Apparmor uses rsyslogd profile for different processes - utopic HWE
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apparmor (Ubuntu) | Fix Released | Undecided | Unassigned |
Trusty | Fix Released | Medium | Steve Beattie |
linux (Ubuntu) | Confirmed | Undecided | John Johansen |
Trusty | Confirmed | Undecided | John Johansen |
linux-lts-utopic (Ubuntu) | Invalid | Undecided | Unassigned |
Trusty | Invalid | Undecided | Unassigned |
rsyslog (Ubuntu) | Fix Released | Undecided | Unassigned |
Trusty | Fix Released | Undecided | Steve Beattie |
Bug Description
[apparmor impact]
This bug generates false positives when using the apparmor regression
tests on the HWE kernels (utopic and newer), which means the kernel team
needs to examine test output to ensure that additional failures didn't
occur when testing new kernels.
[apparmor test case]
1) install hwe kernel libapparmor-dev libdbus-1-dev attr
2) apt-get source apparmor
3) cd apparmor-
4) make USE_SYSTEM=1
5) sudo bash unix_socket_file.sh
If the bug has not been addressed, this test script will fail with the
following messages:
Error: unix_socket_file failed. Test 'socket file (dgram); confined server / access (w)' was expected to 'pass'. Reason for failure 'FAIL CLIENT - connect: Permission denied
FAIL - poll timed out'
Error: unix_socket_file failed. Test 'socket file (dgram); confined client w/ access (rw)' was expected to 'pass'. Reason for failure 'FAIL CLIENT - connect: Permission denied
FAIL - poll timed out'
and a return code of 2 (echo $?). If it has been fixed it should return
silently, with a return code of 0.
[apparmor regression potential]
The patch for this bug only affects the test suite for apparmor, which
is a loosening of the policy used in the specific failing testcases.
There should be no effect on the apparmor implementation proper from
this fix.
[apparmor additional info]
This testsuite is run as part of the test-apparmor.py test script
from lp:qa-regression-testing, and used as part of the kernel update
process, but is useful for ensuring that apparmor is functioning
properly.
[Original description]
I've noticed that apparmor loads /usr/sbin/rsyslogd profile for completely unrelated processes:
Feb 25 08:36:19 emma kernel: [ 134.796218] audit: type=1400 audit(142484257
Feb 25 08:36:23 emma kernel: [ 139.330989] audit: type=1400 audit(142484258
Feb 25 08:35:42 emma kernel: [ 97.912402] audit: type=1400 audit(142484254
Feb 25 08:34:43 emma kernel: [ 38.867998] audit: type=1400 audit(142484248
I'm not sure how apparmor decides which profile to use for which task, but it shouldn't load '/usr/sbin/
I'm running:
# lsb_release -rd
Description: Ubuntu 14.04.2 LTS
Release: 14.04
# dpkg -l | grep apparmor
ii apparmor 2.8.95~
ii apparmor-profiles 2.8.95~
ii apparmor-utils 2.8.95~
ii libapparmor-perl 2.8.95~
ii libapparmor1:amd64 2.8.95~
ii python3-apparmor 2.8.95~
ii python3-libapparmor 2.8.95~
# uname -a
Linux emma 3.16.0-31-generic #41~14.04.1-Ubuntu SMP Wed Feb 11 19:30:13 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
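A triage helper for logs like the ones quoted above, as an added example that is not part of the original report: it parses AppArmor audit lines and lists, per profile, the denials whose `comm` does not match the profile's binary. The sample lines are constructed (the report's own lines are cut off), and the name comparison is a heuristic assumed here, not AppArmor's attachment logic.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed sample lines in the kernel's AppArmor audit format (type=1400);
# hostnames, pids, operations and paths are illustrative only.
SAMPLE_LOG = '''\
Feb 25 08:36:19 host kernel: [  134.796218] audit: type=1400 audit(1424842579.101:40): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=2101 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 25 08:36:23 host kernel: [  139.330989] audit: type=1400 audit(1424842583.202:41): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=2240 comm="cron" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 25 08:36:30 host kernel: [  146.100000] audit: type=1400 audit(1424842590.303:42): apparmor="DENIED" operation="open" profile="/usr/sbin/rsyslogd" name="/var/spool/example" pid=812 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 25 08:34:43 host kernel: [   38.867998] audit: type=1400 audit(1424842483.404:12): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/rsyslogd" pid=640 comm="apparmor_parser"
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit(line):
    """Return the key=value fields of an AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {key: quoted if quoted else bare
            for key, quoted, bare in FIELD.findall(line)}


def mismatched_denials(log_text):
    """Map profile -> sorted comm values that differ from the profile's binary."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        event = parse_audit(line)
        if not event or event.get("apparmor") != "DENIED":
            continue
        profile, comm = event.get("profile", ""), event.get("comm", "")
        if not profile.startswith("/"):
            continue  # named profile, no binary path to compare against
        # The kernel truncates comm to 15 characters (TASK_COMM_LEN - 1).
        if comm != PurePosixPath(profile).name[:15]:
            hits[profile].add(comm)
    return {profile: sorted(comms) for profile, comms in hits.items()}


if __name__ == "__main__":
    for profile, comms in mismatched_denials(SAMPLE_LOG).items():
        print(f"{profile}: denials attributed to {', '.join(comms)}")
```

Daemons that rename their threads report those names in `comm`, so a hit is a prompt to read the full audit record, not proof of a wrong profile attachment.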
Changed in linux (Ubuntu Trusty): status: Incomplete → Confirmed
Changed in linux (Ubuntu): status: Incomplete → Confirmed
tags: added: patch
description: updated
These errors started appearing in the log since Feb 21 when I rebooted to complete Utopic HWE installation: lts-utopic 3.16.0.31.24 amd64 Complete Generic Linux kernel and headers generic- lts-utopic 3.16.0.31.24 amd64 Generic Linux kernel headers generic- lts-utopic 3.16.0.31.24 amd64 Generic Linux kernel image
# dpkg -l | grep utopic
ii linux-generic-
ii linux-headers-
ii linux-image-