apparmor-profiles: nscd profile spams my logs

Bug #144383 reported by Laurent Bonnaud
Affects: apparmor (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

Package: apparmor-profiles
Version: 2.1+993-0ubuntu1

Hi,

running nscd generates many error messages such as these:

Sep 24 09:32:58 localhost kernel: [ 1513.888000] audit(1190619178.419:2220): type=1502 operation="file_mmap" requested_mask="mr" denied_mask="m" name="/etc/passwd" pid=5088 profile="/usr/sbin/nscd"
Sep 24 09:32:58 localhost kernel: [ 1513.888000] audit(1190619178.419:2221): type=1504 operation="ptrace" task=5045 parent=5088 pid=5088 profile="/usr/sbin/nscd"

To give you an idea of the problem, here is the number of messages I got just a few days after upgrading to gutsy:

# zgrep /usr/sbin/nscd /var/log/* | wc -l
182560

Mathias Gug (mathiaz)
Changed in apparmor:
importance: Undecided → Medium
status: New → Triaged
Kees Cook (kees) wrote :

apparmor (2.1+993-0ubuntu2) gutsy; urgency=low

  [ Mathias Gug ]
  * debian/control: Set maintainer to Ubuntu Core Developers.
  * utils/SubDomain.pm, utils/logprog.conf: refactor readprofiledir() to not
    fail on non-existing profile directory. Fixes LP: #141128.
  * debian/rules: don't compress profiles in doc/extras/.
  * utils/SubDomain.pm: Fix regex so that aa-logprof can find audit messages
    in syslog files. Fixes LP: #140508.
  * Update usr.sbin.nscd profile. Fixes LP: #144383.

  [ Kees Cook ]
  * abstractions/gnupg: drop bad attempt at general-purpose client rule.
  * abstractions/fonts: adjust for new syntax, add more local fonts paths.
  * abstractions/nameservice: add mmap permission to some /etc files.

 -- Kees Cook <email address hidden> Tue, 25 Sep 2007 10:23:29 -0700

Changed in apparmor:
status: Triaged → Fix Released
Laurent Bonnaud (laurent-bonnaud) wrote :

I am reopening this bug since after I upgraded to apparmor 2.1+993-0ubuntu2 only part of the problem is fixed:

 - the operation="file_mmap" messages do not appear any longer
 - the operation="ptrace" messages are still there:

[13738.636128] audit(1190992825.243:5): type=1504 operation="ptrace" task=10131 parent=10133 pid=10133 profile="/usr/sbin/nscd"
[13738.636143] audit(1190992825.243:6): type=1504 operation="ptrace" task=10131 parent=10133 pid=10133 profile="/usr/sbin/nscd"

and many more (105 messages).

Changed in apparmor:
status: Fix Released → Confirmed
Mathias Gug (mathiaz) wrote : Re: [Bug 144383] Re: apparmor-profiles: nscd profile spams my logs

On Fri, Sep 28, 2007 at 03:39:24PM -0000, Laurent Bonnaud wrote:
> - the operation="ptrace" messages are still there:
>
> [13738.636128] audit(1190992825.243:5): type=1504 operation="ptrace" task=10131 parent=10133 pid=10133 profile="/usr/sbin/nscd"

Correct. The message type is 1504, which is an AppArmor Hint message.
It's used by the log parser tools to generate profiles. As the profile
is in complain mode, it's supposed to generate that kind of message so
that a proper profile can be generated from the log messages.

Turning the profile into enforce mode may fix the messages.

 status triaged

--
Mathias

Changed in apparmor:
status: Confirmed → Triaged
John Johansen (jjohansen) wrote :

Mathias is correct, the hint messages are only emitted when a profile is in learning mode. Setting the profile to enforce mode will stop the hint messages.

Daniel Pittman (daniel-rimspace) wrote :

G'day. I subscribed to this bug because I have the same issue, and was hoping that a bit more light could be shed on this:

First, I installed apparmor-profiles as default from upstream and have made no configuration changes to any of the apparmor packages. I certainly didn't do anything to set the profile into "learning" or "enforcing" mode.

So, I have no idea what I should be doing now. Apparmor is installed by default and I have no idea how to set enforcing mode or if, as I suspect, someone should actually be using this hint to allow the ptrace activity -- it certainly seems to originate from the normal operation of nscd...

As a reasonably skilled systems admin who is not familiar with apparmor, what should I actually *do* about this situation?

Regards,
        Daniel

Kees Cook (kees) wrote :

Beyond uninstalling the apparmor-profiles package, there are two options to fix this, either set it to enforcing:

 sudo aa-enforce nscd

or, remove the profile:

 sudo rm /etc/apparmor.d/*.nscd
 sudo /etc/init.d/apparmor reload

Daniel Pittman (daniel-rimspace) wrote :

G'day Kees.

> Beyond uninstalling the apparmor-profiles package, there are two
> options to fix this, either set it to enforcing:
>
> sudo aa-enforce nscd
>
> or, remove the profile:
>
> sudo rm /etc/apparmor.d/*.nscd
> sudo /etc/init.d/apparmor reload

Great. Thank you.

Is it appropriate to do that for all future instances, or should I
report them into Launchpad first?

(In other words: are they interesting to the Ubuntu apparmor folks?)

Regards,
        Daniel

Kees Cook (kees) wrote :

Yes, please. In the process of improving the various profiles, we'd like to get feedback from any that misbehave. :)

Christian Holtje (docwhat) wrote :

Okay, I set this to aa-enforce and now I get these:

Aug 5 12:43:26 gerf kernel: [46914.231242] audit(1217954606.627:182785): type=1503 operation="inode_permission" requested_mask="rw::" denied_mask="rw::" name="/var/cache/nscd/passwd" pid=28046 profile="/usr/sbin/nscd" namespace="default"

Christian Holtje (docwhat) wrote :

To fix this, I modified /etc/apparmor.d/usr.sbin.nscd adding this line:
  /var/cache/nscd/{passwd,group,services,hosts} mrw,

above the /var/db/... line.

I then did:
/etc/init.d/apparmor reload
/etc/init.d/nscd restart

Ciao!
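
Added example, not part of any comment in this thread: a small triage script that parses the AppArmor audit lines quoted above, groups them per profile by record type, operation and path, and lists the paths whose requested access the profile lacks (the kind of entry that led to the /var/cache/nscd rule). The type names for 1501-1506 are taken from the kernel's linux/audit.h (the thread itself only names 1504 as a hint message), and the function names are hypothetical.

```python
import re
from collections import Counter

# AppArmor audit record types from linux/audit.h; the thread names only 1504.
AA_TYPES = {1501: "AUDIT", 1502: "ALLOWED", 1503: "DENIED",
            1504: "HINT", 1505: "STATUS", 1506: "ERROR"}

HEADER = re.compile(r'audit\((\d+\.\d+):(\d+)\):')
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="value"

# Log lines copied from the comments in this thread.
SAMPLE = [
    'Sep 24 09:32:58 localhost kernel: [ 1513.888000] audit(1190619178.419:2220): type=1502 operation="file_mmap" requested_mask="mr" denied_mask="m" name="/etc/passwd" pid=5088 profile="/usr/sbin/nscd"',
    'Sep 24 09:32:58 localhost kernel: [ 1513.888000] audit(1190619178.419:2221): type=1504 operation="ptrace" task=5045 parent=5088 pid=5088 profile="/usr/sbin/nscd"',
    '[13738.636128] audit(1190992825.243:5): type=1504 operation="ptrace" task=10131 parent=10133 pid=10133 profile="/usr/sbin/nscd"',
    'Aug 5 12:43:26 gerf kernel: [46914.231242] audit(1217954606.627:182785): type=1503 operation="inode_permission" requested_mask="rw::" denied_mask="rw::" name="/var/cache/nscd/passwd" pid=28046 profile="/usr/sbin/nscd" namespace="default"',
]

def parse(line):
    """Return the fields of one AppArmor audit line as a dict, or None."""
    m = HEADER.search(line)
    if not m:
        return None
    rec = {}
    for kv in KV.finditer(line, m.end()):
        rec[kv.group(1)] = kv.group(2) if kv.group(2) is not None else kv.group(3)
    if not rec.get("type", "").isdigit() or "profile" not in rec:
        return None
    rec["type"] = AA_TYPES.get(int(rec["type"]), rec["type"])
    return rec

def summarise(lines, profile):
    """Count one profile's records by (type, operation, name)."""
    counts = Counter()
    for rec in filter(None, map(parse, lines)):
        if rec["profile"] == profile:
            counts[(rec["type"], rec.get("operation", "-"), rec.get("name", "-"))] += 1
    return counts

def missing_access(lines, profile):
    """Map each path in an ALLOWED/DENIED record to the mask the profile lacks."""
    out = {}
    for rec in filter(None, map(parse, lines)):
        if rec["profile"] == profile and rec["type"] in ("ALLOWED", "DENIED") and "name" in rec:
            out[rec["name"]] = rec.get("denied_mask", "")
    return out

if __name__ == "__main__":
    for key, n in summarise(SAMPLE, "/usr/sbin/nscd").most_common():
        print(n, *key)
    print(missing_access(SAMPLE, "/usr/sbin/nscd"))
```

ALLOWED and HINT records indicate the profile was in complain (learning) mode when they were logged, DENIED records indicate enforce mode; each path returned by `missing_access` should be reviewed before a rule for it is added to the profile.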

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.3+1289-0ubuntu3

---------------
apparmor (2.3+1289-0ubuntu3) intrepid; urgency=low

  * add locking permission to /var/log/wtmp abstraction, thanks to
    Martin Pitt (LP: #253328).
  * utils/logprof.conf: repository updated for Intrepid (LP: #258818).
  * profiles/apparmor.d/usr.sbin.nscd: added cache directory (LP: #144383).
  * parser/rc.apparmor.functions: redirect stderr (LP: #244013).
  * parser/Makefile: blacklist "AF_ISDN".

 -- Kees Cook <email address hidden> Wed, 30 Jul 2008 09:29:03 -0700

Changed in apparmor:
status: Triaged → Fix Released