I’m having a weird problem with the proprietary Cisco VPN client (the OSS vpnc does not work well enough for me atm), nscd and apparmor.
As soon as I start vpnclient, nscd gives these error messages in /var/log/messages:
Jul 23 10:27:43 linux-mvku nscd: 3026 invalid persistent database file "/var/run/nscd/services": Permission denied
Jul 23 10:27:43 linux-mvku nscd: 3026 cannot write to database file /var/run/nscd/services: Permission denied
Looking at /var/log/audit/audit.log:
type=APPARMOR_DENIED msg=audit(1216801663.532:12): operation="file_mmap" requested_mask="mrw::" denied_mask="m::" fsuid=0 name="/var/run/nscd/services" pid=3026 profile="/usr/sbin/nscd"
type=APPARMOR_DENIED msg=audit(1216801663.604:13): operation="file_mmap" requested_mask="mrw::" denied_mask="m::" fsuid=0 name="/var/run/nscd/services" pid=3026 profile="/usr/sbin/nscd"
As far as I understand these messages, apparmor prohibits nscd from mmapping these files with PROT_EXEC. But I have looked at the nscd source code, and PROT_EXEC is not used anywhere; it just mmaps these files in PROT_READ | PROT_WRITE mode…
Any ideas what might be going on here?
(This all happens on OpenSUSE 11.0 / 32bit with current updates.)
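To read denials like the two quoted above mechanically, the following added example (not part of the original posts) parses APPARMOR_DENIED records and reports which of the requested permissions were refused. Treating the part of each mask before `::` as the owner permissions is an assumption about this log format, and the function names are hypothetical.

```python
import re
from collections import Counter

# AppArmor file-permission letters as documented in apparmor.d(5).
PERMS = {"r": "read", "w": "write", "a": "append", "l": "link",
         "k": "lock", "x": "execute", "m": "mmap with PROT_EXEC"}

# The two audit.log records quoted in the post above.
SAMPLE = """\
type=APPARMOR_DENIED msg=audit(1216801663.532:12): operation="file_mmap" requested_mask="mrw::" denied_mask="m::" fsuid=0 name="/var/run/nscd/services" pid=3026 profile="/usr/sbin/nscd"
type=APPARMOR_DENIED msg=audit(1216801663.604:13): operation="file_mmap" requested_mask="mrw::" denied_mask="m::" fsuid=0 name="/var/run/nscd/services" pid=3026 profile="/usr/sbin/nscd"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denial(line):
    """Return the key=value fields of an APPARMOR_DENIED record, else None."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    return fields if fields.get("type") == "APPARMOR_DENIED" else None

def owner_mask(mask):
    # Assumption: text before "::" is the owner mask, text after it is "other".
    return set(mask.split("::")[0])

def explain(fields):
    """Reduce one record to (profile, path, operation, denied, not denied)."""
    requested = owner_mask(fields.get("requested_mask", ""))
    denied = owner_mask(fields.get("denied_mask", ""))
    names = lambda s: tuple(sorted(PERMS.get(c, c) for c in s))
    return (fields.get("profile"), fields.get("name"), fields.get("operation"),
            names(denied), names(requested - denied))

def summarize(log_text):
    """Count identical denials so repeated records collapse into one finding."""
    records = (parse_denial(line) for line in log_text.splitlines())
    return Counter(explain(r) for r in records if r)

if __name__ == "__main__":
    for (profile, path, op, denied, rest), n in summarize(SAMPLE).items():
        print(f"{n}x {profile} {op} {path}: denied={denied} not denied={rest}")
```

For these two records only the `m` bit is refused, while read and write are not part of the denied mask.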
try updating the nscd apparmor profile
Could you be more specific? The system is up to date, and the profile looks okay to me.
I meant for you to update the apparmor profile, not some packages
yast -> apparmor -> control panel
set nscd profile to complain
run nscd and vpnclient for some time and try to execute every action you would in your normal work with vpnclient
then yast -> apparmor -> update profile
set the profile mode back to enforce and check if it runs ok
may need to repeat procedure a few times
As far as I understand you, you are basically telling me to configure apparmor to ignore these access violations and allow nscd to mmap these files with PROT_EXEC.
To me it makes no sense to use PROT_EXEC on these files, and nscd does not seem to even try to do that! I’ve looked at the source code and it only mmaps them in PROT_READ|PROT_WRITE mode.
I will set the nscd profile to complain for now though, to see if that has an effect on another issue I have with vpnclient.
I would still really like to know how these reports can even occur in the first place.
Did you solve this? It seems I have a similar problem, but my system freezes afterwards.
Please check the bug: