Bug 1076003 - aa-logprof fails with "ERROR: Passed unknown signal keyword to SignalRule: rtmin+265750032"
Status: RESOLVED DUPLICATE of bug 1070133
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: AppArmor
Importance: P5 - None : Normal
Assigned To: Christian Boltz
Reported: 2018-01-15 14:36 UTC by Marvin FourtyTwo
Modified: 2018-01-16 16:09 UTC
Description Marvin FourtyTwo 2018-01-15 14:36:35 UTC
Grepping in audit.log reveals several of these entries:

type=AVC msg=audit(1511362208.618:141): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=14044 comm="libvirtd" requested_mask="send" denied_mask="send" signal=rtmin+265750032 peer="unconfined"

I wonder if this really needs to be a fatal error.
Comment 1 Christian Boltz 2018-01-15 16:10:11 UTC
The valid range is rtmin+0..rtmin+32, so rtmin+265750032 is clearly an error.

Do you see this with the latest Tumbleweed, or do you run a slightly outdated version? Which kernel version?

FYI: This sounds like an issue with the early 4.14.x kernels (with x <= 1 IIRC), but should be fixed in the meantime. (See for example bug 1070133.)
Comment 2 Marvin FourtyTwo 2018-01-16 09:02:05 UTC
This distro is updated (and rebooted) on a daily basis. But using your hints, I found the wrong entries in audit.log are indeed from the end of November (unixtime: 1511362208), so this seems to be an old (maybe fixed) problem.

I guess that just manually deleting these entries should fix it - right?
Comment 3 Christian Boltz 2018-01-16 16:09:00 UTC
Thanks for checking the details and especially the timestamp.

You are right, the options are:
- remove the problematic entries from the log manually (+ rcauditd restart)
- remove those entries with grep and run aa-logprof with the resulting file:
  grep -v 'rtmin.[0-9][0-9][0-9]' audit.log > audit.log.clean ; 
  aa-logprof -f audit.log.clean
- grep away the problematic entries on the fly:
  aa-logprof -f <( grep -v 'rtmin.[0-9][0-9][0-9]' audit.log )
- rotate audit.log away (to audit.log-$DATE):
  old audit.log ; rcauditd restart

Closing as duplicate - but feel free to reopen if you see this again after cleaning up the log.

*** This bug has been marked as a duplicate of bug 1070133 ***
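
Added example, not part of the bug report or of AppArmor's own code: a range-based alternative to the grep filters in comment 3 that drops only records whose offset lies outside rtmin+0..rtmin+32 (the valid range given in comment 1) and writes them to stderr for review. The function names `filter_rtmin` and `sample_log` and every sample record except the first are constructed for illustration.

```shell
#!/bin/sh
# Added example: filter AppArmor audit records by the valid realtime-signal
# range rtmin+0..rtmin+32 quoted in comment 1.

# filter_rtmin: audit log on stdin; in-range lines go to stdout,
# out-of-range lines go to stderr so they can be reviewed instead of lost.
filter_rtmin() {
    awk '
    match($0, /signal=rtmin[+][0-9]+/) {
        # "signal=rtmin+" is 13 characters; the rest of the match is the offset
        n = substr($0, RSTART + 13, RLENGTH - 13)
        if (n + 0 > 32) { print > "/dev/stderr"; next }
    }
    { print }
    '
}

# Constructed sample: the first record is the one from the report,
# the remaining four are made up to exercise the boundary cases.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1511362208.618:141): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=14044 comm="libvirtd" requested_mask="send" denied_mask="send" signal=rtmin+265750032 peer="unconfined"
type=AVC msg=audit(1516000001.100:201): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=2001 comm="libvirtd" requested_mask="send" denied_mask="send" signal=rtmin+2 peer="unconfined"
type=AVC msg=audit(1516000002.100:202): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=2001 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
type=AVC msg=audit(1516000003.100:203): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=2001 comm="libvirtd" requested_mask="send" denied_mask="send" signal=rtmin+33 peer="unconfined"
type=AVC msg=audit(1516000004.100:204): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=2001 comm="libvirtd" requested_mask="send" denied_mask="send" signal=rtmin+32 peer="unconfined"
EOF
}

# Filter the file given as first argument, or the constructed sample if none.
if [ -f "${1:-}" ]; then
    filter_rtmin < "$1"
else
    sample_log | filter_rtmin
fi
```

With the function sourced into bash, `aa-logprof -f <( filter_rtmin < audit.log )` follows the on-the-fly variant from comment 3.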