Cisco vpnclient, nscd and apparmor

chenz · July 23, 2008, 10:51am

I’m having a weird problem with the proprietary Cisco VPN client (the OSS vpnc does not work well enough for me atm), nscd and apparmor.

As soon as I start vpnclient, nscd gives these error messages in /var/log/messages:

Jul 23 10:27:43 linux-mvku nscd: 3026 invalid persistent database file "/var/run/nscd/services": Permission denied
Jul 23 10:27:43 linux-mvku nscd: 3026 cannot write to database file /var/run/nscd/services: Permission denied

Looking at /var/log/audit/audit.log:

type=APPARMOR_DENIED msg=audit(1216801663.532:12): operation="file_mmap" requested_mask="mrw::" denied_mask="m::" fsuid=0 name="/var/run/nscd/services" pid=3026 profile="/usr/sbin/nscd"
type=APPARMOR_DENIED msg=audit(1216801663.604:13): operation="file_mmap" requested_mask="mrw::" denied_mask="m::" fsuid=0 name="/var/run/nscd/services" pid=3026 profile="/usr/sbin/nscd"

As far as I understand these messages, apparmor prohibits nscd to mmap these files with PROT_EXEC. But I have looked at the nscd sourcecode, and PROT_EXEC is not used anywhere, it just mmaps these files in PROT_READ | PROT_WRITE mode…

Any ideas what might be going on here?

(This all happens on OpenSUSE 11.0 / 32bit with current updates.)

Rhaddamant · July 25, 2008, 9:28am

try updating the nscd apparmor profile

chenz · July 28, 2008, 1:55pm

Could you be more specific? The system is up to date, and the profile looks okay to me.

Rhaddamant · July 28, 2008, 2:59pm

i meant you to update apparmor profile not some packages

yast -> apparmor -> control panel
set nscd profile to complain

run nscd and vpnclient for some time and try to execute every action you would in your normal work with vpnclient

then yast -> apparmor -> update profile
set back profile mode to enforce and check if runs ok
may need to repeat procedure a few times

chenz · July 29, 2008, 10:53am

As far as I understand you, you are basically telling me to configure apparmor to ignore these access violations and allow nscd to mmap these files with PROT_EXEC.

To me it makes no sense to use PROT_EXEC on these files, and nscd does not seem to even try to do that! I’ve looked at the source code and it only mmaps them in PROT_READ|PROT_WRITE mode.

I will set the nscd profile to complain for now though, to see if that has an effect on another issue I have with vpnclient.

I would still really like to know how these reports can even occurr in the first place.

user · February 12, 2009, 11:43am

Did you solve this? It seems I have similar problem, but my system freezes afterwords.
Please check the bug:
https://bugzilla.novell.com/show_bug.cgi?id=440858