[Apparmor-general] problem with profiling sshd under OpenSuSE 10.2
ps
ps at icpnet.pl
Mon Feb 5 10:25:19 MST 2007
Seth Arnold wrote:
> On Sat, Feb 03, 2007 at 11:18:02PM +0100, ps wrote:
>> Hello
>> I have recently spent a few days playing with AppArmor on my OpenSuSE 10.2
>> box. I wanted to create an AppArmor profile for my ssh server. I transferred
>> the usr.sbin.sshd file which is shipped with OpenSuSE 10.2 to /etc/apparmor.d.
>> I reloaded AppArmor (command: rcapparmor restart) and started the ssh server.
>> It seemed OK but when I tried to log in I saw some log trails in
>> /var/log/audid/audit.log:
>>
>> type=APPARMOR msg=audit(1170534772.421:7743): REJECTING access to
>> capability 'invalid-capability' (sshd(18736) profile /usr/sbin/sshd
>> active /usr/sbin/sshd)
> ...
>> Can anyone explain to me what is wrong with this standard profile shipped
>> with OpenSuSE 10.2, or is there a bug in the AppArmor implementation in the
>> newest OpenSuSE? ;)
>
> Peter, thanks for the report; first, I'd like to note that the profiles
> in /etc/apparmor/profiles/extras are of varying quality -- they aren't
> turned on by default for a reason :)
>
> That said, you have indeed found a bug in AppArmor in openSUSE 10.2.
> Hopefully the next kernel update provided by SUSE for 10.2 will include
> the patch for apparmor necessary to properly report the new
> capabilities. (The capabilities are CAP_AUDIT_CONTROL and
> CAP_AUDIT_WRITE, described in capabilities(7).)
>
> You can _try_ adding "capability audit_control," and "capability
> audit_write," to your sshd profile and reload; I have a vague recollection
> that we may have had the parser-side support for these new capabilities
> in time for 10.2.
>
> (If that doesn't work, then you can try to use our packages provided on
> the openSUSE build service; I'll look up the URLs for that tomorrow
> morning when I'm on a less annoying connection. :)
Hello Seth
Thanks for your answer. Late this evening I will check your advice.
I will write some notes about the results.
Best regards
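As an added illustration (not code from the thread or from the AppArmor project): a small parser for the `REJECTING access to capability` audit lines quoted above, which collapses them into the `capability X,` rules Seth describes and separately counts `'invalid-capability'` entries, which cannot be turned into a rule because the kernel failed to name the capability. The log lines below are constructed; only the first is the one from the report.

```python
import re

# Constructed sample audit log. The first line is the one quoted in the
# report (joined onto one line); the others are made up to show how
# ordinary capability rejections for the same profile would parse.
SAMPLE_AUDIT_LOG = """\
type=APPARMOR msg=audit(1170534772.421:7743): REJECTING access to capability 'invalid-capability' (sshd(18736) profile /usr/sbin/sshd active /usr/sbin/sshd)
type=APPARMOR msg=audit(1170534772.500:7744): REJECTING access to capability 'sys_chroot' (sshd(18736) profile /usr/sbin/sshd active /usr/sbin/sshd)
type=APPARMOR msg=audit(1170534772.600:7745): REJECTING access to capability 'sys_chroot' (sshd(18736) profile /usr/sbin/sshd active /usr/sbin/sshd)
type=APPARMOR msg=audit(1170534772.700:7746): REJECTING access to capability 'setuid' (sshd(18737) profile /usr/sbin/sshd active /usr/sbin/sshd)
"""

# Matches the old-style (pre-audit-subsystem) AppArmor capability denial line.
CAP_REJECT_RE = re.compile(
    r"type=APPARMOR msg=audit\((?P<ts>[\d.]+):\d+\): "
    r"REJECTING access to capability '(?P<cap>[^']+)' "
    r"\((?P<comm>\S+)\((?P<pid>\d+)\) profile (?P<profile>\S+) active (?P<active>\S+)\)"
)


def parse_capability_rejections(text):
    """Return one dict (ts, cap, comm, pid, profile, active) per matching line."""
    events = []
    for line in text.splitlines():
        m = CAP_REJECT_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def suggest_capability_rules(events, profile):
    """Collapse the rejections seen for `profile` into the sorted set of
    'capability X,' rules that would permit them.

    'invalid-capability' is not turned into a rule: it means the kernel did not
    recognise the capability number (the 10.2 bug discussed in the thread), so
    it is only counted, for a human to map to the real name (e.g. audit_write)
    with the help of capabilities(7)."""
    rules = set()
    unresolved = 0
    for ev in events:
        if ev["profile"] != profile:
            continue
        if ev["cap"] == "invalid-capability":
            unresolved += 1
        else:
            rules.add(f"capability {ev['cap']},")
    return sorted(rules), unresolved
```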