Issues with the dbus-system and the issue-generator profiles #558

Closed
MinimusMaximus opened this issue Oct 14, 2024 · 2 comments

@MinimusMaximus

Hi. The dbus-broker.service does not work as expected when the dbus-system profile is in enforce mode: the desktop environment crashes, and I cannot log in to user and root sessions after reboot.

Enforce:
apparmor="DENIED" operation="file_receive" class="file" profile="dbus-system" name="/run/systemd/inhibit/1.ref"  comm="dbus-broker" requested_mask="w" denied_mask="w" fsuid=498 ouid=0
apparmor="DENIED" operation="file_receive" class="file" profile="dbus-system" name="/run/systemd/sessions/5.ref"  comm="dbus-broker" requested_mask="w" denied_mask="w" fsuid=498 ouid=0
Complain:
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/run/systemd/inhibit/1.ref"  comm="dbus-broker" requested_mask="w" denied_mask="w" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/run/systemd/inhibit/2.ref"  comm="dbus-broker" requested_mask="w" denied_mask="w" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/run/systemd/inhibit/3.ref"  comm="dbus-broker" requested_mask="w" denied_mask="w" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/run/systemd/sessions/2.ref"  comm="dbus-broker" requested_mask="w" denied_mask="w" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/run/systemd/sessions/1.ref"  comm="dbus-broker" requested_mask="w" denied_mask="w" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/run/systemd/sessions/4.ref"  comm="dbus-broker" requested_mask="w" denied_mask="w" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/run/systemd/sessions/3.ref"  comm="dbus-broker" requested_mask="w" denied_mask="w" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/dev/dri/card1"  comm="dbus-broker" requested_mask="wr" denied_mask="wr" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/dev/dri/card2"  comm="dbus-broker" requested_mask="wr" denied_mask="wr" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/dev/input/event7"  comm="dbus-broker" requested_mask="wr" denied_mask="wr" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/dev/input/event4"  comm="dbus-broker" requested_mask="wr" denied_mask="wr" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/dev/input/event6"  comm="dbus-broker" requested_mask="wr" denied_mask="wr" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/dev/input/event5"  comm="dbus-broker" requested_mask="wr" denied_mask="wr" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/dev/input/event9"  comm="dbus-broker" requested_mask="wr" denied_mask="wr" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/dev/input/event10"  comm="dbus-broker" requested_mask="wr" denied_mask="wr" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/dev/input/event11"  comm="dbus-broker" requested_mask="wr" denied_mask="wr" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/dev/input/event12"  comm="dbus-broker" requested_mask="wr" denied_mask="wr" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/run/systemd/inhibit/4.ref"  comm="dbus-broker" requested_mask="w" denied_mask="w" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/dev/input/event0"  comm="dbus-broker" requested_mask="wr" denied_mask="wr" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/dev/input/event1"  comm="dbus-broker" requested_mask="wr" denied_mask="wr" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/dev/input/event2"  comm="dbus-broker" requested_mask="wr" denied_mask="wr" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/dev/input/event3"  comm="dbus-broker" requested_mask="wr" denied_mask="wr" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/dev/input/event13"  comm="dbus-broker" requested_mask="wr" denied_mask="wr" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/dev/input/event14"  comm="dbus-broker" requested_mask="wr" denied_mask="wr" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/dev/input/event15"  comm="dbus-broker" requested_mask="wr" denied_mask="wr" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/dev/input/event16"  comm="dbus-broker" requested_mask="wr" denied_mask="wr" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/dev/input/event17"  comm="dbus-broker" requested_mask="wr" denied_mask="wr" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/dev/input/event18"  comm="dbus-broker" requested_mask="wr" denied_mask="wr" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/dev/input/event19"  comm="dbus-broker" requested_mask="wr" denied_mask="wr" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/dev/input/event20"  comm="dbus-broker" requested_mask="wr" denied_mask="wr" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/dev/input/event21"  comm="dbus-broker" requested_mask="wr" denied_mask="wr" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/dev/input/event22"  comm="dbus-broker" requested_mask="wr" denied_mask="wr" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/dev/input/event23"  comm="dbus-broker" requested_mask="wr" denied_mask="wr" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/dev/input/event8"  comm="dbus-broker" requested_mask="wr" denied_mask="wr" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/run/systemd/inhibit/5.ref"  comm="dbus-broker" requested_mask="w" denied_mask="w" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/run/systemd/inhibit/6.ref"  comm="dbus-broker" requested_mask="w" denied_mask="w" fsuid=498 ouid=0

When the issue-generator profile is in enforce mode, it prevents some post-transaction scripts from working as expected during a system upgrade with zypper dup.

Enforce:
apparmor="DENIED" operation="exec" class="file" profile="issue-generator" name="/usr/bin/chmod"  comm="issue-generator" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="issue-generator" name="/usr/bin/chmod"  comm="issue-generator" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="exec" class="file" profile="issue-generator" name="/usr/bin/mv"  comm="issue-generator" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="issue-generator" name="/usr/bin/mv"  comm="issue-generator" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="issue-generator" name="/run/agetty.reload"  comm="issue-generator" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="issue-generator" name="/run/agetty.reload"  comm="issue-generator" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
apparmor="DENIED" operation="file_inherit" class="file" profile="issue-generator" name="/dev/tty3"  comm="issue-generator" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Complain:
apparmor="ALLOWED" operation="exec" class="file" profile="issue-generator" name="/usr/bin/chmod"  comm="issue-generator" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="issue-generator//null-/usr/bin/chmod"
apparmor="ALLOWED" operation="file_mmap" class="file" profile="issue-generator//null-/usr/bin/chmod" name="/usr/bin/chmod"  comm="chmod" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="open" class="file" profile="issue-generator//null-/usr/bin/chmod" name="/usr/lib64/gconv/gconv-modules.cache"  comm="chmod" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="getattr" class="file" profile="issue-generator//null-/usr/bin/chmod" name="/usr/lib64/gconv/gconv-modules.cache"  comm="chmod" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="getattr" class="file" profile="issue-generator//null-/usr/bin/chmod" name="/run/issue.ih1wYB7ZoA"  comm="chmod" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="chmod" class="file" profile="issue-generator//null-/usr/bin/chmod" name="/run/issue.ih1wYB7ZoA"  comm="chmod" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
apparmor="ALLOWED" operation="exec" class="file" profile="issue-generator" name="/usr/bin/mv"  comm="issue-generator" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="issue-generator//null-/usr/bin/mv"
apparmor="ALLOWED" operation="file_mmap" class="file" profile="issue-generator//null-/usr/bin/mv" name="/usr/bin/mv"  comm="mv" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="open" class="file" profile="issue-generator//null-/usr/bin/mv" name="/proc/filesystems"  comm="mv" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="getattr" class="file" profile="issue-generator//null-/usr/bin/mv" name="/proc/filesystems"  comm="mv" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="open" class="file" profile="issue-generator//null-/usr/bin/mv" name="/usr/lib64/gconv/gconv-modules.cache"  comm="mv" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="getattr" class="file" profile="issue-generator//null-/usr/bin/mv" name="/usr/lib64/gconv/gconv-modules.cache"  comm="mv" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="getattr" class="file" profile="issue-generator//null-/usr/bin/mv" name="/run/issue.ih1wYB7ZoA"  comm="mv" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="getattr" class="file" profile="issue-generator//null-/usr/bin/mv" name="/run/issue"  comm="mv" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="rename_src" class="file" profile="issue-generator//null-/usr/bin/mv" name="/run/issue.ih1wYB7ZoA"  comm="mv" requested_mask="wrd" denied_mask="wrd" fsuid=0 ouid=0
apparmor="ALLOWED" operation="rename_dest" class="file" profile="issue-generator//null-/usr/bin/mv" name="/run/issue"  comm="mv" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
apparmor="ALLOWED" operation="open" class="file" profile="issue-generator" name="/run/agetty.reload"  comm="issue-generator" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
apparmor="ALLOWED" operation="truncate" class="file" profile="issue-generator" name="/run/agetty.reload"  comm="issue-generator" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
apparmor="ALLOWED" operation="file_inherit" class="file" profile="issue-generator" name="/dev/pts/3"  comm="issue-generator" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
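
An added example for triaging logs like the ones above (not code from this issue or its project): it parses the audit records, collapses per-instance numbers in paths, and folds complain-mode "//null-" child profiles into their parent profile. The sample lines are constructed in the quoted format, and the "[0-9]*" pattern is an assumed grouping aid for reading the log, not the rule used in the fix.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the audit records quoted in this issue.
SAMPLE = """\
apparmor="DENIED" operation="file_receive" class="file" profile="dbus-system" name="/run/systemd/inhibit/1.ref"  comm="dbus-broker" requested_mask="w" denied_mask="w" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/dev/input/event7"  comm="dbus-broker" requested_mask="wr" denied_mask="wr" fsuid=498 ouid=0
apparmor="ALLOWED" operation="file_receive" class="file" profile="dbus-system" name="/dev/input/event10"  comm="dbus-broker" requested_mask="wr" denied_mask="wr" fsuid=498 ouid=0
apparmor="ALLOWED" operation="chmod" class="file" profile="issue-generator//null-/usr/bin/chmod" name="/run/issue.ih1wYB7ZoA"  comm="chmod" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# A digit run ending the basename, optionally followed by one extension.
TRAILING_NUM = re.compile(r'\d+(?=(?:\.\w+)?$)')

def parse(line):
    """Split one audit record into a dict of its key=value fields."""
    return {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}

def generalize(path):
    """Collapse per-instance numbers: event7 and event10 -> event[0-9]*."""
    return TRAILING_NUM.sub("[0-9]*", path)

def summarize(text):
    """Group records by (parent profile, path pattern).

    Complain mode logs exec targets that have no transition rule under a
    transient '<parent>//null-<binary>' profile; those are folded into the
    parent and the binary is recorded under 'via'.
    """
    groups = defaultdict(lambda: {"mask": set(), "ops": set(), "via": set(), "count": 0})
    for line in text.splitlines():
        rec = parse(line)
        if rec.get("class") != "file" or "name" not in rec:
            continue
        parent, _, child = rec.get("profile", "").partition("//null-")
        g = groups[(parent, generalize(rec["name"]))]
        g["mask"].update(rec.get("denied_mask", ""))
        g["ops"].add(rec.get("operation", ""))
        g["via"].update([child] if child else [])
        g["count"] += 1
    return dict(groups)

if __name__ == "__main__":
    for (profile, pattern), g in sorted(summarize(SAMPLE).items()):
        print(profile, pattern, "".join(sorted(g["mask"])), sorted(g["ops"]), g["count"])
```

Feeding the full journal output through summarize() reduces the dozens of /dev/input and /run/systemd lines to a handful of profile and path groups to review.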
@roddhjav
Owner

It should be fixed now. Can you confirm on your side? See #559 for the context.

@MinimusMaximus
Author

It seems that the issues here and #557 have been fixed. Thanks!
