action #111036
closed [sle][security][backlog] test should fail in apache2_changehat, as there are some unexpected "DENIED" audit records
Start date: 2022-05-13
Due date:
% Done: 100%
Estimated time: 8.00 h
Difficulty:
Description
Test should fail in apache2_changehat, as there are some unexpected "DENIED" audit records, such as:
http://openqa.suse.de/tests/8739779#step/apache2_changehat/132
apache2_changehat-audit.log
grep DENIED apache2_changehat-audit_log
type=AVC msg=audit(1652335921.062:792): apparmor="DENIED" operation="file_receive" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/httpd-prefork" name="run/nscd/dbmw7g9I" pid=8036 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1652335921.078:793): apparmor="DENIED" operation="open" profile="/usr/sbin/httpd-prefork" name="/etc/ssl/openssl.cnf" pid=8036 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1652335921.078:794): apparmor="DENIED" operation="file_receive" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/httpd-prefork" name="var/lib/nscd/passwd" pid=8036 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1652335921.078:795): apparmor="DENIED" operation="file_receive" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/httpd-prefork" name="var/lib/nscd/group" pid=8036 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1652335921.086:796): apparmor="DENIED" operation="signal" profile="/usr/sbin/httpd-prefork" pid=8036 comm="httpd-prefork" requested_mask="send" denied_mask="send" signal=winch peer="unconfined"
type=AVC msg=audit(1652335921.238:798): apparmor="DENIED" operation="file_receive" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/httpd-prefork" name="run/nscd/dbmw7g9I" pid=8044 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1652335921.250:799): apparmor="DENIED" operation="open" profile="/usr/sbin/httpd-prefork" name="/etc/ssl/openssl.cnf" pid=8044 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1652335921.250:800): apparmor="DENIED" operation="file_receive" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/httpd-prefork" name="var/lib/nscd/passwd" pid=8044 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1652335921.250:801): apparmor="DENIED" operation="file_receive" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/httpd-prefork" name="var/lib/nscd/group" pid=8044 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1652335951.710:807): apparmor="DENIED" operation="mknod" profile="/usr/sbin/httpd-prefork//adminer" name="/tmp/adminer.version" pid=8051 comm="httpd-prefork" requested_mask="c" denied_mask="c" fsuid=465 ouid=465
apache2_changehat-error_log
Command line: '/usr/sbin/httpd-prefork -D SYSCONFIG -C PidFile /run/httpd.pid -C Include /etc/apache2/sysconfig.d//loadmodule.conf -C Include /etc/apache2/sysconfig.d//global.conf -f /etc/apache2/httpd.conf -c Include /etc/apache2/sysconfig.d//include.conf -D SYSTEMD -D FOREGROUND'
[Thu May 12 02:10:45.882086 2022] [apparmor:error] [pid 7934] (1)Operation not permitted: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
[Thu May 12 02:10:45.882244 2022] [apparmor:error] [pid 7935] (1)Operation not permitted: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
[Thu May 12 02:10:45.882395 2022] [apparmor:error] [pid 7933] (1)Operation not permitted: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
[Thu May 12 02:10:45.883003 2022] [apparmor:error] [pid 7936] (1)Operation not permitted: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
[Thu May 12 02:10:45.883117 2022] [apparmor:error] [pid 7932] (1)Operation not permitted: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
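An added example, not part of the ticket or of the openQA test code: one way a test could fail on unexpected AppArmor denials, by parsing the AVC records and collapsing repeats across worker PIDs. The function names and the `expected` allowlist parameter are hypothetical; which denials a test treats as expected is an assumption left to the caller.

```python
import re
from collections import Counter

# Records copied from the audit log quoted in this ticket, plus one
# constructed non-DENIED record (first line) to show that it is ignored.
SAMPLE_LOG = '''\
type=AVC msg=audit(1652335900.000:700): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/httpd-prefork" pid=8000 comm="apparmor_parser"
type=AVC msg=audit(1652335921.062:792): apparmor="DENIED" operation="file_receive" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/httpd-prefork" name="run/nscd/dbmw7g9I" pid=8036 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1652335921.078:793): apparmor="DENIED" operation="open" profile="/usr/sbin/httpd-prefork" name="/etc/ssl/openssl.cnf" pid=8036 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1652335921.086:796): apparmor="DENIED" operation="signal" profile="/usr/sbin/httpd-prefork" pid=8036 comm="httpd-prefork" requested_mask="send" denied_mask="send" signal=winch peer="unconfined"
type=AVC msg=audit(1652335921.250:799): apparmor="DENIED" operation="open" profile="/usr/sbin/httpd-prefork" name="/etc/ssl/openssl.cnf" pid=8044 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1652335951.710:807): apparmor="DENIED" operation="mknod" profile="/usr/sbin/httpd-prefork//adminer" name="/tmp/adminer.version" pid=8051 comm="httpd-prefork" requested_mask="c" denied_mask="c" fsuid=465 ouid=465
'''

# key=value pairs; a value is either double-quoted (may contain spaces) or bare
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_avc(line):
    """Return the fields of one AppArmor AVC record as a dict, or None."""
    if "type=AVC" not in line or "apparmor=" not in line:
        return None
    return {key: (bare or quoted) for key, quoted, bare in FIELD_RE.findall(line)}

def denials(log_text):
    """Yield (profile, hat, operation, target) for every DENIED record."""
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue
        # "profile//hat" names a change_hat subprofile such as //adminer
        profile, _, hat = rec.get("profile", "").partition("//")
        # signal records carry no name=, so describe the signal and peer instead
        target = rec.get("name") or "signal=%s peer=%s" % (rec.get("signal"), rec.get("peer"))
        yield profile, hat, rec.get("operation", "?"), target

def unexpected_denials(log_text, expected=frozenset()):
    """Count DENIED records not in the allowlist; repeats across PIDs collapse."""
    return Counter(d for d in denials(log_text) if d not in expected)

def check(log_text, expected=frozenset()):
    """Return (passed, report); a test would fail when passed is False."""
    found = unexpected_denials(log_text, expected)
    report = ["%dx profile=%s hat=%s op=%s target=%s" % (n, p, h or "-", o, t)
              for (p, h, o, t), n in sorted(found.items())]
    return (not found, report)

if __name__ == "__main__":
    ok, lines = check(SAMPLE_LOG)
    print("PASS" if ok else "FAIL: unexpected DENIED records", *lines, sep="\n")
```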
Updated by llzhao almost 2 years ago
FYI also: Bug 1191684 - Apparmor profile test case "apache2_changehat" found some "DENIED" audit records of profile="/usr/sbin/httpd-prefork"
Updated by rfan1 almost 2 years ago
Bug 1191684 - Apparmor profile test case "apache2_changehat" found some "DENIED" audit records of profile="/usr/sbin/httpd-prefork"
Let me try to enhance the test code
Updated by rfan1 almost 2 years ago
- Assignee changed from StarryWang to rfan1
Assign back to myself since Starry is on PTO
Updated by rfan1 almost 2 years ago
- Status changed from New to In Progress
- % Done changed from 0 to 50
- Estimated time changed from 16.00 h to 8.00 h
Updated by rfan1 almost 2 years ago
- Status changed from In Progress to Feedback
- % Done changed from 50 to 90
https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/14968
Let me check the next O3 result, and mark the bug number
Updated by rfan1 almost 2 years ago
- Status changed from Feedback to Resolved
- % Done changed from 90 to 100