I see lots of AppArmor change_hat failures (reported by the mod_apparmor 
apache module) which started when Evergreen got the 3.12 kernel. 
I also see this problem on 42.2, so I'd guess it is a problem with the 
SLE-based kernels.

In the apache error_log, I get tons of this message:

[Mon Aug 29 21:35:58.141373 2016] [apparmor:error] [pid 23452] (2)
No such file or directory: Failed to change_hat to 

audit.log contains

type=AVC msg=audit(1472401978.320:161920): apparmor="ALLOWED" 
operation="change_hat" parent=2206 profile="/usr/sbin/httpd2-prefork" 
pid=4364 comm="httpd2-prefork" target="/usr/sbin/httpd2-prefork//

type=SYSCALL msg=audit(1472401978.320:161920): arch=c000003e syscall=1 
success=no exit=-2 a0=8c a1=7fc9e2997710 a2=33 a3=fffffff9 items=0 
ppid=2206 pid=4364 auid=4294967295 uid=30 gid=8 euid=30 suid=30 fsuid=30 
egid=8 sgid=8 fsgid=8 tty=(none) ses=4294967295 comm="httpd2-prefork" 
exe="/usr/sbin/httpd2-prefork" key=(null)

The HANDLING_UNTRUSTED_INPUT hat is used when an apache process switches 
back from processing a request to idle (waiting for the next request).

I didn't see similar failures for other hats, so it looks like it only 
affects switching from a vhost_whatever hat (which I configured for the 
virtual host) back to HANDLING_UNTRUSTED_INPUT.

Unfortunately, this also means the process switches into the main profile 
(instead of a hat), and later gets switched into a null-* profile which 
floods the audit.log.

Michal, do you know if there were AppArmor-related patches added between 
the previous 3.11 Evergreen kernel and the (AFAIK) SLE-based 3.12 kernel 
that could explain this problem?

Also note that I already found this error message back in 2008
and, since then, didn't see it for a long time.

Luckily, this time apache "only" switches to the main profile instead of 
going unconfined - but this is still not nice and probably causes serious 
problems for people who have their apache profile in enforce mode (I have 
it in complain mode to avoid annoying customers, and still have a good 
monitoring and inventory list of what each virtual host does.)

As usual, I can provide more details and/or a bug report if needed.

I'll also discuss this with the other AppArmor developers, but knowing 
if there are possibly related patches (and ideally their filename) would 
help a lot ;-)


Christian Boltz
Our Kasper in Usenet, hallowed be Thy newsgroup, Thy posting
come, Thy reply be done. As in Usenet, so in RL. Give us this day our
daily newsfeed and forgive us our logic, as we also forgive the
logicians. For Thine is the Usenet and the MID, on Deja.com.
Amen [Peter Schlömer, dateka, 24.7.1999]

Evergreen mailing list
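The audit records quoted in the mail are the raw material for spotting this kind of regression: a `change_hat` AVC record paired with a SYSCALL record that reports `success=no exit=-2` (ENOENT), correlated by the audit serial in `msg=audit(time:serial)`. The following is an added example (not code from the mail, from AppArmor or from the Evergreen project) that joins mail-wrapped records back together, parses the `key=value` fields, pairs AVC and SYSCALL records by serial, and reports which profile-to-hat switches fail and whether they were logged in complain mode (`apparmor="ALLOWED"`) or enforce mode (`apparmor="DENIED"`). The sample log is constructed from the two records in the mail plus two invented records (a successful switch and an enforce-mode failure); the full `target` hat names are assumed, since the mail truncates them.

```python
import re
from collections import Counter, defaultdict

# One audit field: key=value, key="quoted value" or key=(null)/(none).
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
# The audit serial ties an AVC record to the SYSCALL record of the same event.
_MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

# Constructed sample: records 161920/161921 follow the mail, 161921 (success)
# and 161930 (enforce-mode style, apparmor="DENIED") are invented. The third
# AVC record is deliberately wrapped over two lines, as mail clients do.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1472401978.320:161920): apparmor="ALLOWED" operation="change_hat" parent=2206 profile="/usr/sbin/httpd2-prefork" pid=4364 comm="httpd2-prefork" target="/usr/sbin/httpd2-prefork//HANDLING_UNTRUSTED_INPUT"
type=SYSCALL msg=audit(1472401978.320:161920): arch=c000003e syscall=1 success=no exit=-2 a0=8c a1=7fc9e2997710 a2=33 a3=fffffff9 items=0 ppid=2206 pid=4364 auid=4294967295 uid=30 gid=8 euid=30 suid=30 fsuid=30 egid=8 sgid=8 fsgid=8 tty=(none) ses=4294967295 comm="httpd2-prefork" exe="/usr/sbin/httpd2-prefork" key=(null)
type=AVC msg=audit(1472401979.001:161921): apparmor="ALLOWED" operation="change_hat" parent=2206 profile="/usr/sbin/httpd2-prefork" pid=4364 comm="httpd2-prefork" target="/usr/sbin/httpd2-prefork//vhost_example"
type=SYSCALL msg=audit(1472401979.001:161921): arch=c000003e syscall=1 success=yes exit=0 pid=4364 comm="httpd2-prefork"
type=AVC msg=audit(1472402000.500:161930): apparmor="DENIED" operation="change_hat"
 parent=2206 profile="/usr/sbin/httpd2-prefork" pid=4370 comm="httpd2-prefork" target="/usr/sbin/httpd2-prefork//HANDLING_UNTRUSTED_INPUT"
type=SYSCALL msg=audit(1472402000.500:161930): arch=c000003e syscall=1 success=no exit=-2 pid=4370 comm="httpd2-prefork"
"""


def join_wrapped(lines):
    """Re-join records that were wrapped over several lines (every real record starts with 'type=')."""
    records = []
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip():
            continue
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def parse_audit_record(record):
    """Return (type, serial, fields) for one audit record, or None if it carries no audit serial."""
    m = _MSG_RE.search(record)
    if not m:
        return None
    fields = {}
    for key, value in _FIELD_RE.findall(record):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields.get("type"), int(m.group(2)), fields


def find_change_hat_failures(lines):
    """Pair AVC and SYSCALL records by serial and return the change_hat events that failed."""
    by_serial = defaultdict(dict)
    for record in join_wrapped(lines):
        parsed = parse_audit_record(record)
        if parsed is None:
            continue
        rtype, serial, fields = parsed
        by_serial[serial][rtype] = fields

    failures = []
    for serial, recs in sorted(by_serial.items()):
        avc = recs.get("AVC")
        if not avc or avc.get("operation") != "change_hat":
            continue
        syscall = recs.get("SYSCALL", {})
        # A failure is either an explicit denial (enforce mode) or a syscall
        # that did not succeed even though complain mode logged it as ALLOWED.
        if avc.get("apparmor") != "DENIED" and syscall.get("success") != "no":
            continue
        failures.append({
            "serial": serial,
            "mode": avc.get("apparmor"),      # ALLOWED = complain mode, DENIED = enforce mode
            "profile": avc.get("profile"),
            "target": avc.get("target"),
            "exit": syscall.get("exit"),      # "-2" is ENOENT: the hat could not be found
            "pid": avc.get("pid"),
        })
    return failures


def summarize(failures):
    """Count failures per (profile, target hat, mode) so the affected hat switch stands out."""
    return Counter((f["profile"], f["target"], f["mode"]) for f in failures)


if __name__ == "__main__":
    found = find_change_hat_failures(SAMPLE_AUDIT_LOG.splitlines())
    for (profile, target, mode), n in summarize(found).most_common():
        print(f"{n:4d}  {mode:8s} {profile} -> {target}")
```

Run against a real `/var/log/audit/audit.log` with `find_change_hat_failures(open(path))`; a high count for a single `profile -> target` pair in `ALLOWED` mode is exactly the complain-mode pattern described in the mail, while the same pair in `DENIED` mode means an enforce-mode system is actually losing the hat switch.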
