apparmor with klogd in enforce mode, causes kdm to fail during initial launch on Hardy Heron

Bug #173709 reported by Roderick B. Greening
Affects: apparmor (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Kees Cook
Milestone: (none listed)

Bug Description

Binary package hint: apparmor

Upon upgrading to Hardy Heron via "sudo adept_manager --dist-upgrade-devel", I found that KDM would fail to launch when in Runlevel 2 (KDM should automatically start in this level).

If I log in and issue "sudo /etc/init.d/kdm start", then KDM launches successfully.

The last app/service to start just prior to this was klogd. I noticed that with the Hardy Heron update, klogd was in enforce mode under apparmor, and provided a complaint in the log as follows:

[ 26.284000] audit(1196704494.632:3): type=1502 operation="inode_permission" requested_mask="r" denied_mask="r" name="/proc/kallsyms" pid=5088 profile="/sbin/klogd"

So, it would appear that apparmor and klogd had somehow prevented KDM from launching during boot (not sure if additional services would be impacted if launched after klogd, other than KDM, which was easy to identify).

To resolve the issue, I have temporarily placed klogd into complain mode, and rebooted. KDM now launches correctly.

Two points:

1) apparmor wrappers like this shouldn't cause KDM to fail (IMHO). How can this be addressed so as to allow KDM to at least launch when an app is in complain mode (like klogd)? KDM is a must under Kubuntu.

2) What is the correct fix to apparmor/klogd based on my error message below? I know that bumping back to complain mode does nothing for security, but it got me up again. I'd like a permanent/proper fix.

Thanks.

Roderick B. Greening (roderick-greening) wrote :

Actually, it causes any service after klogd to fail. This could be very problematic. In my case, avahi failed to start also, along with a couple of other services.

John Johansen (jjohansen) wrote :

You can either manually edit the klogd profile or use the profiling tool logprof.

> logprof /sbin/klogd

logprof should scan your log file, find the reject, and then ask to add "r" permission for /proc/kallsyms. Saying yes will allow this, and then you can save and place the profile in enforce mode.

Alternately, if you hand-edit the profile, it is "/etc/apparmor.d/sbin.klogd"; you will need to add the following rule:
  /proc/kallsyms r,

I am unsure why AppArmor stopping klogd from accessing /proc/kallsyms would cause KDM or other services to fail unless they are dependent on klogd. I am not very familiar with upstart so I can't say if this is the case at the moment. I will look into it and see what I can find.
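
The log-to-rule step described above for logprof, as an added example that is not part of the original comment and is not AppArmor's own tooling: it parses denial lines in the format quoted in this report and proposes rule lines, setting aside any denial that should not be turned into a rule mechanically. The function names, the path allowlist and the set of permission letters handled automatically are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed input: the denial quoted in the report, an unrelated kernel line,
# and a made-up denial whose path must not be pasted into a profile as-is.
SAMPLE_LOG = """\
[ 26.284000] audit(1196704494.632:3): type=1502 operation="inode_permission" requested_mask="r" denied_mask="r" name="/proc/kallsyms" pid=5088 profile="/sbin/klogd"
[ 26.300000] NET: Registered protocol family 10
[ 27.000000] audit(1196704495.100:4): type=1502 operation="inode_permission" requested_mask="w" denied_mask="w" name="/tmp/a b*" pid=5088 profile="/sbin/klogd"
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SAFE_PATH = re.compile(r'^/[A-Za-z0-9_./+-]*$')  # no globs, spaces or commas
SIMPLE_MASKS = set("rwalkm")  # exec needs a transition mode chosen by a human


def parse_denial(line):
    """Return the key=value fields of an AppArmor denial line, else None."""
    fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
    if all(k in fields for k in ("denied_mask", "name", "profile")):
        return fields
    return None


def suggest_rules(log_text):
    """Return ({profile: [rule lines]}, [denials needing manual review])."""
    masks = defaultdict(lambda: defaultdict(set))
    review = []
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        mask = set(d["denied_mask"])
        if not mask or not mask <= SIMPLE_MASKS or not SAFE_PATH.match(d["name"]):
            review.append((d["profile"], d["name"], d["denied_mask"]))
            continue
        masks[d["profile"]][d["name"]] |= mask  # merge repeated denials
    rules = {prof: ["  %s %s," % (path, "".join(sorted(m)))
                    for path, m in sorted(paths.items())]
             for prof, paths in masks.items()}
    return rules, review


if __name__ == "__main__":
    rules, review = suggest_rules(SAMPLE_LOG)
    for prof, lines in rules.items():
        print("# profile %s\n%s" % (prof, "\n".join(lines)))
    for item in review:
        print("# review by hand: %r" % (item,))
```

Each proposed line still needs a reviewer's decision before it goes into the profile, since every added rule widens what the confined program may do.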

Roderick B. Greening (roderick-greening) wrote : Re: [Bug 173709] Re: apparmor with klogd in enforce mode, causes kdm to fail during initial launch on Hardy Heron

Thanks.

Much appreciated.

On 12/5/07, John Johansen <email address hidden> wrote:
> You can either manually edit the klogd profile or use the profiling tool
> logprof.
>
> > logprof /sbin/klogd
>
> logprof should scan your log file and find the reject and then ask to add
> "r" permission for /proc/kallsyms, saying
> yes will allow this and then you can save and place the profile in enforce
> mode.
>
> Alternately if you hand edit the profile it is "/etc/apparmor.d/sbin.klogd",
> you will need to add the following rule
> /proc/kallsyms r,
>
>
> I am unsure why AppArmor stopping klogd from accessing /proc/kallsyms would
> cause KDM or other services to fail unless they are dependent on klogd. I
> am not very familiar with upstart so I can't say if this is the case at the
> moment. I will look into it and see what I can find.
>

Kees Cook (kees) wrote :

This was fixed in Hardy. Thanks for the report!

Changed in apparmor:
assignee: nobody → keescook
status: New → Fix Released