[Apparmor-general] Apparmor-general

Sat Jan 19 16:00:27 MST 2008

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Carlos E. R. wrote:
> 
> 
> Hi,
> 
> In the audit log I see this message, repeated several times:
> 
> DENIED msg=audit(1199356965.768:7):  type=1503
> operation="inode_permission" requested_mask="r" denied_mask="mrwiuplk"
> pid=4946 profile="/usr/sbin/nscd"
> 
> This message causes the yast apparmour wizard to crash, with "unknown
> mask mrwiuplk". This has been reported as Bug 349942 to bugzilla, and I
> hope will be solved one of these months :-)

well yes hopefully.  I am sorry to say I am way behind on my bugzilla
but this is a new one to me as it hit someone else.  Sadly it is
multiple bugs in one.  The kernel shouldn't be reporting "mrwiuplk",
and the wizard shouldn't be crashing on unknown input.

The kernel bug causing this has been fixed but I need to submit it so it
can be rolled out for and be made available in an update.

> 
> What I want to ask here is how should I change the "/usr/sbin/nscd"
> profile so that the message doesn't pop (and the permission is granted,
> obviously). As the wizard can't handle it, I don't see how to add that
> permission easily.
> 
Ugh, well I can tell you permission you want is "r", the problem is I
can't tell you what to add.  Notice this audit message is missing a name
component.  That is because the name lookup failed, and the kernel side
portion of the bug was with reporting a failed name lookup.  Either the
pathname was to long, your machine is/was really tight on memory and
couldn't allocate a buffer for the pathname or it was lazily unmounted
in a race window making it impossible to retrieve the path.

I am going to bet it wasn't running out of memory because you would have
seen many other problems if the kernel had run out of memory.

That either leaves the path being to long, the default is 2*PATH_MAX so
about a 2k long path.  From an unconfined root shell you can change the
apparmor maxpath name size to 4K (or any larger value) by doing

echo 4096 > /sys/module/apparmor/parameters/path_max

If this is a reoccuring problem my bet would be its a really long path
other wise you are dealing with something that was lazily unmounted, and
that is feature yet to be implemented.

> 
> On a side question: How do I translate the date-stamp 1199356965.768 to
> some thing intelligible by humans? So that I can correlate the log entry
> to the rest of the system logs.
> 
its unix epoche time and you can use a web site
http://www.epochconverter.com/

which gives
GMT: Thu, 03 Jan 2008 10:42:45 GMT
Your timezone: Thu 03 Jan 2008 02:42:45 AM PST

or some any of the solutions from here (quick google search and there
are even more examples)
http://www.unix.com/shell-programming-scripting/21580-convert-standard-epoch-time-shell-script.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4-svn0 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFHkoEKi/GH5xuqKCcRAmriAKCRw7M7jStYHiGybBg0JYUmsLJ6UwCgpbrZ
Ca2EuNa6L0i4apj7oxYmxPE=
=qnES
-----END PGP SIGNATURE-----