Problem with pam_apparmor

ybilodeau · May 22, 2012, 9:15pm

Hello,
we have implemented some rbac features using pam_apparmor. This works great with SLES 11SP1 (apparmor 2.3) but fails with SLES 11SP2 (apparmor 2.5.1).

Looking at /var/log/audit/audit.log, I get the following messages:
type=AVC msg=audit(1337709758.374:328): apparmor=“KILLED” operation=“change_hat” parent=6121 profile="/usr/sbin/sshd//root" pid=6719 comm=“sshd” target="/usr/sbin/sshd//root"
type=AVC msg=audit(1337709781.458:329): apparmor=“DENIED” operation=“change_hat” info=“unconfined” error=-1 pid=6722 comm=“cron”
type=AVC msg=audit(1337709781.458:330): apparmor=“DENIED” operation=“change_hat” info=“unconfined” error=-1 pid=6722 comm=“cron”
…

Some googling tells me the apparmor=“DENIED” messages are superfluous messages that can be ignored.

On the other hand, the apparmor=“KILLED” message has absolutely no match in google (even if I limit the search to that term alone). I noticed an updated kernel (3.0.26-0.7-default), which I installed, but it did not help.

I am about to look at the kernel code itself to get a better idea of what is going on, but I would appreciate if anyone has an idea about it!

system · May 31, 2012, 3:30pm

ybilodeau,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

Has your issue been resolved? If not, you might try one of the following options:

Visit http://www.suse.com/support and search the knowledgebase and/or check all
the other support options available.
You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.suse.com)

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.suse.com/faq.php

If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.

Good luck!

Your SUSE Forums Team
http://forums.suse.com

ybilodeau · June 19, 2012, 4:36pm

This has been resolved

Just so everyone knows what went wrong, it is because starting at SLES 11 SP2 (and OpenSuse 11.4 - I did not test prior versions), the pam_apparmor rpm has a postinstall script that does the following:
pam-config -a --apaprmor
pam-config --update

This has the effect of adding the pam_apparmor.so library in /etc/pam.d/common-session, while I was adding it myself to /etc/pam.d/sshd.

It would appear that pam does not like to load the same library twice.

Removing the lines in common-session fix the problem. I know the usage of pam_apparmor is very limited worldwide, but thanks anyways to everyone who looked at my post and thought about my issue!

Topic		Replies	Views
Can I verify if AppArmor is really disabled? SLES Configure-Administer	1	200	June 12, 2014
SLES 10 SP4: Apache, AppArmor and virtual hosts SLES Configure-Administer	1	219	April 28, 2017
aa-eventd not working correctly SLES Configure-Administer	0	173	June 20, 2013
rsh/rlogin PAM issue after upgrading to SLES 11 SP3 SLES Configure-Administer	3	211	April 29, 2015
SLES10 syslog-ng and audit.log. SLES Configure-Administer	2	246	August 18, 2016

Problem with pam_apparmor

Related Topics