On Thursday 07 April 2016, Christian Boltz wrote:
> Hello,
>
> On Thursday, 7 April 2016, 09:57:17 CEST, Ruediger Meier wrote:
> > On Wednesday 06 April 2016, Christian Boltz wrote:
>
> ...
>
> > > You'll probably need to adjust the AppArmor profile a bit to
> > > allow that. Otherwise, nscd won't be able to restart itself
> > > (which effectively means ignoring the paranoia mode).
> > >
> > > https://bugzilla.opensuse.org/show_bug.cgi?id=971790
> >
> > Thanks, good to know.
> >
> > There seems to be another bug
> > $ nscd --invalidate
> > does not work.
> >
> > The only way to reset cache and stats is to set
> >   persistent   xyz           no
> > and rcnscd.restart.
>
> I just tested this (on 13.1, and also on Tumbleweed), and it works.
>
> Does the syslog tell you anything about why --invalidate doesn't
> work?

No logs. Actually it looks like it works but does not clear anything:

$ nscd -g | grep -A20 "passwd cache:"
passwd cache:
            yes  cache is enabled
             no  cache is persistent
             no  cache is shared
            211  suggested size
         216064  total data pool size
            184  used data pool size
            600  seconds time to live for positive entries
             20  seconds time to live for negative entries
            623  cache hits on positive entries
              0  cache hits on negative entries
             19  cache misses on positive entries
             24  cache misses on negative entries
             93% cache hit rate
              2  current number of cached values
             28  maximum number of cached values
              2  maximum chain length searched
              0  number of delays on rdlock
              0  number of delays on wrlock
              0  memory allocations failed
$ nscd -i passwd
$ nscd -g | grep -A20 "passwd cache:"
passwd cache:
            yes  cache is enabled
             no  cache is persistent
             no  cache is shared
            211  suggested size
         216064  total data pool size
              0  used data pool size
            600  seconds time to live for positive entries
             20  seconds time to live for negative entries
            623  cache hits on positive entries
              0  cache hits on negative entries
             19  cache misses on positive entries
             24  cache misses on negative entries
             93% cache hit rate
              0  current number of cached values
             28  maximum number of cached values
              2  maximum chain length searched
              0  number of delays on rdlock
              0  number of delays on wrlock
              0  memory allocations failed


Only restart clears the cache (and only if you have set "persistent 
passwd no"):

$ rcnscd restart
$ nscd -g | grep -A20 "passwd cache:"
passwd cache:
            yes  cache is enabled
             no  cache is persistent
             no  cache is shared
            211  suggested size
         216064  total data pool size
              0  used data pool size
            600  seconds time to live for positive entries
             20  seconds time to live for negative entries
              0  cache hits on positive entries
              0  cache hits on negative entries
              0  cache misses on positive entries
              0  cache misses on negative entries
              0% cache hit rate
              0  current number of cached values
              0  maximum number of cached values
              0  maximum chain length searched
              0  number of delays on rdlock
              0  number of delays on wrlock
              0  memory allocations failed


> Does /var/log/audit/audit.log contain any denials? (I doubt 
> that AppArmor restrictions are involved here, but just to be sure.)
>
> > How would I disable apparmor system wide?
>
> Like every other service - rcapparmor stop

Ooops ...

> [1] 

Ok, I knew that there was something special ;)

> However I hope you won't do this. The better way is usually to

Yep, just for quick, painless testing.

> - switch the profile to complain/learning mode:   aa-complain nscd
> - let the service run for a while
> - run   aa-logprof   to update the profile
> - enforce the profile again:   aa-enforce nscd
>
> BTW: You might be interested in my AppArmor Crash Course:
>     http://blog.cboltz.de/archives/65-openSUSE-conference.html
>     (PDFs linked at the end of the article)
>
> I'll also give an updated version of this talk at the openSUSE
> conference (assuming my proposal gets accepted).
>
_______________________________________________
Evergreen mailing list
Evergreen@lists.rosenauer.org
http://lists.rosenauer.org/mailman/listinfo/evergreen
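
The three `nscd -g` listings in the message differ in only a few fields. The following is an added example, not part of the original message: it parses one cache section and reports which fields changed between two snapshots. The split into "content" fields and cumulative counters is this example's assumption, and the sample input is a selection of lines copied from the listings above.

```python
import re

# Assumption of this example: these fields describe what the cache holds right
# now, while the hit/miss fields are cumulative counters.
CONTENT_FIELDS = ("used data pool size", "current number of cached values")
COUNTER_PREFIXES = ("cache hits", "cache misses")

def parse_cache(text, name):
    """Return {field: int} for the '<name> cache:' section of `nscd -g` output."""
    stats, inside = {}, False
    for line in text.splitlines():
        if line.strip().endswith("cache:"):          # section header
            inside = line.strip() == f"{name} cache:"
            continue
        m = re.match(r"\s*(\d+)%?\s+(.+?)\s*$", line)  # numeric rows only
        if inside and m:
            stats[m.group(2)] = int(m.group(1))
    return stats

def compare(before, after):
    """Report changed fields and whether entries and/or counters are at zero."""
    changed = {k: (before[k], after[k])
               for k in before if k in after and before[k] != after[k]}
    counters = [v for k, v in after.items() if k.startswith(COUNTER_PREFIXES)]
    return {"changed": changed,
            "entries_flushed": all(after.get(f) == 0 for f in CONTENT_FIELDS),
            "counters_reset": all(v == 0 for v in counters)}

# Sample input: selected lines from the listings in the message above.
ROWS = ("{:>15}  used data pool size\n{:>15}  cache hits on positive entries\n"
        "{:>15}  cache misses on positive entries\n"
        "{:>15}  current number of cached values\n")
BEFORE = "passwd cache:\n" + ROWS.format(184, 623, 19, 2)
AFTER_INVALIDATE = "passwd cache:\n" + ROWS.format(0, 623, 19, 0)
AFTER_RESTART = "passwd cache:\n" + ROWS.format(0, 0, 0, 0)

if __name__ == "__main__":
    base = parse_cache(BEFORE, "passwd")
    for label, snap in (("nscd -i passwd", AFTER_INVALIDATE),
                        ("rcnscd restart", AFTER_RESTART)):
        print(label, compare(base, parse_cache(snap, "passwd")))
```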
