Proper permissions not set for directory '/etc/apparmor.d/' at install/upgrade time
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
StarlingX | Fix Released | Low | Jagatguru Prasad Mishra | |
Bug Description
Brief Description
-----------------
While updating AppArmor profiles using aa-logprof, a permission denied error is thrown as follows:
[sysadmin@
Reading log entries from /dev/fd/63.
Updating AppArmor profiles in /etc/apparmor.d.
......
PermissionError: [Errno 13] Permission denied: '/etc/apparmor.
An unexpected error occoured!
Severity
--------
Minor
Steps to Reproduce
------------------
1. Use apparmor_parser to load an empty profile (deny everything) in complain mode
a. #include <tunables/global>
profile nginx-profile flags=(
#include <abstractions/base>
}
2. Attach the profile to the pod and perform the desired operations
3. Use aa-logprof to update the profile.
Expected Behavior
------------------
The user should be able to save the updated profile in the /etc/apparmor.d directory.
Actual Behavior
----------------
Permission denied error as follows after running aa-logprof:
PermissionError: [Errno 13] Permission denied: '/etc/apparmor.
An unexpected error occoured!
Reproducibility
---------------
100%
System Configuration
-------
NA
Branch/Pull Time/Commit
-------
NA
Last Pass
---------
NA
Timestamp/Logs
--------------
///////
[sysadmin@
Reading log entries from /dev/fd/63.
Updating AppArmor profiles in /etc/apparmor.d.
Profile: nginx-profile
Execute: /usr/bin/find
Severity: 5
(I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish
Complain-mode changes:
Profile: nginx-profile
Path: /docker-
New Mode: owner r
Severity: unknown
[1 - owner /docker-
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish
Adding owner /docker-
Enforce-mode changes:
= Changed Local Profiles =
The following local profiles were changed. Would you like to save them?
[1 - nginx-profile]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
Writing updated profile for nginx-profile.
Traceback (most recent call last):
File "/usr/sbin/
apparmor.
File "/usr/lib/
save_profiles()
File "/usr/lib/
write_
File "/usr/lib/
write_
File "/usr/lib/
newprof = tempfile.
File "/usr/lib/
(fd, name) = _mkstemp_inner(dir, prefix, suffix, flags, output_type)
File "/usr/lib/
fd = _os.open(file, flags, 0o600)
PermissionError: [Errno 13] Permission denied: '/etc/apparmor.
An unexpected error occoured!
For details, see /tmp/apparmor-
Please consider reporting a bug at https:/
and attach this file.
/////////////////
Test Activity
-------------
NA
Workaround
----------
The user should run the command below before executing aa-logprof.
sudo setfacl -m g:sys_protected:rwx /etc/apparmor.d/
Changed in starlingx: | |
assignee: | nobody → Jagatguru Prasad Mishra (jmishra) |
Changed in starlingx: | |
status: | In Progress → Fix Released |
Fixed By:
https://review.opendev.org/c/starlingx/stx-puppet/+/888022
https://review.opendev.org/c/starlingx/stx-puppet/+/889841
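A pre-flight check for the workaround above, as an added example that is not part of the bug report or the StarlingX fix: it parses `getfacl` text output and reports whether a named group has effective write and search permission on the directory, which is what the `tempfile` call in the traceback needs. The ACL listings are constructed samples, and the assumption that the user running aa-logprof belongs to `sys_protected` is taken from the workaround.

```python
# Constructed `getfacl /etc/apparmor.d/` listings (not captured from a real system).
BEFORE = """# file: etc/apparmor.d/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
"""
# State after: setfacl -m g:sys_protected:rwx /etc/apparmor.d/
AFTER = BEFORE.replace("other::r-x", "group:sys_protected:rwx\nmask::rwx\nother::r-x")
# A later `chmod g-w` on the directory narrows the mask, not the named entry.
MASKED = AFTER.replace("mask::rwx", "mask::r-x")


def parse_acl(text):
    """Map (tag, qualifier) -> permission string for access ACL entries."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops headers and '#effective:' notes
        parts = line.split(":")
        if len(parts) == 3:  # 'default:...' entries have four fields and are skipped
            tag, qualifier, perms = parts
            entries[(tag, qualifier)] = perms
    return entries


def effective_group_perms(text, group):
    """Permissions a named group really gets: its entry ANDed with the mask."""
    acl = parse_acl(text)
    perms = acl.get(("group", group))
    if perms is None:
        return None
    mask = acl.get(("mask", ""), "rwx")
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))


def can_save_profiles(text, group="sys_protected"):
    """Creating a temp file in a directory needs both 'w' and 'x' on it."""
    eff = effective_group_perms(text, group)
    return eff is not None and "w" in eff and "x" in eff


if __name__ == "__main__":
    for name, listing in (("before", BEFORE), ("after", AFTER), ("masked", MASKED)):
        print(name, effective_group_perms(listing, "sys_protected"),
              can_save_profiles(listing))
```

On a live system the input would be the output of `getfacl /etc/apparmor.d/`; the masked case shows why checking only for the presence of the `group:sys_protected:rwx` line is not enough.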