Hello,
we have implemented some RBAC features using pam_apparmor. This works great with SLES 11 SP1 (apparmor 2.3) but fails with SLES 11 SP2 (apparmor 2.5.1).
Looking at /var/log/audit/audit.log, I get the following messages:
type=AVC msg=audit(1337709758.374:328): apparmor="KILLED" operation="change_hat" parent=6121 profile="/usr/sbin/sshd//root" pid=6719 comm="sshd" target="/usr/sbin/sshd//root"
type=AVC msg=audit(1337709781.458:329): apparmor="DENIED" operation="change_hat" info="unconfined" error=-1 pid=6722 comm="cron"
type=AVC msg=audit(1337709781.458:330): apparmor="DENIED" operation="change_hat" info="unconfined" error=-1 pid=6722 comm="cron"
…
Some googling tells me the apparmor="DENIED" messages are superfluous messages that can be ignored.
On the other hand, the apparmor="KILLED" message has absolutely no match in Google (even if I limit the search to that term alone). I noticed an updated kernel (3.0.26-0.7-default), which I installed, but it did not help.
I am about to look at the kernel code itself to get a better idea of what is going on, but I would appreciate it if anyone has an idea about it!
ybilodeau,
It appears that in the past few days you have not received a response to your posting. That concerns us, and has triggered this automated reply.
Has your issue been resolved? If not, you might try one of the following options:
Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.suse.com/faq.php
If this is a reply to a duplicate posting, please ignore and accept our apologies, and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your SUSE Forums Team
http://forums.suse.com
This has been resolved.
Just so everyone knows what went wrong: it is because starting at SLES 11 SP2 (and openSUSE 11.4; I did not test prior versions), the pam_apparmor rpm has a postinstall script that does the following:
pam-config -a --apparmor
pam-config --update
This has the effect of adding the pam_apparmor.so library in /etc/pam.d/common-session, while I was adding it myself to /etc/pam.d/sshd.
It would appear that pam does not like to load the same library twice.
Removing the lines in common-session fixes the problem. I know the usage of pam_apparmor is very limited worldwide, but thanks anyway to everyone who looked at my post and thought about my issue!
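The double-loading described in this resolution, as an added shell example (not code from the thread): it builds a constructed /etc/pam.d layout in a temporary directory, expands the `session include common-session` line the way PAM does, and counts how many times pam_apparmor.so ends up in sshd's session stack before and after the common-session line is dropped; the file contents and paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a constructed /etc/pam.d
# layout in a temp dir (paths and file contents are assumptions) and shows
# pam_apparmor.so stacked twice in sshd's session stack: once via the
# common-session line the pam_apparmor postinstall script adds, once by hand.
PAMDIR=$(mktemp -d)
trap 'rm -rf "$PAMDIR"' EXIT

# constructed: what "pam-config -a --apparmor" leaves in common-session
cat > "$PAMDIR/common-session" <<'EOF'
session required pam_limits.so
session required pam_unix.so try_first_pass
session optional pam_apparmor.so order=user,group,default
EOF

# constructed: an sshd stack that also loads pam_apparmor.so directly
cat > "$PAMDIR/sshd" <<'EOF'
auth    requisite pam_nologin.so
auth    include   common-auth
session required  pam_loginuid.so
session include   common-session
session optional  pam_apparmor.so order=user,group,default
EOF

# pam_session_lines SERVICE: session lines of SERVICE with one level of
# "session include FILE" expanded (enough for SUSE's common-* layout).
pam_session_lines() {
    awk -v dir="$PAMDIR" '
        /^[ \t]*(#|$)/ { next }
        $1 == "session" && $2 == "include" {
            f = dir "/" $3
            while ((getline l < f) > 0) if (l ~ /^[ \t]*session/) print l
            close(f); next
        }
        $1 == "session" { print }
    ' "$PAMDIR/$1"
}

# count_module SERVICE MODULE: how often MODULE is loaded in that session stack
count_module() {
    pam_session_lines "$1" | grep -Fc "$2"
}

# drop_module FILE MODULE: the fix from the thread, delete MODULE's line from FILE
drop_module() {
    awk -v m="$2" 'index($0, m) == 0' "$PAMDIR/$1" > "$PAMDIR/$1.new" &&
        mv "$PAMDIR/$1.new" "$PAMDIR/$1"
}
printf 'pam_apparmor.so in sshd session stack: %s time(s)\n' \
    "$(count_module sshd pam_apparmor.so)"   # prints 2 before the fix
```

On a real system, point PAMDIR at /etc/pam.d and check each service that loads pam_apparmor.so by hand; a count above 1 is the duplicate stacking that produced the KILLED change_hat audit record.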