Project

General

Profile

Actions
Copy link

action #45920

closed

[sle][security] aa_enforce: apparmor 2.13.2 introduced nscd as profile name

Added by dimstar over 5 years ago. Updated about 4 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
llzhao
Category:
Bugs in existing tests
Target version:
-
Start date:
2019-01-10
Due date:
% Done:

0%

Estimated time:
Difficulty:

Description

Observation

openQA test in scenario opensuse-Tumbleweed-DVD-x86_64-apparmor@64bit fails in
aa_enforce

Reproducible

Fails since (at least) Build 20181231

Expected result

Last good: 20181224 (or more recent)

Further details

Always latest result in this scenario: latest

We no longer have a profile for /usr/sbin/nscd, due to this diff in the profile definition:

--- /etc/apparmor.d/usr.sbin.nscd 2018-12-19 23:10:32.000000000 +0100
+++ usr.sbin.nscd 2019-01-08 20:02:54.000000000 +0100
@@ -10,7 +10,7 @@
# ------------------------------------------------------------------

#include
-/usr/sbin/nscd {
+profile nscd /usr/{bin,sbin}/nscd {
#include
#include
#include

Since this is now a named profile, it is listed with the name, not with the path of the binary it guards (as it matches two binaries now)

This needs to be reflected in the way we test here

Actions
Copy link
 #1

Updated by dimstar over 5 years ago 

--- /etc/apparmor.d/usr.sbin.nscd   2018-12-19 23:10:32.000000000 +0100
+++ usr.sbin.nscd   2019-01-08 20:02:54.000000000 +0100
@@ -10,7 +10,7 @@
 # ------------------------------------------------------------------

 #include <tunables/global>
-/usr/sbin/nscd {
+profile nscd /usr/{bin,sbin}/nscd {
   #include <abstractions/base>
   #include <abstractions/consoles>
   #include <abstractions/nameservice>

The diff, hopefully better readable

Actions
Copy link
 #2

Updated by cboltz over 5 years ago

See https://bugzilla.opensuse.org/show_bug.cgi?id=1120472#c14 for the fix (untested, but I'm quite sure it will work ;-)

Actions
Copy link
 #3

Updated by agraul over 5 years ago

  • Subject changed from aa_enforce: apparmor 2.13.2 introduced nscd as profile name to [sle][security] aa_enforce: apparmor 2.13.2 introduced nscd as profile name
Actions
Copy link
 #4

Updated by llzhao about 4 years ago

  • Status changed from New to Rejected
  • Assignee set to llzhao

Sorry, did not noticed this poo.
Assigned this poo to me and "reject" it as there is no this issue now.

It might be duplicated with this one "poo#45980 - [sle][security][sle15sp1] apparmor aa_autodep & aa_genprof tests need doing cleanup "

Actions
Copy link

Also available in: Atom PDF