View Full Version : Problem with pam_apparmor

22-May-2012, 19:15
we have implemented some rbac features using pam_apparmor. This works great with SLES 11SP1 (apparmor 2.3) but fails with SLES 11SP2 (apparmor 2.5.1).

Looking at /var/log/audit/audit.log, I get the following messages:
type=AVC msg=audit(1337709758.374:328): apparmor="KILLED" operation="change_hat" parent=6121 profile="/usr/sbin/sshd//root" pid=6719 comm="sshd" target="/usr/sbin/sshd//root"
type=AVC msg=audit(1337709781.458:329): apparmor="DENIED" operation="change_hat" info="unconfined" error=-1 pid=6722 comm="cron"
type=AVC msg=audit(1337709781.458:330): apparmor="DENIED" operation="change_hat" info="unconfined" error=-1 pid=6722 comm="cron"

Some googling tells me the apparmor="DENIED" messages are superfluous messages that can be ignored.

On the other hand, the apparmor="KILLED" message has absolutely no match in google (even if I limit the search to that term alone). I noticed an updated kernel (3.0.26-0.7-default), which I installed, but it did not help.

I am about to look at the kernel code itself to get a better idea of what is going on, but I would appreciate if anyone has an idea about it!

Automatic reply
31-May-2012, 13:30

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

Has your issue been resolved? If not, you might try one of the following options:

- Visit http://www.suse.com/support and search the knowledgebase and/or check all
the other support options available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.suse.com)

Be sure to read the forum FAQ about what to expect in the way of responses:

If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.

Good luck!

Your SUSE Forums Team

19-Jun-2012, 14:36
This has been resolved

Just so everyone knows what went wrong, it is because starting at SLES 11 SP2 (and OpenSuse 11.4 - I did not test prior versions), the pam_apparmor rpm has a postinstall script that does the following:
pam-config -a --apaprmor
pam-config --update

This has the effect of adding the pam_apparmor.so library in /etc/pam.d/common-session, while I was adding it myself to /etc/pam.d/sshd.

It would appear that pam does not like to load the same library twice.

Removing the lines in common-session fix the problem. I know the usage of pam_apparmor is very limited worldwide, but thanks anyways to everyone who looked at my post and thought about my issue!