[Apparmor-general] problem with profiling sshd under OpenSuSE 10.2
ps
ps at icpnet.pl
Wed Feb 7 10:19:35 MST 2007
John Johansen wrote:
> On Tue, Feb 06, 2007 at 01:14:41PM +0100, ps wrote:
>> I have read what you wrote and I'm not sure if I understand you
>> correctly. This log trail which I have found in audit.log:
>> "type=APPARMOR msg=audit(1170534772.421:7743): REJECTING access to
>> capability 'invalid-capability' (sshd(18736) profile /usr/sbin/sshd
>> active /usr/sbin/sshd)"
>> means that there is an unknown capability in the OpenSuSE 10.2 kernel?
> Not quite. The capability is known but the apparmor module was missing
> the strings to correctly report the two audit capabilities. So
> cap audit_write and audit_control get reported as 'invalid-capability',
> but the kernel and the apparmor module enforce them correctly.
>
>> some part of apparmor (parser) is incomplete and doesn't recognize all
>> available capabilities supported by kernel 2.6.18.2-34-default?
> Incomplete, yes: it can't report them correctly, but it does recognize them.
>
>>> Most likely sshd desires the audit_write capability to write an
>>> authentication audit record. audit_control should only be needed by
>>> auditd, auditctl, and possibly other audit tools, if my reading of a
>>> recent capabilities(7) manpage conforms to reality.
>> I tried the audit_write capability in the sshd profile but it didn't work.
>> I couldn't login (I got: "connection close") and I received in audit.log:
>> "type=APPARMOR msg=audit(1170763864.445:24): REJECTING access to
>> capability 'invalid-capability' (sshd(7773) profile /usr/sbin/sshd
>> active /usr/sbin/sshd)"
>>
>> It means that adding this capability doesn't help and is not what sshd
>> wants(?)
>>
> It would seem so, did you try audit_control? sshd shouldn't need
> it but that doesn't stop developers from trying to use it.
Hello John,
When I added the capability CAP_AUDIT_CONTROL and restarted apparmor,
everything seemed ok. Adding CAP_AUDIT_WRITE didn't work. I received the
same log trails as before.
>
> There are 2 capabilities that apparmor was missing the strings to
> report correctly. All other capability requests should be reported
> correctly.
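The thread's practical lesson is that on this kernel/module combination a REJECTING line naming 'invalid-capability' is ambiguous between audit_write and audit_control, and the profile has to be tested against both. The following parser is an added example, not code from the list or from the AppArmor project: it parses the REJECTING-capability lines in the format quoted above, expands the ambiguous name into its two candidates, and groups the resulting `capability ...,` profile rules per profile so a profile author can see what to try. The two sshd lines are taken from the thread; the third sample line (a `net_bind_service` denial) is constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Field layout of the AppArmor 2.x audit lines quoted in the thread.
LINE_RE = re.compile(
    r"type=APPARMOR msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"REJECTING access to capability '(?P<cap>[^']+)' "
    r"\((?P<comm>[^(]+)\((?P<pid>\d+)\) profile (?P<profile>\S+) active (?P<active>\S+)\)"
)

# Per John Johansen's reply, these two capabilities were enforced but
# reported under the placeholder name 'invalid-capability'.
PLACEHOLDER = "invalid-capability"
UNNAMED_AUDIT_CAPS = ("audit_write", "audit_control")

# Sample input: first two lines are from the thread, third is constructed.
SAMPLE_LOG = [
    "type=APPARMOR msg=audit(1170534772.421:7743): REJECTING access to "
    "capability 'invalid-capability' (sshd(18736) profile /usr/sbin/sshd "
    "active /usr/sbin/sshd)",
    "type=APPARMOR msg=audit(1170763864.445:24): REJECTING access to "
    "capability 'invalid-capability' (sshd(7773) profile /usr/sbin/sshd "
    "active /usr/sbin/sshd)",
    "type=APPARMOR msg=audit(1170763900.100:25): REJECTING access to "
    "capability 'net_bind_service' (sshd(7790) profile /usr/sbin/sshd "
    "active /usr/sbin/sshd)",  # constructed example line
]


@dataclass
class CapReject:
    timestamp: float
    serial: int
    capability: str  # name as reported by the kernel module
    comm: str
    pid: int
    profile: str
    active: str


def parse_line(line: str) -> Optional[CapReject]:
    """Parse one REJECTING-capability line; return None for other audit lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return CapReject(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        capability=m.group("cap"),
        comm=m.group("comm"),
        pid=int(m.group("pid")),
        profile=m.group("profile"),
        active=m.group("active"),
    )


def parse_log(lines: List[str]) -> List[CapReject]:
    return [r for r in (parse_line(l) for l in lines) if r is not None]


def candidate_caps(rec: CapReject) -> List[str]:
    """Expand the placeholder name into the capabilities it can stand for."""
    if rec.capability == PLACEHOLDER:
        return list(UNNAMED_AUDIT_CAPS)
    return [rec.capability]


def is_ambiguous(rec: CapReject) -> bool:
    return len(candidate_caps(rec)) > 1


def suggest_profile_rules(records: List[CapReject]) -> Dict[str, List[str]]:
    """Map each profile to the sorted, de-duplicated 'capability X,' rules
    that would cover its rejections. Ambiguous rejections contribute both
    candidates; the thread found that only audit_control was needed for
    sshd, so rules from ambiguous records should be tested one at a time."""
    rules: Dict[str, set] = {}
    for rec in records:
        for cap in candidate_caps(rec):
            rules.setdefault(rec.profile, set()).add(f"capability {cap},")
    return {prof: sorted(caps) for prof, caps in rules.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rec in recs:
        tag = "AMBIGUOUS" if is_ambiguous(rec) else "named"
        print(f"{rec.profile} pid={rec.pid} {rec.capability} [{tag}] -> {candidate_caps(rec)}")
    for prof, rule_list in suggest_profile_rules(recs).items():
        print(prof)
        for rule in rule_list:
            print("    " + rule)
```

Because the kernel enforces the real capability while the log only shows the placeholder, the suggested rules for an ambiguous record are a list to try, not a confirmed requirement; the thread's outcome (audit_control alone fixed sshd login) is exactly the kind of narrowing this output is meant to support.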