[Apparmor-general] problem with profiling sshd under OpenSuSE 10.2
Seth Arnold
seth.arnold at suse.de
Sun Feb 4 22:06:10 MST 2007
On Sat, Feb 03, 2007 at 11:18:02PM +0100, ps wrote:
> Hello
> I have recently spent a few days playing with AppArmor on my OpenSuSE 10.2
> box. I wanted to create an AppArmor profile for my ssh server. I transferred
> the usr.sbin.sshd file which is shipped with OpenSuSE 10.2 to /etc/apparmor.d.
> I reloaded AppArmor (command: rcapparmor restart) and started the ssh server.
> It seemed OK, but when I tried to log in I saw some log trails in
> /var/log/audit/audit.log:
>
> type=APPARMOR msg=audit(1170534772.421:7743): REJECTING access to
> capability 'invalid-capability' (sshd(18736) profile /usr/sbin/sshd
> active /usr/sbin/sshd)
...
> Can anyone explain to me what is wrong with this standard profile shipped
> with OpenSuSE 10.2, or is there a bug in the AppArmor implementation in the
> newest OpenSuSE? ;)
Peter, thanks for the report; first, I'd like to note that the profiles
in /etc/apparmor/profiles/extras are of varying quality -- they aren't
turned on by default for a reason :)
That said, you have indeed found a bug in AppArmor in openSUSE 10.2.
Hopefully the next kernel update provided by SUSE for 10.2 will include
the patch for apparmor necessary to properly report the new
capabilities. (The capabilities are CAP_AUDIT_CONTROL and
CAP_AUDIT_WRITE, described in capabilities(7).)
You can _try_ adding "capability audit_control," and "capability
audit_write," to your sshd profile and reload; I have a vague recollection
that we may have had the parser-side support for these new capabilities
in time for 10.2.
(If that doesn't work, then you can try to use our packages provided on
the openSUSE build service; I'll look up the URLs for that tomorrow
morning when I'm on a less annoying connection. :)