Re: [Touch-packages] [Bug 1865450] [NEW] PermissionError for AppArmor Profiles i.e., SSH

2020-03-02 Thread Seth Arnold 
On Mon, Mar 02, 2020 at 09:15:56AM -, Shaheena Kazi wrote:
> Public bug reported:
> 
> I have created an AppArmor profile for SSH.

ssh server or ssh client?

What profile transitions did you put into your profile?

> The profile is created successfully but each time I run aa-logprof it gives 
> PermissionError: [Errno 13] 
> PermissionError: [Errno 13] Permission denied: 
> '/etc/apparmor.d/usr.sbin.tcpdumpwvx1h0xl~' -> 
> '/etc/apparmor.d/usr.sbin.tcpdump'

Do you get an apparmor DENIED entry in your log for this?

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1865450

Title:
  PermissionError for AppArmor Profiles i.e., SSH

Status in apparmor package in Ubuntu:
  New

Bug description:
  I have created an AppArmor profile for SSH.
  The profile is created successfully but each time I run aa-logprof it gives 
PermissionError: [Errno 13] 

  
  An example of the error: 
  Traceback (most recent call last):
File "/usr/sbin/aa-enforce", line 35, in 
  tool.cmd_enforce()
File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 150, in 
cmd_enforce
  apparmor.set_enforce(profile, program)
File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 293, in 
set_enforce
  change_profile_flags(filename, program, 'complain', False)
File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 704, in 
change_profile_flags
  set_profile_flags(filename, program, newflags)
File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 753, in 
set_profile_flags
  os.rename(temp_file.name, prof_filename)
  PermissionError: [Errno 13] Permission denied: 
'/etc/apparmor.d/usr.sbin.tcpdumpwvx1h0xl~' -> 
'/etc/apparmor.d/usr.sbin.tcpdump'
  
  Please consider reporting a bug at https://bugs.launchpad.net/apparmor/
  and attach this file.

  
+++
  Traceback (most recent call last):
File "/usr/sbin/aa-logprof", line 50, in 
  apparmor.do_logprof_pass(logmark)
File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 1824, in 
do_logprof_pass
  save_profiles()
File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 1921, in 
save_profiles
  write_profile_ui_feedback(profile_name)
File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 3404, in 
write_profile_ui_feedback
  write_profile(profile)
File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 3413, in 
write_profile
  newprof = tempfile.NamedTemporaryFile('w', suffix='~', delete=False, 
dir=profile_dir)
File "/usr/lib/python3.5/tempfile.py", line 688, in NamedTemporaryFile
  (fd, name) = _mkstemp_inner(dir, prefix, suffix, flags, output_type)
File "/usr/lib/python3.5/tempfile.py", line 399, in _mkstemp_inner
  fd = _os.open(file, flags, 0o600)
  PermissionError: [Errno 13] Permission denied: '/etc/apparmor.d/tmpujtge2jq~'

  
  An unexpected error occurred!

  For details, see /tmp/apparmor-bug report-5qnjyx3t.txt
  Please consider reporting a bug at https://bugs.launchpad.net/apparmor/
  and attach this file.
  
+++

  
+++
  root@protegrity-framework314:/var/www# aa-complain /etc/apparmor.d/*
  Profile for /etc/apparmor.d/abstractions not found, skipping
  Profile for /etc/apparmor.d/apache2.d not found, skipping
  Setting /etc/apparmor.d/bin.ping to complain mode.
  Profile for /etc/apparmor.d/cache not found, skipping
  Profile for /etc/apparmor.d/disable not found, skipping
  Setting /etc/apparmor.d/etc.opt.Cluster.cluster_config.status.xml to complain 
mode.
  Setting /etc/apparmor.d/etc.opt.Cluster.cluster_config.xml to complain mode.
  Traceback (most recent call last):
File "/usr/sbin/aa-complain", line 35, in 
  tool.cmd_complain()
File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 165, in 
cmd_complain
  apparmor.set_complain(profile, program)
File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 286, in 
set_complain
  change_profile_flags(filename, program, 'complain', True)
File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 704, in 
change_profile_flags
  set_profile_flags(filename, program, newflags)
File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 720, in 
set_profile_flags
  temp_file = tempfile.NamedTemporaryFile('w', prefix=prof_filename, 
suffix='~', delete=False, dir=profile_dir)
File "/usr/lib/python3.5/tempfile.py", line 688, in NamedTemporaryFile
  (fd, name) = _mkstemp_inner(dir, prefix, suffix, flags, output_type)
File "/usr/lib/python3.5/tempfile.py", line 399, in _mkstemp_inner
  fd = _os.open(file, flags, 0o600)
  PermissionError: [Er

[Touch-packages] [Bug 1865450] [NEW] PermissionError for AppArmor Profiles i.e., SSH

2020-03-02 Thread Shaheena Kazi 
Public bug reported:

I have created an AppArmor profile for SSH.
The profile is created successfully but each time I run aa-logprof it gives 
PermissionError: [Errno 13] 


An example of the error: 
Traceback (most recent call last):
  File "/usr/sbin/aa-enforce", line 35, in 
tool.cmd_enforce()
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 150, in 
cmd_enforce
apparmor.set_enforce(profile, program)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 293, in set_enforce
change_profile_flags(filename, program, 'complain', False)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 704, in 
change_profile_flags
set_profile_flags(filename, program, newflags)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 753, in 
set_profile_flags
os.rename(temp_file.name, prof_filename)
PermissionError: [Errno 13] Permission denied: 
'/etc/apparmor.d/usr.sbin.tcpdumpwvx1h0xl~' -> 
'/etc/apparmor.d/usr.sbin.tcpdump'

Please consider reporting a bug at https://bugs.launchpad.net/apparmor/
and attach this file.

+++
Traceback (most recent call last):
  File "/usr/sbin/aa-logprof", line 50, in 
apparmor.do_logprof_pass(logmark)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 1824, in 
do_logprof_pass
save_profiles()
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 1921, in 
save_profiles
write_profile_ui_feedback(profile_name)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 3404, in 
write_profile_ui_feedback
write_profile(profile)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 3413, in 
write_profile
newprof = tempfile.NamedTemporaryFile('w', suffix='~', delete=False, 
dir=profile_dir)
  File "/usr/lib/python3.5/tempfile.py", line 688, in NamedTemporaryFile
(fd, name) = _mkstemp_inner(dir, prefix, suffix, flags, output_type)
  File "/usr/lib/python3.5/tempfile.py", line 399, in _mkstemp_inner
fd = _os.open(file, flags, 0o600)
PermissionError: [Errno 13] Permission denied: '/etc/apparmor.d/tmpujtge2jq~'


An unexpected error occurred!

For details, see /tmp/apparmor-bug report-5qnjyx3t.txt
Please consider reporting a bug at https://bugs.launchpad.net/apparmor/
and attach this file.
+++

+++
root@protegrity-framework314:/var/www# aa-complain /etc/apparmor.d/*
Profile for /etc/apparmor.d/abstractions not found, skipping
Profile for /etc/apparmor.d/apache2.d not found, skipping
Setting /etc/apparmor.d/bin.ping to complain mode.
Profile for /etc/apparmor.d/cache not found, skipping
Profile for /etc/apparmor.d/disable not found, skipping
Setting /etc/apparmor.d/etc.opt.Cluster.cluster_config.status.xml to complain 
mode.
Setting /etc/apparmor.d/etc.opt.Cluster.cluster_config.xml to complain mode.
Traceback (most recent call last):
  File "/usr/sbin/aa-complain", line 35, in 
tool.cmd_complain()
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 165, in 
cmd_complain
apparmor.set_complain(profile, program)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 286, in 
set_complain
change_profile_flags(filename, program, 'complain', True)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 704, in 
change_profile_flags
set_profile_flags(filename, program, newflags)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 720, in 
set_profile_flags
temp_file = tempfile.NamedTemporaryFile('w', prefix=prof_filename, 
suffix='~', delete=False, dir=profile_dir)
  File "/usr/lib/python3.5/tempfile.py", line 688, in NamedTemporaryFile
(fd, name) = _mkstemp_inner(dir, prefix, suffix, flags, output_type)
  File "/usr/lib/python3.5/tempfile.py", line 399, in _mkstemp_inner
fd = _os.open(file, flags, 0o600)
PermissionError: [Errno 13] Permission denied: 
'/etc/apparmor.d/etc.opt.Cluster.cluster_config.xml7m7t4rvb~'


An unexpected error occurred!

For details, see /tmp/apparmor-bugreport-oe_mo879.txt
Please consider reporting a bug at https://bugs.launchpad.net/apparmor/
and attach this file.
++

Secondly, once I accept this denial, AppArmor repeatedly gives similar
denials for almost every profile.

I am using a security product and running it on Debian 9.
root@protegrity:/var/www# cat /etc/debian_version
9.9

I expect that these denials should not occur repeatedly.

Please do check.

** Affects: apparmor (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1865450

Title:
  PermissionError for A