Thread: Cisco vpnclient, nscd and apparmor

  1. #1

    Cisco vpnclient, nscd and apparmor

    I'm having a weird problem with the proprietary Cisco VPN client (the OSS vpnc does not work well enough for me atm), nscd and apparmor.

    As soon as I start vpnclient, nscd gives these error messages in /var/log/messages:

    Code:
    Jul 23 10:27:43 linux-mvku nscd: 3026 invalid persistent database file "/var/run/nscd/services": Permission denied
    Jul 23 10:27:43 linux-mvku nscd: 3026 cannot write to database file /var/run/nscd/services: Permission denied

    Looking at /var/log/audit/audit.log:

    Code:
    type=APPARMOR_DENIED msg=audit(1216801663.532:12): operation="file_mmap" requested_mask="mrw::" denied_mask="m::" fsuid=0 name="/var/run/nscd/services" pid=3026 profile="/usr/sbin/nscd"
    type=APPARMOR_DENIED msg=audit(1216801663.604:13): operation="file_mmap" requested_mask="mrw::" denied_mask="m::" fsuid=0 name="/var/run/nscd/services" pid=3026 profile="/usr/sbin/nscd"

    As far as I understand these messages, apparmor prohibits nscd from mmapping these files with PROT_EXEC. But I have looked at the nscd source code, and PROT_EXEC is not used anywhere; it just mmaps these files in PROT_READ | PROT_WRITE mode...

    Any ideas what might be going on here?

    (This all happens on OpenSUSE 11.0 / 32bit with current updates.)
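
To read the two audit records from the first post field by field, the following added example (not part of the original thread) parses APPARMOR_DENIED lines and separates the permissions that were denied from those that were requested but not denied. The function names are illustrative, and dropping the `:` separators in the mask is a simplifying assumption about this log format.

```python
import re

# Permission letters as documented in apparmor.d(5).
PERMS = {"r": "read", "w": "write", "m": "mmap with PROT_EXEC"}

# The two audit records quoted in the first post of this thread.
SAMPLE = '''\
type=APPARMOR_DENIED msg=audit(1216801663.532:12): operation="file_mmap" requested_mask="mrw::" denied_mask="m::" fsuid=0 name="/var/run/nscd/services" pid=3026 profile="/usr/sbin/nscd"
type=APPARMOR_DENIED msg=audit(1216801663.604:13): operation="file_mmap" requested_mask="mrw::" denied_mask="m::" fsuid=0 name="/var/run/nscd/services" pid=3026 profile="/usr/sbin/nscd"
'''

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_record(line):
    """Return the key=value fields of one APPARMOR_DENIED record, or None."""
    if not line.startswith("type=APPARMOR_DENIED"):
        return None
    fields = {}
    for key, raw, quoted in FIELD.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def letters(mask):
    """Permission letters in a mask; ':' separators are dropped (assumption)."""
    return {c for c in mask if c != ":"}

def summarize(log_text):
    """Group denials by (profile, path, operation) and split requested from denied."""
    groups = {}
    for line in log_text.splitlines():
        rec = parse_record(line.strip())
        if rec is None:
            continue
        key = (rec.get("profile", "?"), rec.get("name", "?"), rec.get("operation", "?"))
        g = groups.setdefault(key, {"count": 0, "requested": set(), "denied": set()})
        g["count"] += 1
        g["requested"] |= letters(rec.get("requested_mask", ""))
        g["denied"] |= letters(rec.get("denied_mask", ""))
    return [
        {"profile": p, "path": n, "operation": o, "count": g["count"],
         "denied": sorted(g["denied"]), "not_denied": sorted(g["requested"] - g["denied"])}
        for (p, n, o), g in groups.items()
    ]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row, "| denied:", ", ".join(PERMS.get(c, c) for c in row["denied"]))
```

For these records the read and write parts of the request are not denied; only the `m` permission is.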

  2. #2

    Re: Cisco vpnclient, nscd and apparmor

    try updating the nscd apparmor profile

  3. #3

    Re: Cisco vpnclient, nscd and apparmor

    Originally posted by Rhaddamant:
        try updating the nscd apparmor profile

    Could you be more specific? The system is up to date, and the profile looks okay to me.

  4. #4

    Re: Cisco vpnclient, nscd and apparmor

    I meant for you to update the apparmor profile, not some packages

    yast -> apparmor -> control panel
    set nscd profile to complain

    run nscd and vpnclient for some time and try to execute every action you would in your normal work with vpnclient

    then yast -> apparmor -> update profile
    set the profile mode back to enforce and check if it runs ok
    may need to repeat the procedure a few times

  5. #5

    Re: Cisco vpnclient, nscd and apparmor

    As far as I understand you, you are basically telling me to configure apparmor to ignore these access violations and allow nscd to mmap these files with PROT_EXEC.

    To me it makes no sense to use PROT_EXEC on these files, and nscd does not seem to even try to do that! I've looked at the source code and it only mmaps them in PROT_READ|PROT_WRITE mode.

    I will set the nscd profile to complain for now though, to see if that has an effect on another issue I have with vpnclient.

    I would still really like to know how these reports can even occur in the first place.

  6. #6
    brko NNTP User

    Re: Cisco vpnclient, nscd and apparmor

    Did you solve this? It seems I have a similar problem, but my system freezes afterwards.
    Please check the bug:
    https://bugzilla.novell.com/show_bug.cgi?id=440858
