action #44960
closed
apparmor denies access to asset cache on o3
Description
[10/12/2018 16:25:15] <okurz> coolo, Martchus: https://openqa.opensuse.org/admin/assets tells me "Unable to request asset status: cache file for asset status not found", any hints?
[10/12/2018 16:30:24] <coolo> okurz: I blame apparmor :)
[10/12/2018 16:31:25] <coolo> okurz: file an issue
[10/12/2018 16:31:26] <coolo> type=AVC msg=audit(1544396713.147:609410): apparmor="DENIED" operation="mknod" profile="/usr/share/openqa/script/openqa" name="/var/lib/openqa/webui/cache/asset-status.json" pid=10471 comm="openqa" requested_mask="c" denied_mask="c" fsuid=493 ouid=49
Updated by coolo almost 6 years ago
- Subject changed from apparmor denies access to asset cache on o3? to apparmor denies access to asset cache on o3
- Target version set to Current Sprint
- Difficulty set to easy
Updated by mkittler almost 6 years ago
- Assignee set to mkittler
I actually took that into account: https://github.com/os-autoinst/openQA/commit/e273827a88bafe42f773ca22f1305973a3552880#diff-1301a83c168a26018ba7608a50a83e16
Not sure what is missing. The directory it attempts to access seems to match the one I've added to the apparmor profile.
Updated by okurz almost 6 years ago
I can see that the page now works correctly after someone or something restarted/reloaded apparmor on o3. Maybe we can introduce a dependency of the services on the apparmor service so that the apparmor service reloads whenever the other services restart?
Updated by coolo almost 6 years ago
the services don't matter - but apparmor needs to be restarted on deployment. And I'm pretty sure we had code for that in our spec files - that obviously no longer works, as apparmor had been running for 7 weeks when I looked yesterday.
Transactional reboots to the rescue ;)
Updated by okurz almost 6 years ago
I don't understand "services don't matter - but apparmor needs to be restarted".
There is

    %postun
    %service_del_postun %{openqa_services}
    %restart_on_update boot.apparmor

in https://github.com/os-autoinst/openQA/blob/master/openQA.spec#L332
I don't know what "boot.apparmor" is. Shouldn't it just be "apparmor" instead of "boot.apparmor"?
Updated by coolo almost 6 years ago
"the services don't matter" == "it doesn't matter when our services are restarted". But it does matter when our apparmor profile changes - on deployment.
So the spec file needs to be fixed; boot.apparmor is 12SP2 material - but we're on >SP3 everywhere.
Updated by mkittler almost 6 years ago
- Status changed from New to In Progress
Updated by okurz almost 6 years ago
- Status changed from In Progress to Feedback
- Assignee changed from mkittler to okurz
PR merged. Thanks! I will check on next deployment if the service is properly triggered.
Updated by mkittler almost 6 years ago
- Status changed from Feedback to Resolved
- Assignee changed from okurz to mkittler
I've just had a look and it now works.
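
An added example, not part of the ticket or of openQA's code: the situation diagnosed in this thread (a denial for a path the updated profile already covers, because the running AppArmor had not reloaded it) can be told apart from a genuinely missing rule by comparing the audit record with the on-disk profile text. The profile fragment below is constructed, the matcher handles only the `**`, `*` and `?` globs with a simplified mask-to-permission mapping, and all function names are hypothetical.

```python
import re

# Audit record quoted in the ticket description (copied as it appears there).
AVC = ('type=AVC msg=audit(1544396713.147:609410): apparmor="DENIED" '
       'operation="mknod" profile="/usr/share/openqa/script/openqa" '
       'name="/var/lib/openqa/webui/cache/asset-status.json" pid=10471 '
       'comm="openqa" requested_mask="c" denied_mask="c" fsuid=493 ouid=49')

# Constructed profile text standing in for the on-disk file; NOT the real openQA profile.
ON_DISK = """
/usr/share/openqa/script/openqa {
  /usr/share/openqa/** r,
  /var/lib/openqa/webui/cache/ rw,
  /var/lib/openqa/webui/cache/** rw,
}
"""

# Audit mask letter -> profile permission letters that grant it (simplified assumption).
GRANTED_BY = {"r": "r", "w": "w", "a": "wa", "c": "w", "d": "w"}

def parse_avc(line):
    """Return the key=value fields of an audit record, quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def glob_to_regex(glob):
    """Translate the AppArmor globs handled here: ** (any), * and ? (no '/')."""
    out = ""
    for tok in re.findall(r'\*\*|\*|\?|.', glob):
        out += {"**": ".*", "*": "[^/]*", "?": "[^/]"}.get(tok, re.escape(tok))
    return re.compile(out + r"\Z")

def file_rules(profile_text):
    """Yield (glob, perms) for simple 'path perms,' file rules."""
    for m in re.finditer(r'^\s*(?:owner\s+)?(/\S*)\s+([a-zA-Z]+),\s*$', profile_text, re.M):
        yield m.group(1), m.group(2)

def diagnose(avc_line, profile_text):
    """Classify a denial as 'stale' (disk allows it) or 'missing' (no rule)."""
    ev = parse_avc(avc_line)
    if ev.get("apparmor") != "DENIED":
        return "not a denial"
    for glob, perms in file_rules(profile_text):
        if glob_to_regex(glob).match(ev["name"]) and all(
                set(GRANTED_BY.get(c, c)) & set(perms) for c in ev["denied_mask"]):
            return "stale: on-disk rule %s %s allows this; reload the profile" % (glob, perms)
    return "missing: no on-disk rule grants %s on %s" % (ev["denied_mask"], ev["name"])

if __name__ == "__main__":
    print(diagnose(AVC, ON_DISK))
```

A "stale" result means the denial came from the profile still loaded in the kernel, so the fix belongs in the deployment step that reloads AppArmor rather than in the profile itself.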