[Apparmor-general] problem with profiling sshd under OpenSuSE 10.2

ps ps at icpnet.pl
Tue Feb 6 05:14:41 MST 2007


Steve Beattie wrote:
> On Mon, Feb 05, 2007 at 02:32:56PM -0800, Seth Arnold wrote:
>> On Sun, Feb 04, 2007 at 09:06:10PM -0800, Seth Arnold wrote:
>>> (If that doesn't work, then you can try to use our packages provided on
>>> the openSUSE build service; I'll look up the URLs for that tomorrow
>>> morning when I'm on a less annoying connection. :)
>> http://software.opensuse.org/download/home:/steve-beattie/openSUSE-10.2/home:steve-beattie.repo
>>
>> This provides 'factory'-ish packages rebuilt on older distributions; we
>> have our apache module, the parser, libapparmor, pam_apparmor, docs,
>> profiles, utilities, and the yast interface, all packaged here.
> 
> The apparmor packages in openSUSE's buildservice above come close to
> tracking the head of our svn tree; it's not automated, but I do try to
> push updates frequently. Eventually, I'm hoping to have the project move
> to something like Security/AppArmor_svn (instead of home:/steve-beattie).
> 
> (I also think it'd be handy to have an apparmor KMP package for the
> module, to ease testing new features and bugfixes.)
> 
>> You can _try_ kernels from the Kernel of the Day:
>> ftp://ftp.suse.com/pub/projects/kernel/kotd/sle10-sp-i386/SLES10_SP1_BRANCH
>>
>> (I -think- that only the SLE 10 SP1 beta kernels have the capabilities,
>> but perhaps I've missed the checkin notice for our 10.3 kernel branch.)
> 
> Note that the kernel update is only needed to get correct _reporting_ of
> the capability; if the parser is updated to support the new capabilities,
> kernels+modules from 2.6.11ish will support _mediating_ the audit_write
> and audit_control capabilities.
> 
Hello Steve,
I have read what you wrote and I'm not sure if I understand you
correctly. This log entry, which I found in audit.log:
"type=APPARMOR msg=audit(1170534772.421:7743): REJECTING access to
capability 'invalid-capability' (sshd(18736) profile /usr/sbin/sshd
active /usr/sbin/sshd)"
means that there is an unknown capability in the openSUSE 10.2 kernel?
On my linux box:
"pacer:/etc/apparmor.d # uname -a
Linux pacer 2.6.18.2-34-default #1 SMP Mon Nov 27 11:46:27 UTC 2006 i686
i686 i386 GNU/Linux"

or

some part of apparmor (the parser) is incomplete and doesn't recognize all
available capabilities supported by kernel 2.6.18.2-34-default?


> Most likely sshd desires the audit_write capability to write an
> authentication audit record. audit_control should only be needed by
> auditd, auditctl, and possibly other audit tools, if my reading of a
> recent capabilities(7) manpage conforms to reality.
I tried the audit_write capability in the sshd profile but it didn't work.
I couldn't log in (I got: "connection close") and I received in audit.log:
"type=APPARMOR msg=audit(1170763864.445:24): REJECTING access to
capability 'invalid-capability' (sshd(7773) profile /usr/sbin/sshd
active /usr/sbin/sshd)"

It means that adding this capability doesn't help and is not what sshd
wants(?)

Thanks for your explanation :)
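
An added example, not part of the original message or of AppArmor's tooling: a small parser for the `REJECTING access to capability` records quoted above, which groups rejections by profile and flags the ones where the log shows only the placeholder `'invalid-capability'`. The third sample record and the function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Record layout as quoted in this thread (AppArmor on a 2.6.18 openSUSE kernel).
REJECT_RE = re.compile(
    r"type=APPARMOR msg=audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\): "
    r"REJECTING access to capability '(?P<cap>[^']+)' "
    r"\((?P<comm>[^()\s]+)\((?P<pid>\d+)\) "
    r"profile (?P<profile>\S+) active (?P<active>[^\s)]+)\)"
)

# Constructed sample: the two records from the thread (the first kept
# mail-wrapped) plus one constructed record with a named capability.
SAMPLE = """\
type=APPARMOR msg=audit(1170534772.421:7743): REJECTING access to
capability 'invalid-capability' (sshd(18736) profile /usr/sbin/sshd
active /usr/sbin/sshd)
type=APPARMOR msg=audit(1170763864.445:24): REJECTING access to capability 'invalid-capability' (sshd(7773) profile /usr/sbin/sshd active /usr/sbin/sshd)
type=APPARMOR msg=audit(1170763900.101:31): REJECTING access to capability 'net_bind_service' (httpd2-prefork(8001) profile /usr/sbin/httpd2-prefork active /usr/sbin/httpd2-prefork)
"""

def parse_rejections(text):
    """Return one dict per capability rejection found in text."""
    # Collapse all whitespace so records wrapped by a mail client still match.
    flat = " ".join(text.split())
    records = []
    for m in REJECT_RE.finditer(flat):
        rec = m.groupdict()
        rec["pid"] = int(rec["pid"])
        rec["time"] = datetime.fromtimestamp(int(rec["epoch"]), tz=timezone.utc)
        # The reply quoted in the thread says a kernel update is needed for
        # correct reporting of the newer capabilities; this placeholder means
        # the log alone does not say which capability was denied.
        rec["unnamed"] = rec["cap"] == "invalid-capability"
        records.append(rec)
    return records

def summarize(records):
    """Count rejections per (profile, capability) pair."""
    return Counter((r["profile"], r["cap"]) for r in records)

if __name__ == "__main__":
    for (profile, cap), n in summarize(parse_rejections(SAMPLE)).items():
        note = "  <- capability name not reported" if cap == "invalid-capability" else ""
        print(f"{n:3d}  {profile}  {cap}{note}")
```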
