[Apparmor-general] problem with profiling sshd under OpenSuSE 10.2
John Johansen
jjohansen at suse.de
Tue Feb 6 09:14:34 MST 2007
On Tue, Feb 06, 2007 at 01:14:41PM +0100, ps wrote:
> I have read what you wrote and I'm not sure if I understand you
> correctly. This log trail which I have found in audit.log:
> "type=APPARMOR msg=audit(1170534772.421:7743): REJECTING access to
> capability 'invalid-capability' (sshd(18736) profile /usr/sbin/sshd
> active /usr/sbin/sshd)"
> means that there is an unknown capability in the OpenSuSE 10.2 kernel?
Not quite. The capability is known, but the apparmor module was missing
the strings to correctly report the two audit capabilities. So
cap audit_write and audit_control get reported as 'invalid-capability',
but the kernel and the apparmor module enforce them correctly.
> some part of apparmor (parser) is incomplete and doesn't recognize all
> available capabilities supported by kernel 2.6.18.2-34-default?
Incomplete, yes: it can't report them correctly, but it does recognize them.
>
> > Most likely sshd desires the audit_write capability to write an
> > authentication audit record. audit_control should only be needed by
> > auditd, auditctl, and possibly other audit tools, if my reading of a
> > recent capabilities(7) manpage conforms to reality.
> I tried the audit_write capability in the sshd profile but it didn't work.
> I couldn't log in (I got: "connection close") and I received in audit.log:
> "type=APPARMOR msg=audit(1170763864.445:24): REJECTING access to
> capability 'invalid-capability' (sshd(7773) profile /usr/sbin/sshd
> active /usr/sbin/sshd)"
>
> It means that adding this capability doesn't help and is not what sshd
> wants(?)
>
It would seem so. Did you try audit_control? sshd shouldn't need
it, but that doesn't stop developers from trying to use it.
There are 2 capabilities that apparmor was missing the strings to
report correctly. All other capability requests should be reported
correctly.
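The practical problem in this thread is that a REJECTING line naming 'invalid-capability' cannot be taken at face value: per the reply above it stands for either audit_write or audit_control. The script below is an added example, not part of the original thread or of AppArmor itself; it parses the old-style (2007-era) AppArmor audit records quoted in the thread, maps 'invalid-capability' to both candidate capabilities, and emits the `capability ...,` profile rules to try. The sample log mixes the two lines from the thread with two constructed records (a normally-named capability and an unrelated USER_AUTH event) so the filter and the name mapping can both be exercised offline. The regex and the rule-suggestion logic are assumptions about that log format, not an AppArmor-supplied parser.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumed pattern for the old AppArmor audit syntax quoted in the thread:
#   type=APPARMOR msg=audit(<ts>:<serial>): REJECTING access to capability
#   '<cap>' (<comm>(<pid>) profile <profile> active <active>)
REJECT_RE = re.compile(
    r"type=APPARMOR msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"REJECTING access to capability '(?P<cap>[^']+)' "
    r"\((?P<comm>[^()]+)\((?P<pid>\d+)\) "
    r"profile (?P<profile>[^\s)]+) active (?P<active>[^\s)]+)\)"
)

# Per the reply: the module lacked name strings for exactly these two
# capabilities, so either one is logged as 'invalid-capability'.
UNNAMED_CAPS = ("audit_write", "audit_control")


@dataclass
class CapReject:
    ts: float
    serial: int
    cap: str
    comm: str
    pid: int
    profile: str
    active: str

    @property
    def candidates(self) -> List[str]:
        """Capabilities this record could actually be about."""
        if self.cap == "invalid-capability":
            return list(UNNAMED_CAPS)
        return [self.cap]

    def profile_rules(self) -> List[str]:
        """AppArmor profile lines to try for this rejection."""
        return [f"capability {c}," for c in self.candidates]


def parse_line(line: str) -> Optional[CapReject]:
    """Return a CapReject for a capability REJECTING record, else None."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    return CapReject(
        ts=float(m["ts"]), serial=int(m["serial"]), cap=m["cap"],
        comm=m["comm"], pid=int(m["pid"]),
        profile=m["profile"], active=m["active"],
    )


def parse_log(lines: Iterable[str]) -> List[CapReject]:
    """Keep only capability rejections; other audit records are skipped."""
    return [r for r in (parse_line(l) for l in lines) if r is not None]


def suggested_rules(rejects: Iterable[CapReject]) -> Dict[str, List[str]]:
    """Deduplicated profile rules to try, grouped by profile name."""
    rules: Dict[str, set] = {}
    for r in rejects:
        rules.setdefault(r.profile, set()).update(r.profile_rules())
    return {p: sorted(s) for p, s in rules.items()}


# Constructed sample: the first two lines are the ones quoted in the thread
# (joined onto one line each); the last two are made up for this example.
SAMPLE_LOG = [
    "type=APPARMOR msg=audit(1170534772.421:7743): REJECTING access to "
    "capability 'invalid-capability' (sshd(18736) profile /usr/sbin/sshd "
    "active /usr/sbin/sshd)",
    "type=APPARMOR msg=audit(1170763864.445:24): REJECTING access to "
    "capability 'invalid-capability' (sshd(7773) profile /usr/sbin/sshd "
    "active /usr/sbin/sshd)",
    "type=APPARMOR msg=audit(1170763870.001:25): REJECTING access to "
    "capability 'sys_chroot' (sshd(7773) profile /usr/sbin/sshd "
    "active /usr/sbin/sshd)",
    "type=USER_AUTH msg=audit(1170763870.002:26): user pid=7773 uid=0 "
    "msg='op=PAM:authentication acct=\"root\"'",
]

if __name__ == "__main__":
    for r in parse_log(SAMPLE_LOG):
        print(f"{r.comm}({r.pid}) profile {r.profile}: {r.cap} -> {r.candidates}")
    for profile, lines in suggested_rules(parse_log(SAMPLE_LOG)).items():
        print(f"\nrules to try in the {profile} profile:")
        for line in lines:
            print("  " + line)
```

Because the reply says sshd reportedly still failed with audit_write alone, the mapping deliberately returns both audit capabilities for every 'invalid-capability' record rather than guessing one; the operator adds the rules, reloads the profile, and removes whichever the next log run shows was unnecessary.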