+ ^EXEC {
#include
@@ -108,7 +108,7 @@
}
- ^PRIVSEP flags=(complain) {
+ ^PRIVSEP {
#include
#include
@@ -120,7 +120,7 @@
}
- ^PRIVSEP_MONITOR flags=(complain) {
+ ^PRIVSEP_MONITOR {
#include
#include
#include
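Review bot: flags=(complain) must survive the write-back on the ^AUTHENTICATED, ^EXEC, ^PRIVSEP and ^PRIVSEP_MONITOR header lines (hunks at -69, -91, -108, -120); as written, each hat returns to its revision 61 header and so leaves complain mode. Apart from the Last Modified timestamp, none of the visible hunks adds the /var/log/wtmp rule that logprof reported adding, so the only effective change is the flag removal. logprof should carry each hat's flags through when it serializes the profile, and a diff of the profile after every logprof run would catch this before the profile is reloaded.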
===================================================================
I gave this bug a higher severity because it looks as if it has the
potential to lock the admin out.
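
A check for the regression described in this report, as an added example that is not part of the original bug report or of AppArmor's own tools: it compares the profile and hat headers of two revisions of a profile and lists the blocks that lost flags=(complain). The function names and the sample profile text are constructed for illustration; the hat names are the ones in the diffs above.

```python
import re

# Header of a profile or hat, e.g. "/usr/sbin/sshd flags=(complain) {" or "^EXEC {".
HEADER = re.compile(
    r'^\s*(?P<name>[/^]\S*)\s*(?:flags=\((?P<flags>[^)]*)\))?\s*\{\s*$')

def block_flags(profile_text):
    """Map each profile/hat header name to the set of flags it declares."""
    result = {}
    for line in profile_text.splitlines():
        if line.lstrip().startswith('#'):   # comments and #include lines
            continue
        m = HEADER.match(line)
        if m:
            raw = m.group('flags') or ''
            result[m.group('name')] = {f for f in re.split(r'[,\s]+', raw) if f}
    return result

def dropped_flags(before_text, after_text, flag='complain'):
    """Names of blocks that declared `flag` before a rewrite but not after it."""
    before, after = block_flags(before_text), block_flags(after_text)
    return sorted(name for name, flags in before.items()
                  if flag in flags and name in after and flag not in after[name])

# Constructed sample, modelled on the hunks in this report (not the real profile).
BEFORE = """\
/usr/sbin/sshd flags=(complain) {
  /var/log/wtmp w,
  ^AUTHENTICATED flags=(complain) {
    /var/run/utmp rw,
  }
  ^EXEC flags=(complain) {
  }
  ^PRIVSEP flags=(complain) {
  }
  ^PRIVSEP_MONITOR flags=(complain) {
  }
}
"""
# Simulate the write-back shown in the second diff: hats lose their flags.
AFTER = re.sub(r'(\^\S+) flags=\(complain\)', r'\1', BEFORE)

if __name__ == '__main__':
    for name in dropped_flags(BEFORE, AFTER):
        print(f'complain flag dropped from {name}')
```

Run against the saved copy of a profile and the file logprof just wrote, a non-empty result means some block would go back to enforce mode on the next reload.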