Bug 1077315 - openQA-gru can't be started due to apparmor policy
Status: RESOLVED WORKSFORME
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: AppArmor
Priority: P5 - None, Severity: Normal
Assigned To: Oliver Kurz
Reported: 2018-01-24 01:41 UTC by lakshmi pathi
Modified: 2018-06-15 12:45 UTC

Description lakshmi pathi 2018-01-24 01:41:58 UTC
After installation of Tumbleweed (Snapshot20180114) & openQA, the openQA-gru process refuses to start after a reboot. From the mailing list discussion (titled "Restarting openQA-gru"), it's narrowed to the apparmor policy. Here is the audit.log while starting openqa-gru via systemctl:

--
type=USER_CMD msg=audit(1516757676.568:130): pid=3529 uid=1000 auid=4294967295 ses=4294967295 msg='cwd="/etc/apparmor.d" cmd=73797374656D63746C207374617274206F70656E71612D677275 terminal=pts/1 res=success'
type=CRED_REFR msg=audit(1516757676.568:131): pid=3529 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_gnome_keyring,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_START msg=audit(1516757676.572:132): pid=3529 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_open grantors=pam_systemd,pam_limits,pam_unix,pam_umask,pam_gnome_keyring,pam_env acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_END msg=audit(1516757676.748:133): pid=3529 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_close grantors=pam_systemd,pam_limits,pam_unix,pam_umask,pam_gnome_keyring,pam_env acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=CRED_DISP msg=audit(1516757676.748:134): pid=3529 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_gnome_keyring,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=AVC msg=audit(1516757679.344:135): apparmor="DENIED" operation="open" profile="/usr/share/openqa/script/openqa" name="/usr/bin/unzip-plain" pid=3536 comm="openqa" requested_mask="r" denied_mask="r" fsuid=459 ouid=0 <<< Issue here
--
Comment 1 Christian Boltz 2018-01-24 11:50:30 UTC
(In reply to lakshmi pathi from comment #0)
> type=AVC msg=audit(1516757679.344:135): apparmor="DENIED" operation="open"
> profile="/usr/share/openqa/script/openqa" name="/usr/bin/unzip-plain"
> pid=3536 comm="openqa" requested_mask="r" denied_mask="r" fsuid=459 ouid=0

That means you need to add

  /usr/bin/unzip-plain r,

to /etc/apparmor.d/usr.share.openqa.script.openqa (in the main profile), followed by "rcapparmor reload".

However, I'm surprised that only read permissions are requested - I wouldn't be surprised if you get a follow-up denial for execute ;-)

Guessing even more, I wouldn't be surprised if openQA is actually looking for /usr/bin/unzip which is nowadays a symlink managed by update-alternatives, so it might make sense to also allow the other unzip flavors.

The openQA profiles are shipped in the openQA package, therefore I'm reassigning to one of the openQA maintainers. I'll still keep an eye on this bugreport ;-)
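
The step from the denied AVC record to the profile rule suggested in comment 1, as an added Python example that is not part of the original comments and not openQA or AppArmor project code. It also decodes the hex-encoded cmd= field of the USER_CMD record; the function names are hypothetical, and exec denials are only flagged because the transition mode is a policy decision.

```python
import re
from collections import defaultdict

# Two records copied from the audit.log in this report (USER_CMD line shortened).
SAMPLE = """\
type=USER_CMD msg=audit(1516757676.568:130): pid=3529 uid=1000 msg='cwd="/etc/apparmor.d" cmd=73797374656D63746C207374617274206F70656E71612D677275 terminal=pts/1 res=success'
type=AVC msg=audit(1516757679.344:135): apparmor="DENIED" operation="open" profile="/usr/share/openqa/script/openqa" name="/usr/bin/unzip-plain" pid=3536 comm="openqa" requested_mask="r" denied_mask="r" fsuid=459 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")
HEX_KEYS = {"cmd", "name", "comm", "profile"}  # strings audit may log hex-encoded
LOG_TO_RULE = {"c": "w", "d": "w"}  # create/delete in the log are granted by w

def parse_record(line):
    """Split one audit record into key -> value, decoding unquoted hex strings."""
    rec = {}
    for m in FIELD.finditer(line):
        key, quoted, bare = m.groups()
        if quoted is not None:
            rec[key] = quoted
        elif key in HEX_KEYS and HEX.fullmatch(bare):
            rec[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            rec[key] = bare  # numeric fields such as pid stay as logged
    return rec

def suggested_rules(log_text):
    """Return {profile: [rule lines]} covering every AppArmor file denial seen."""
    masks = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") == "DENIED" and rec.keys() >= {"profile", "name", "denied_mask"}:
            perms = (LOG_TO_RULE.get(p, p) for p in rec["denied_mask"])
            masks[(rec["profile"], rec["name"])].update(perms)
    rules = defaultdict(list)
    for (profile, name), perms in sorted(masks.items()):
        plain = "".join(sorted(perms - {"x"}))
        if plain:
            rules[profile].append(f"{name} {plain},")
        if "x" in perms:  # exec needs a transition mode the log cannot choose
            rules[profile].append(f"# {name}: exec denied, choose ix/Px/Cx")
    return dict(rules)

if __name__ == "__main__":
    print(parse_record(SAMPLE.splitlines()[0])["cmd"])
    for profile, lines in suggested_rules(SAMPLE).items():
        print(profile, *lines, sep="\n  ")
```
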
Comment 2 lakshmi pathi 2018-01-27 03:15:47 UTC
> That means you need to add
> 
>   /usr/bin/unzip-plain r,
> 
> to /etc/apparmor.d/usr.share.openqa.script.openqa (in the main profile),
> followed by "rcapparmor reload".
> 
As you suggested, modification to /etc/apparmor.d/usr.share.openqa.script.openqa does the trick.

So far, openqa-gru/openqa-webui both seem to be happy with 'r' for unzip-plain. Will explore a bit more and update the bug if I encounter further issues.
Comment 3 Oliver Kurz 2018-06-15 12:45:21 UTC
No further comment was received, I guess it's fine by now. Since then we have updated the apparmor profiles within openQA itself and they seem to be fine in general.