Problem with pam_apparmor

we have implemented some rbac features using pam_apparmor. This works great with SLES 11SP1 (apparmor 2.3) but fails with SLES 11SP2 (apparmor 2.5.1).

Looking at /var/log/audit/audit.log, I get the following messages:
type=AVC msg=audit(1337709758.374:328): apparmor=“KILLED” operation=“change_hat” parent=6121 profile="/usr/sbin/sshd//root" pid=6719 comm=“sshd” target="/usr/sbin/sshd//root"
type=AVC msg=audit(1337709781.458:329): apparmor=“DENIED” operation=“change_hat” info=“unconfined” error=-1 pid=6722 comm=“cron”
type=AVC msg=audit(1337709781.458:330): apparmor=“DENIED” operation=“change_hat” info=“unconfined” error=-1 pid=6722 comm=“cron”

Some googling tells me the apparmor=“DENIED” messages are superfluous messages that can be ignored.

On the other hand, the apparmor=“KILLED” message has absolutely no match in google (even if I limit the search to that term alone). I noticed an updated kernel (3.0.26-0.7-default), which I installed, but it did not help.

I am about to look at the kernel code itself to get a better idea of what is going on, but I would appreciate if anyone has an idea about it!


It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

Has your issue been resolved? If not, you might try one of the following options:

Be sure to read the forum FAQ about what to expect in the way of responses:

If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.

Good luck!

Your SUSE Forums Team

This has been resolved

Just so everyone knows what went wrong, it is because starting at SLES 11 SP2 (and OpenSuse 11.4 - I did not test prior versions), the pam_apparmor rpm has a postinstall script that does the following:
pam-config -a --apaprmor
pam-config --update

This has the effect of adding the library in /etc/pam.d/common-session, while I was adding it myself to /etc/pam.d/sshd.

It would appear that pam does not like to load the same library twice.

Removing the lines in common-session fix the problem. I know the usage of pam_apparmor is very limited worldwide, but thanks anyways to everyone who looked at my post and thought about my issue!