Project

General

Profile

action #111036

[sle][security][backlog] test should fails in apache2_changehat: as there are some unexpected "DENIED" audit records

Added by llzhao about 2 months ago. Updated about 1 month ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Bugs in existing tests
Target version:
-
Start date:
2022-05-13
Due date:
% Done:

100%

Estimated time:
8.00 h
Difficulty:

Description

Test should fails in apache2_changehat: as there are some unexpected "DENIED" audit records:
Such as:
http://openqa.suse.de/tests/8739779#step/apache2_changehat/132

apache2_changehat-audit.log

grep DENIED apache2_changehat-audit_log 
type=AVC msg=audit(1652335921.062:792): apparmor="DENIED" operation="file_receive" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/httpd-prefork" name="run/nscd/dbmw7g9I" pid=8036 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1652335921.078:793): apparmor="DENIED" operation="open" profile="/usr/sbin/httpd-prefork" name="/etc/ssl/openssl.cnf" pid=8036 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1652335921.078:794): apparmor="DENIED" operation="file_receive" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/httpd-prefork" name="var/lib/nscd/passwd" pid=8036 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1652335921.078:795): apparmor="DENIED" operation="file_receive" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/httpd-prefork" name="var/lib/nscd/group" pid=8036 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1652335921.086:796): apparmor="DENIED" operation="signal" profile="/usr/sbin/httpd-prefork" pid=8036 comm="httpd-prefork" requested_mask="send" denied_mask="send" signal=winch peer="unconfined"
type=AVC msg=audit(1652335921.238:798): apparmor="DENIED" operation="file_receive" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/httpd-prefork" name="run/nscd/dbmw7g9I" pid=8044 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1652335921.250:799): apparmor="DENIED" operation="open" profile="/usr/sbin/httpd-prefork" name="/etc/ssl/openssl.cnf" pid=8044 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1652335921.250:800): apparmor="DENIED" operation="file_receive" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/httpd-prefork" name="var/lib/nscd/passwd" pid=8044 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1652335921.250:801): apparmor="DENIED" operation="file_receive" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/httpd-prefork" name="var/lib/nscd/group" pid=8044 comm="httpd-prefork" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1652335951.710:807): apparmor="DENIED" operation="mknod" profile="/usr/sbin/httpd-prefork//adminer" name="/tmp/adminer.version" pid=8051 comm="httpd-prefork" requested_mask="c" denied_mask="c" fsuid=465 ouid=465

apache2_changehat-error_log

Command line: '/usr/sbin/httpd-prefork -D SYSCONFIG -C PidFile /run/httpd.pid -C Include /etc/apache2/sysconfig.d//loadmodule.conf -C Include /etc/apache2/sysconfig.d//global.conf -f /etc/apache2/httpd.conf -c Include /etc/apache2/sysconfig.d//include.conf -D SYSTEMD -D FOREGROUND'
[Thu May 12 02:10:45.882086 2022] [apparmor:error] [pid 7934] (1)Operation not permitted: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
[Thu May 12 02:10:45.882244 2022] [apparmor:error] [pid 7935] (1)Operation not permitted: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
[Thu May 12 02:10:45.882395 2022] [apparmor:error] [pid 7933] (1)Operation not permitted: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
[Thu May 12 02:10:45.883003 2022] [apparmor:error] [pid 7936] (1)Operation not permitted: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
[Thu May 12 02:10:45.883117 2022] [apparmor:error] [pid 7932] (1)Operation not permitted: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'

History

#1 Updated by llzhao about 2 months ago

  • Category set to Bugs in existing tests

#2 Updated by llzhao about 2 months ago

FYI also: Bug 1191684 - Apparmor profile test case "apache2_changehat" found some "DENIED" audit records of profile="/usr/sbin/httpd-prefork"

#3 Updated by llzhao about 2 months ago

  • Assignee set to llzhao

#4 Updated by llzhao about 2 months ago

  • Assignee changed from llzhao to shawnhao

#5 Updated by llzhao about 2 months ago

  • Assignee changed from shawnhao to llzhao

#6 Updated by llzhao about 2 months ago

  • Assignee changed from llzhao to rfan1

#7 Updated by rfan1 about 2 months ago

Bug 1191684 - Apparmor profile test case "apache2_changehat" found some "DENIED" audit records of profile="/usr/sbin/httpd-prefork" (edit)

Let me try to enhance the test code

#8 Updated by rfan1 about 1 month ago

  • Assignee changed from rfan1 to StarryWang

#9 Updated by rfan1 about 1 month ago

  • Assignee changed from StarryWang to rfan1

assign back to myself since Starry is pto

#11 Updated by rfan1 about 1 month ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 50
  • Estimated time changed from 16.00 h to 8.00 h

#12 Updated by rfan1 about 1 month ago

  • Status changed from In Progress to Feedback
  • % Done changed from 50 to 90

https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/14968
Let me check the next O3 result, and mark the bug number

#13 Updated by rfan1 about 1 month ago

  • Status changed from Feedback to Resolved
  • % Done changed from 90 to 100

Also available in: Atom PDF