
apparmor-profile-everything breaks Qubes upgrading
Closed, Resolved (Public)

Description

sudo aa-status

user@host:~$ sudo journalctl -b | grep -i denied
Nov 23 14:35:26 host audit[1923]: AVC apparmor="DENIED" operation="link" info="link not subset of target" error=-13 profile="/usr/bin/apt-get" name="/usr/lib/security-misc/pam_tally2-info.dpkg-tmp" pid=1923 comm="dpkg" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/lib/security-misc/pam_tally2-info"
Nov 23 14:35:27 host audit[2198]: AVC apparmor="DENIED" operation="file_inherit" profile="/usr/lib/security-misc/permission-lockdown" name="/dev/pts/1" pid=2198 comm="permission-lock" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2198]: AVC apparmor="DENIED" operation="file_inherit" profile="/usr/lib/security-misc/permission-lockdown" name="/dev/pts/1" pid=2198 comm="permission-lock" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2198]: AVC apparmor="DENIED" operation="file_inherit" profile="/usr/lib/security-misc/permission-lockdown" name="/dev/pts/1" pid=2198 comm="permission-lock" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2198]: AVC apparmor="DENIED" operation="file_inherit" profile="/usr/lib/security-misc/permission-lockdown" name="/dev/pts/1" pid=2198 comm="permission-lock" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2207]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2207 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2207]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2207 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2207]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda3" pid=2207 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2207]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2207 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2207]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2207 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2207]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda3" pid=2207 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2212]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2212 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2212]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2212 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2212]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda3" pid=2212 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2212]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2212 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2212]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2212 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2212]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda3" pid=2212 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2217]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2217 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2217]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2217 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2217]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda3" pid=2217 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2217]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2217 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2217]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2217 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2217]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda3" pid=2217 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2247]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2247 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2247]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2247 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2247]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda3" pid=2247 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2247]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2247 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2247]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2247 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2247]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda3" pid=2247 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2251]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2251 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2251]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2251 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2251]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda3" pid=2251 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2251]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2251 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2251]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2251 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2251]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda3" pid=2251 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2255]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2255 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2255]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2255 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2255]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda3" pid=2255 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2255]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2255 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2255]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2255 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2255]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda3" pid=2255 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2259]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2259 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2259]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2259 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2259]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda3" pid=2259 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2259]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2259 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2259]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2259 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2259]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda3" pid=2259 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2309]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2309 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2309]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2309 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2309]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda3" pid=2309 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2309]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2309 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2309]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2309 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2309]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda3" pid=2309 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:28 host audit[2335]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2335 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:28 host audit[2335]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2335 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:28 host audit[2335]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda3" pid=2335 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:28 host audit[2335]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2335 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:28 host audit[2335]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2335 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:28 host audit[2335]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda3" pid=2335 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:28 host audit[2386]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2386 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:28 host audit[2386]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2386 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:28 host audit[2386]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda3" pid=2386 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:28 host audit[2386]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2386 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:28 host audit[2386]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2386 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:28 host audit[2386]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda3" pid=2386 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:28 host audit[2432]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2432 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:28 host audit[2432]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2432 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:28 host audit[2432]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda3" pid=2432 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:28 host audit[2432]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2432 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:28 host audit[2432]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2432 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:28 host audit[2432]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda3" pid=2432 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:29 host audit[2535]: AVC apparmor="DENIED" operation="capable" profile="/usr/bin/apt-get" pid=2535 comm="(sd-askpwagent)" capability=24 capname="sys_resource"
Nov 23 14:35:39 host audit[2980]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xen/gntalloc" pid=2980 comm="qrexec-client-v" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

Details

Impact
High

Event Timeline

Patrick triaged this task as Normal priority.Nov 23 2019, 4:16 PM
Patrick created this task.

Try adding:

owner /dev/xvda r,
owner /dev/xvda[0-9]* r,
owner /dev/xen/ r,
owner /dev/xen/* rw,
Patrick changed Impact from Needs Triage to High.
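A triage helper for this kind of journal, added here as an illustrative example (it is not part of the task or of the apparmor-profile-everything project): it parses the apparmor="DENIED" audit lines, collapses the per-pid repeats into distinct denials with a hit count, and drafts a profile line in the style of the comment above for the file and capability cases, leaving the dpkg link denial for manual review. The embedded sample is a subset of the log in the description.

```python
import re
from collections import Counter

# Subset of the denial lines from this task's description (a real run would feed the whole `journalctl -b | grep -i denied` output to summarize()).
SAMPLE_LOG = """\
Nov 23 14:35:26 host audit[1923]: AVC apparmor="DENIED" operation="link" info="link not subset of target" error=-13 profile="/usr/bin/apt-get" name="/usr/lib/security-misc/pam_tally2-info.dpkg-tmp" pid=1923 comm="dpkg" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/lib/security-misc/pam_tally2-info"
Nov 23 14:35:27 host audit[2198]: AVC apparmor="DENIED" operation="file_inherit" profile="/usr/lib/security-misc/permission-lockdown" name="/dev/pts/1" pid=2198 comm="permission-lock" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2207]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2207 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2207]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda3" pid=2207 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:27 host audit[2212]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xvda" pid=2212 comm="grub-probe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 23 14:35:29 host audit[2535]: AVC apparmor="DENIED" operation="capable" profile="/usr/bin/apt-get" pid=2535 comm="(sd-askpwagent)" capability=24 capname="sys_resource"
Nov 23 14:35:39 host audit[2980]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/apt-get" name="/dev/xen/gntalloc" pid=2980 comm="qrexec-client-v" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
"""

# key=value pairs: the value is double-quoted (may contain spaces) or a bare token
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the fields of one apparmor="DENIED" audit line as a dict, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}

def summarize(log_text):
    """Collapse the per-pid repeats into distinct denials with a hit count."""
    counts = Counter()
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d:  # capability denials carry capname instead of name/denied_mask
            counts[(d["profile"], d["operation"], d.get("comm", "?"),
                    d.get("name") or d.get("capname", "?"),
                    d.get("denied_mask", ""))] += 1
    return counts

def draft_rule(key):
    """Draft a line in the style of the comment above; None means a hand-written rule is needed."""
    _profile, op, _comm, name, mask = key
    if op == "capable":
        return "capability %s," % name
    if op in ("open", "file_inherit"):
        # canonical r,w,a,l,k,m,x order as aa-logprof prints it; unknown chars go last
        mask = "".join(sorted(set(mask), key=lambda c: ("rwalkmx" + c).index(c)))
        return "owner %s %s," % (name, mask)
    return None

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(n, "x", *key[:4], "->", draft_rule(key) or "(manual review)")
```

The drafted lines are only a starting point for review: the link denial ("link not subset of target") reports a permission mismatch between source and target paths, which no single file rule expresses.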