Ubuntu

apparmor denials when using 'maas-import-isos'

Reported by Jamie Strandboge on 2012-04-23
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
maas-provision (Ubuntu)
High
Andres Rodriguez

Bug Description

When running maas-import-isos with the /etc/apparmor.d/usr.bin.cobblerd profile enabled, I observed the following apparmor denials:
Apr 23 09:34:22 maas-precise-server-amd64 kernel: [ 534.632945] type=1400 audit(1335191662.396:22): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/cobblerd" name="/usr/share/python-apt/templates/" pid=21546 comm="cobblerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 23 09:34:22 maas-precise-server-amd64 kernel: [ 534.635351] type=1400 audit(1335191662.396:23): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/cobblerd" name="/etc/apt/sources.list" pid=21546 comm="cobblerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 23 09:34:22 maas-precise-server-amd64 kernel: [ 534.635949] type=1400 audit(1335191662.396:24): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/cobblerd" name="/etc/apt/sources.list.d/" pid=21546 comm="cobblerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 23 09:34:42 maas-precise-server-amd64 kernel: [ 554.961194] type=1400 audit(1335191682.724:25): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/cobblerd" name="/usr/share/python-apt/templates/" pid=21956 comm="cobblerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 23 09:34:42 maas-precise-server-amd64 kernel: [ 554.961267] type=1400 audit(1335191682.724:26): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/cobblerd" name="/etc/apt/sources.list" pid=21956 comm="cobblerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 23 09:34:42 maas-precise-server-amd64 kernel: [ 554.961788] type=1400 audit(1335191682.724:27): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/cobblerd" name="/etc/apt/sources.list.d/" pid=21956 comm="cobblerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 23 09:34:44 maas-precise-server-amd64 kernel: [ 556.337334] type=1400 audit(1335191684.100:28): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/cobblerd" name="/etc/ethers" pid=21979 comm="cobblerd" requested_mask="rwc" denied_mask="rwc" fsuid=0 ouid=0
Apr 23 10:58:19 maas-precise-server-amd64 kernel: [ 5571.725986] type=1400 audit(1335196699.488:29): apparmor="DENIED" operation="link" parent=1 profile="/usr/bin/cobblerd" name="/var/lib/tftpboot/images/memtest86+_multiboot.bin" pid=22403 comm="cobblerd" requested_mask="wcd" denied_mask="wcd" fsuid=0 ouid=0 target="/boot/memtest86+_multiboot.bin"
Apr 23 10:58:19 maas-precise-server-amd64 kernel: [ 5571.730405] type=1400 audit(1335196699.492:30): apparmor="DENIED" operation="link" parent=1 profile="/usr/bin/cobblerd" name="/var/lib/tftpboot/images/memtest86+.bin" pid=22403 comm="cobblerd" requested_mask="wcd" denied_mask="wcd" fsuid=0 ouid=0 target="/boot/memtest86+.bin"
Apr 23 10:58:19 maas-precise-server-amd64 kernel: [ 5571.851731] type=1400 audit(1335196699.612:31): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/cobblerd" name="/etc/dnsmasq.conf" pid=22403 comm="cobblerd" requested_mask="rwc" denied_mask="rwc" fsuid=0 ouid=0
Apr 23 10:58:21 maas-precise-server-amd64 kernel: [ 5573.440222] type=1400 audit(1335196701.204:32): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/cobblerd" name="/etc/ethers" pid=22421 comm="cobblerd" requested_mask="rwc" denied_mask="rwc" fsuid=0 ouid=0
Apr 23 10:58:22 maas-precise-server-amd64 kernel: [ 5575.058317] type=1400 audit(1335196702.820:33): apparmor="DENIED" operation="link" parent=1 profile="/usr/bin/cobblerd" name="/var/lib/tftpboot/images/memtest86+_multiboot.bin" pid=22434 comm="cobblerd" requested_mask="wcd" denied_mask="wcd" fsuid=0 ouid=0 target="/boot/memtest86+_multiboot.bin"
Apr 23 10:58:22 maas-precise-server-amd64 kernel: [ 5575.059203] type=1400 audit(1335196702.820:34): apparmor="DENIED" operation="link" parent=1 profile="/usr/bin/cobblerd" name="/var/lib/tftpboot/images/memtest86+.bin" pid=22434 comm="cobblerd" requested_mask="wcd" denied_mask="wcd" fsuid=0 ouid=0 target="/boot/memtest86+.bin"
Apr 23 10:58:22 maas-precise-server-amd64 kernel: [ 5575.161768] type=1400 audit(1335196702.924:35): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/cobblerd" name="/etc/dnsmasq.conf" pid=22434 comm="cobblerd" requested_mask="rwc" denied_mask="rwc" fsuid=0 ouid=0

Jamie Strandboge (jdstrand) wrote :

Here is the failure output from maas-import-isos.

Changed in maas-provision (Ubuntu):
importance: Undecided → High
Changed in maas-provision (Ubuntu):
status: New → In Progress
assignee: nobody → Andres Rodriguez (andreserl)
Changed in maas-provision (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package maas-provision - 2.2.2-0ubuntu4

---------------
maas-provision (2.2.2-0ubuntu4) precise-proposed; urgency=low

  * Update apparmor profile, fixes denials when running
    maas-import-isos (LP: #987374)
  * 72_ubuntu_copy_boot_nohardlink.patch: Do not hardlink files from /boot/
    only copy them as it might impose a security vulnerability.
 -- Andres Rodriguez <email address hidden> Mon, 23 Apr 2012 16:41:10 -0400

Changed in maas-provision (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers