Hello,

I see lots of AppArmor change_hat failures (reported by the mod_apparmor apache module) which started when Evergreen got the 3.12 kernel. I also see this problem on 42.2, so I'd guess it is a problem with the SLE-based kernels.

In the apache error_log, I get tons of this message:

[Mon Aug 29 21:35:58.141373 2016] [apparmor:error] [pid 23452] (2) No such file or directory: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'

audit.log contains

type=AVC msg=audit(1472401978.320:161920): apparmor="ALLOWED" operation="change_hat" parent=2206 profile="/usr/sbin/httpd2-prefork" pid=4364 comm="httpd2-prefork" target="/usr/sbin/httpd2-prefork//HANDLING_UNTRUSTED_INPUT"
type=SYSCALL msg=audit(1472401978.320:161920): arch=c000003e syscall=1 success=no exit=-2 a0=8c a1=7fc9e2997710 a2=33 a3=fffffff9 items=0 ppid=2206 pid=4364 auid=4294967295 uid=30 gid=8 euid=30 suid=30 fsuid=30 egid=8 sgid=8 fsgid=8 tty=(none) ses=4294967295 comm="httpd2-prefork" exe="/usr/sbin/httpd2-prefork" key=(null)

The HANDLING_UNTRUSTED_INPUT hat is used when an apache process switches back from processing a request to idle (waiting for the next request). I didn't see similar failures for other hats, so it looks like it only affects switching from a vhost_whatever hat (which I configured for the virtual host) back to HANDLING_UNTRUSTED_INPUT.

Unfortunately, this also means the process switches into the main profile (instead of a hat), and later gets switched into a null-* profile which floods the audit.log.

Michal, do you know if there were AppArmor-related patches added between the previous 3.11 Evergreen kernel and the (AFAIK) SLE-based 3.12 kernel that could explain this problem?

Also note that I already found this error message back in 2008
http://marc.info/?l=apparmor-general&m=119992778825253&w=2
and, since then, didn't see it for a long time. Luckily, this time apache "only" switches to the main profile instead of going unconfined - but this is still not nice and probably causes serious problems for people who have their apache profile in enforce mode (I have it in complain mode to avoid annoying customers, and still have good monitoring and an inventory list of what each virtual host does.)

As usual, I can provide more details and/or a bug report if needed. I'll also discuss this with the other AppArmor developers, but knowing if there are possibly related patches (and ideally their filename) would help a lot ;-)

Regards,

Christian Boltz
-- 
Our Kasper in Usenet, hallowed be thy newsgroup, thy posting come, thy reply be done. As in Usenet, so in RL. Give us this day our daily newsfeed and forgive us our logic, as we forgive the logicians. For thine is the Usenet and the MID, on Deja.com. Amen [Peter Schlömer dateka 24.7.1999]