Apparmor genprof throwing error (Can't find rsyslog.d)



nminter
28-Apr-2015, 01:53
As per title AA genprof is throwing the following error:



ip-10-0-0-200:~ # aa-genprof /usr/sbin/sshd

Can't find include file rsyslog.d: No such file or directory


Running strace against this shows that the folder "/etc/apparmor.d/rsyslog.d" can't be found.



open("/etc/apparmor.d/rsyslog.d", O_RDONLY) = -1 ENOENT (No such file or directory)


This is looking to be missing folders from the AA install, has anyone else experienced this or is anyone able to test this on a local SLES machine?

This is a SLES 12 machine running on AWS.

AA software installed:



S | Name | Summary | Type
--+------------------------------+---------------------------------------------------------------------+-----------
i | apache2-mod_apparmor | AppArmor module for apache2 | package
| apparmor | AppArmor userlevel parser utility | srcpackage
i | apparmor | AppArmor | pattern
i | apparmor-docs | AppArmor Documentation package | package
i | apparmor-parser | AppArmor userlevel parser utility | package
i | apparmor-profiles | AppArmor profiles that are loaded into the apparmor kernel module | package
i | apparmor-utils | AppArmor User-Level Utilities Useful for Creating AppArmor Profiles | package
| libapparmor-devel | Development headers and libraries for libapparmor | package
i | libapparmor1 | Utility library for AppArmor | package
| libapparmor1-32bit | Utility library for AppArmor | package
| pam_apparmor | PAM module for AppArmor change_hat | package
| pam_apparmor-32bit | PAM module for AppArmor change_hat | package
i | patterns-sles-apparmor | AppArmor | package
| patterns-sles-apparmor-32bit | AppArmor | package
i | perl-apparmor | Perl interface for libapparmor functions | package
i | yast2-apparmor | YaST2 - Plugins for AppArmor Profile Management | package

smflood
28-Apr-2015, 11:04
On 28/04/2015 01:54, nminter wrote:

> As per title AA genprof is throwing the following error:
>
>
> Code:
> --------------------
>
> ip-10-0-0-200:~ # aa-genprof /usr/sbin/sshd
>
> Can't find include file rsyslog.d: No such file or directory
>
> --------------------

On my test SLES12 server when I run the above command I get
"/usr/bin/sshd does not exist, please double-check the path."

Perhaps you meant "aa-genprof /usr/sbin/ssh" which then gives the above
rsyslog.d error message?

> Running strace against this shows that the folder
> "/etc/apparmor.d/rsyslog.d" can't be found.
>
>
> Code:
> --------------------
>
> open("/etc/apparmor.d/rsyslog.d", O_RDONLY) = -1 ENOENT (No such file or directory)
>
> --------------------

On my test SLES12 server /etc/apparmor.d/rsyslog.d doesn't exist but
/etc/apparmor/profiles/extras/rsyslog.d does (as does /etc/rsyslog.d).

> This is looking to be missing folders from the AA install, has anyone
> else experienced this or is anyone able to test this on a local SLES
> machine?
>
> This is a SLES 12 machine running on AWS.
>
> AA software installed:
>
>
> Code:
> --------------------
>
> S | Name | Summary | Type
> --+------------------------------+---------------------------------------------------------------------+-----------
> i | apache2-mod_apparmor | AppArmor module for apache2 | package
> | apparmor | AppArmor userlevel parser utility | srcpackage
> i | apparmor | AppArmor | pattern
> i | apparmor-docs | AppArmor Documentation package | package
> i | apparmor-parser | AppArmor userlevel parser utility | package
> i | apparmor-profiles | AppArmor profiles that are loaded into the apparmor kernel module | package
> i | apparmor-utils | AppArmor User-Level Utilities Useful for Creating AppArmor Profiles | package
> | libapparmor-devel | Development headers and libraries for libapparmor | package
> i | libapparmor1 | Utility library for AppArmor | package
> | libapparmor1-32bit | Utility library for AppArmor | package
> | pam_apparmor | PAM module for AppArmor change_hat | package
> | pam_apparmor-32bit | PAM module for AppArmor change_hat | package
> i | patterns-sles-apparmor | AppArmor | package
> | patterns-sles-apparmor-32bit | AppArmor | package
> i | perl-apparmor | Perl interface for libapparmor functions | package
> i | yast2-apparmor | YaST2 - Plugins for AppArmor Profile Management | package
>
> --------------------

On my test SLES12 server I have the rsyslog package installed which
creates both the directories /etc/apparmor/profiles/extras/rsyslog.d and
/etc/rsyslog.d but not /etc/apparmor.d/rsyslog.d.

Ah, it seems there's a problem with
/etc/apparmor/profiles/extras/usr.sbin.rsyslogd which has "#include
<rsyslog.d>" which causes AppArmor to try loading from
/etc/apparmor.d/rsyslog.d. Bug #925512 has already been logged with a
fix in progress.

HTH.
--
Simon
SUSE Knowledge Partner

------------------------------------------------------------------------
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below. Thanks.
------------------------------------------------------------------------
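
Added example, not part of the original thread: a shell check for the condition described above, listing every angle-bracket include in a set of profile directories whose target does not exist under the include base directory. It assumes such includes resolve relative to that base directory (/etc/apparmor.d in the strace output above); the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Report "#include <name>" directives whose target is missing.
# Usage: missing_includes BASE_DIR PROFILE_DIR...
missing_includes() {
    base=$1; shift
    # -r recurse, -H always print the file name, -E extended regex
    grep -rHE '^[[:space:]]*#?include[[:space:]]+<[^>]+>' "$@" 2>/dev/null |
    while IFS= read -r hit; do
        file=${hit%%:*}    # path before the first ':' (assumes no ':' in paths)
        name=$(printf '%s\n' "$hit" | sed -E 's/^[^<]*<([^>]+)>.*/\1/')
        # Angle-bracket includes are looked up relative to the base directory
        [ -e "$base/$name" ] ||
            printf '%s: <%s> -> %s/%s missing\n' "$file" "$name" "$base" "$name"
    done
}

# Constructed sample tree mirroring the layout in the thread (not real system files):
# an "extras" profile that includes <rsyslog.d>, and a base dir that lacks it.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/apparmor.d/abstractions" "$root/apparmor.d/tunables" \
             "$root/extras/rsyslog.d"
    : > "$root/apparmor.d/abstractions/base"
    : > "$root/apparmor.d/tunables/global"
    printf '%s\n' '#include <tunables/global>' '/usr/sbin/rsyslogd {' \
        '  #include <abstractions/base>' '  #include <rsyslog.d>' '}' \
        > "$root/extras/usr.sbin.rsyslogd"
    printf '%s\n' "$root"
}

tree=$(make_sample_tree)
missing_includes "$tree/apparmor.d" "$tree/apparmor.d" "$tree/extras"
rm -rf "$tree"
```

On the system from this thread the equivalent call would be `missing_includes /etc/apparmor.d /etc/apparmor.d /etc/apparmor/profiles/extras`.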

nminter
29-Apr-2015, 00:43
> On my test SLES12 server when I run the above command I get
> "/usr/bin/sshd does not exist, please double-check the path."
>
> Perhaps you meant "aa-genprof /usr/sbin/ssh" which then gives the above
> rsyslog.d error message?


I thought I had put sbin rather than bin in that command?



> Ah, it seems there's a problem with
> /etc/apparmor/profiles/extras/usr.sbin.rsyslogd which has "#include
> <rsyslog.d>" which causes AppArmor to try loading from
> /etc/apparmor.d/rsyslog.d. Bug #925512 has already been logged with a
> fix in progress.


Excellent, hopefully a fix won't be too far off then.

I'm new to SLES, is there a bug tracker where I can keep an eye on the progress of the bugfix?

smflood
29-Apr-2015, 17:18
On 29/04/2015 00:44, nminter wrote:

> I thought I had put sbin rather than bin in that command?

Oops sorry my bad, yes you did and that command also gives me the same
error.

> Excellent, hopefully a fix won't be too far off then.

Hopefully not. I'll update this thread when it's available.

> I'm new to SLES, is there a bug tracker where I can keep an eye on the
> progress of the bugfix?

SUSE's bug tracker is @ bugzilla.suse.com but not all bugs (or all
details of individual bugs) are public and you need to be authorised to
see all/some details.

HTH.
--
Simon
SUSE Knowledge Partner


nminter
30-Apr-2015, 01:21
Thanks Simon, I found SUSE bugzilla setup after a bit of a search and noted that I couldn't see the details on the bug reference.

Just a waiting game from here then.

nminter
06-May-2015, 04:20
For anyone else that is having this issue in a new system, adding a basic profile to /etc/apparmor/usr.sbin.sshd will allow you to use aa-genprof to profile sshd.

Example base profile:



# Last Modified: Wed May 6 12:41:39 2015
#include <tunables/global>

/usr/sbin/sshd {
  #include <abstractions/base>

  /usr/sbin/sshd mr,

}


This should also work for any other programs complaining about the rsyslogd dependency.