Proper permissions not set for directory '/etc/apparmor.d/' at install/upgrade time

Bug #2026666 reported by Jagatguru Prasad Mishra
This bug affects 1 person
Affects     Status        Importance   Assigned to               Milestone
StarlingX   Fix Released  Low          Jagatguru Prasad Mishra

Bug Description

Brief Description
-----------------
While updating AppArmor profiles using aa-logprof, a permission denied error is thrown as follows:
[sysadmin@controller-0 apparmor.d(keystone_admin)]$ aa-logprof -f <(sed 's/kernel: notice/kernel:/' < /var/log/kern.log)
Reading log entries from /dev/fd/63.
Updating AppArmor profiles in /etc/apparmor.d.
......
PermissionError: [Errno 13] Permission denied: '/etc/apparmor.d/tmp8j1fe3nv~'
An unexpected error occoured!

Severity
--------
Minor

Steps to Reproduce
------------------
1. Use apparmor_parser to load an empty profile (deny everything) in complain mode:

        #include <tunables/global>

        profile nginx-profile flags=(attach_disconnected, complain) {
          #include <abstractions/base>
        }
2. Attach the profile to the pod and perform the desired operations.
3. Use aa-logprof to update the profile.

Expected Behavior
------------------
User should be able to save the updated profile in /etc/apparmor.d directory

Actual Behavior
----------------
Permission denied error as follows after running aa-logprof:
PermissionError: [Errno 13] Permission denied: '/etc/apparmor.d/tmp8j1fe3nv~'
An unexpected error occoured!

Reproducibility
---------------
100%

System Configuration
--------------------
NA

Branch/Pull Time/Commit
-----------------------
NA

Last Pass
---------
NA

Timestamp/Logs
--------------
////////////////////////
[sysadmin@controller-0 apparmor.d(keystone_admin)]$ aa-logprof -f <(sed 's/kernel: notice/kernel:/' < /var/log/kern.log)
Reading log entries from /dev/fd/63.
Updating AppArmor profiles in /etc/apparmor.d.

Profile: nginx-profile
Execute: /usr/bin/find
Severity: 5

(I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish
Complain-mode changes:

Profile: nginx-profile
Path: /docker-entrypoint.sh
New Mode: owner r
Severity: unknown

 [1 - owner /docker-entrypoint.sh r,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish
Adding owner /docker-entrypoint.sh r, to profile.
Enforce-mode changes:

= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?

 [1 - nginx-profile]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
Writing updated profile for nginx-profile.
Traceback (most recent call last):
  File "/usr/sbin/aa-logprof", line 50, in <module>
    apparmor.do_logprof_pass(logmark)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 1836, in do_logprof_pass
    save_profiles()
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 1908, in save_profiles
    write_profile_ui_feedback(profile_name)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2970, in write_profile_ui_feedback
    write_profile(profile, is_attachment)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2981, in write_profile
    newprof = tempfile.NamedTemporaryFile('w', suffix='~', delete=False, dir=profile_dir)
  File "/usr/lib/python3.9/tempfile.py", line 680, in NamedTemporaryFile
    (fd, name) = _mkstemp_inner(dir, prefix, suffix, flags, output_type)
  File "/usr/lib/python3.9/tempfile.py", line 390, in _mkstemp_inner
    fd = _os.open(file, flags, 0o600)
PermissionError: [Errno 13] Permission denied: '/etc/apparmor.d/tmp8j1fe3nv~'

An unexpected error occoured!

For details, see /tmp/apparmor-bugreport-y_xinc21.txt
Please consider reporting a bug at https://bugs.launchpad.net/apparmor/
and attach this file.
/////////////////

Test Activity
-------------
NA

Workaround
----------
The user should run the command below before executing aa-logprof:
sudo setfacl -m g:sys_protected:rwx /etc/apparmor.d/
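A preflight check for the failure described above, added here as an example; it is not part of the bug report, of AppArmor, or of StarlingX. The traceback shows that aa-logprof saves a profile by creating a brand-new temporary file inside the profile directory (tempfile.NamedTemporaryFile with dir=profile_dir), so what has to hold is that the invoking user can create entries in /etc/apparmor.d itself, not merely write to the existing profile file. The script below prints the directory's owner, group, mode and ACL and then attempts the same kind of file creation. The function names, the default path and the temp-file template are this example's own choices (the `~` suffix aa-logprof uses is omitted so the template is accepted by both GNU and BusyBox mktemp).

```bash
#!/bin/sh
# Added example, not code from the bug report, AppArmor or StarlingX.
# Preflight check for the step where aa-logprof fails: it must be able to
# create a new file directly in the profile directory when saving.

# Print owner, group and mode of DIR, plus its ACL when getfacl is available.
# A plain `ls -ld` only shows a trailing '+' when an ACL exists; getfacl shows
# which group (e.g. sys_protected after the workaround) was actually granted.
apparmor_dir_show() {
    dir=$1
    stat -c 'dir=%n owner=%U group=%G mode=%a' "$dir" || return 1
    if command -v getfacl >/dev/null 2>&1; then
        getfacl -p "$dir" 2>/dev/null | grep -v '^#' || true
    fi
}

# Return 0 if the current user can create (and remove) a temporary file in
# DIR, 1 otherwise. This mirrors tempfile.NamedTemporaryFile(dir=DIR): the
# check is on the directory's write+search permission, not on any profile.
apparmor_dir_writable() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    tmp=$(mktemp "$dir/tmp.XXXXXXXX" 2>/dev/null) || return 1
    rm -f "$tmp"
    return 0
}

# Combined preflight to run before aa-logprof (default: /etc/apparmor.d).
# Exit status 0 means aa-logprof will be able to write the updated profile.
apparmor_dir_preflight() {
    dir=${1:-/etc/apparmor.d}
    apparmor_dir_show "$dir" || return 1
    if apparmor_dir_writable "$dir"; then
        echo "ok: $(id -un) can create files in $dir"
    else
        echo "FAIL: $(id -un) cannot create files in $dir;" \
             "aa-logprof will hit EACCES when saving the profile" >&2
        return 1
    fi
}

# Usage:
#   apparmor_dir_preflight            # checks /etc/apparmor.d
#   apparmor_dir_preflight /some/dir  # checks another profile directory
```

Run it as the same unprivileged user that will run aa-logprof (sysadmin in the report), not via sudo: root passes the directory check regardless of mode and ACL, so a root run says nothing about the case that fails here. If the check reports FAIL and `ls -ld /etc/apparmor.d` shows a `+` after the mode bits, an ACL is present and the getfacl output names the group it grants; after the workaround above, a `group:sys_protected:rwx` entry appears and the check passes for members of that group.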

Changed in starlingx:
assignee: nobody → Jagatguru Prasad Mishra (jmishra)
Revision history for this message
Ghada Khalil (gkhalil) wrote (last edit ):
Changed in starlingx:
importance: Undecided → Low
status: New → In Progress
tags: added: stx.9.0 stx.config
tags: added: stx.security
Ghada Khalil (gkhalil)
Changed in starlingx:
status: In Progress → Fix Released