action #44960

apparmor denies access to asset cache on o3

Added by okurz over 1 year ago. Updated over 1 year ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Concrete Bugs
Target version:
Start date: 2018-12-10
Due date:
% Done: 0%
Estimated time:
Difficulty: easy
Duration:

Description

[10/12/2018 16:25:15] <okurz> coolo, Martchus: https://openqa.opensuse.org/admin/assets tells me "Unable to request asset status: cache file for asset status not found", any hints?
[10/12/2018 16:30:24] <coolo> okurz: I blame apparmor :)
[10/12/2018 16:31:25] <coolo> okurz: file an issue
[10/12/2018 16:31:26] <coolo> type=AVC msg=audit(1544396713.147:609410): apparmor="DENIED" operation="mknod" profile="/usr/share/openqa/script/openqa" name="/var/lib/openqa/webui/cache/asset-status.json" pid=10471 comm="openqa" requested_mask="c" denied_mask="c" fsuid=493 ouid=49

History

#1 Updated by coolo over 1 year ago

  • Subject changed from apparmor denies access to asset cache on o3? to apparmor denies access to asset cache on o3
  • Target version set to Current Sprint
  • Difficulty set to easy

#2 Updated by mkittler over 1 year ago

  • Assignee set to mkittler

I actually took that into account: https://github.com/os-autoinst/openQA/commit/e273827a88bafe42f773ca22f1305973a3552880#diff-1301a83c168a26018ba7608a50a83e16

Not sure what is missing. The directory it attempts to access seems to match the one I've added to the apparmor profile.

#3 Updated by okurz over 1 year ago

I can see that the page now works correctly after someone or something restarted/reloaded apparmor on o3. Maybe we can introduce a dependency of the services on the apparmor service so that the apparmor service reloads whenever the other services restart?

#4 Updated by coolo over 1 year ago

The services don't matter - but apparmor needs to be restarted on deployment. And I'm pretty sure we had code for that in our spec files - that obviously no longer works, as apparmor had been running for 7 weeks when I looked yesterday.

Transactional reboots to the rescue ;)

#5 Updated by okurz over 1 year ago

I don't understand "services don't matter - but apparmor needs to be restarted".

There is

%postun
%service_del_postun %{openqa_services}
%restart_on_update boot.apparmor

in
https://github.com/os-autoinst/openQA/blob/master/openQA.spec#L332

I don't know what "boot.apparmor" is, shouldn't it just be "apparmor" instead of "boot.apparmor"?

#6 Updated by coolo over 1 year ago

"the services don't matter" == "it doesn't matter when our services are restarted". But it does matter when our apparmor profile changes - on deployment.

So the spec file needs to be fixed, boot.apparmor is 12SP2 material - but we're on >SP3 everywhere

#7 Updated by mkittler over 1 year ago

  • Status changed from New to In Progress

#8 Updated by okurz over 1 year ago

  • Status changed from In Progress to Feedback
  • Assignee changed from mkittler to okurz

PR merged. Thanks! I will check on next deployment if the service is properly triggered.

#9 Updated by mkittler over 1 year ago

  • Status changed from Feedback to Resolved
  • Assignee changed from okurz to mkittler

I've just had a look and it now works.
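
The diagnosis reached in this thread, as an added example that is not part of the ticket or of openQA's code: parse the AppArmor denial and check it against the rules of the on-disk profile, so that a denial the file already permits is reported as a stale loaded profile rather than a missing rule. ON_DISK_RULES is a constructed stand-in for the real profile, the function names are hypothetical, and the glob matcher handles only `**`, `*` and `?`.

```python
import re

# Record from the ticket, as shown on the page (it is cut off after ouid=49).
RECORD = ('type=AVC msg=audit(1544396713.147:609410): apparmor="DENIED" '
          'operation="mknod" profile="/usr/share/openqa/script/openqa" '
          'name="/var/lib/openqa/webui/cache/asset-status.json" pid=10471 '
          'comm="openqa" requested_mask="c" denied_mask="c" fsuid=493 ouid=49')

# Constructed stand-in for the file rules of the on-disk profile (assumption).
ON_DISK_RULES = ["/usr/share/openqa/** r,", "/var/lib/openqa/webui/cache/** rw,"]

# Log masks that a rule permission covers: "w" also grants create/delete/append.
COVERS = {"r": "r", "w": "wcda", "a": "a", "x": "x", "m": "m", "k": "k", "l": "l"}

def parse_record(line):
    """Return the key=value fields of one audit record as a dict."""
    fields = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        value = quoted or bare
        # auditd hex-encodes untrusted strings (e.g. paths with spaces), unquoted.
        if bare and key in ("name", "comm", "profile") and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = value
    return fields

def glob_to_regex(glob):
    """Translate the AppArmor globs **, * and ? (subset; no {} or [] support)."""
    out = ""
    for token in re.findall(r"\*\*|\*|\?|.", glob):
        out += {"**": ".*", "*": "[^/]*", "?": "[^/]"}.get(token, re.escape(token))
    return re.compile(out)

def allowed_by(rules, path, mask):
    """True if some rule matches path and its permissions cover every mask letter."""
    for rule in rules:
        glob, perms = rule.rstrip(",").rsplit(None, 1)
        granted = "".join(COVERS.get(p, "") for p in perms)
        if glob_to_regex(glob).fullmatch(path) and set(mask) <= set(granted):
            return True
    return False

def diagnose(line, rules):
    """Classify a denial as a stale loaded profile or a genuinely missing rule."""
    rec = parse_record(line)
    if rec.get("apparmor") != "DENIED":
        return "not a denial"
    if allowed_by(rules, rec["name"], rec["denied_mask"]):
        return "stale: on-disk profile allows this; reload the profile"
    return "missing rule: on-disk profile does not allow this"
```

For the record in this ticket, `diagnose(RECORD, ON_DISK_RULES)` reports the stale case, which matches what was found on o3.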
