Zgrep AppArmor profile is missing permissions

Hello!
After upgrading from openSuse Leap 15.5 to openSuse Leap 15.6, I can now see an unexpected and new entry in the AppArmor log, when I execute sudo aa-logprof

Profil:      zgrep
Pfad:        /var/lib/nscd/passwd
Neuer Modus: owner r
Schweregrad: unbekannt

 [1 - include <abstractions/nameservice>]
  2 - owner /var/lib/nscd/passwd r, 
Erl(a)uben / [A(b)lehnen] / (I)gnorieren / (G)lob / Glob with (E)xtension / (N)eu / Audi(t) / Be(s)itzerberechtigungen aus / Abb(r)echen / En(d)e

I am pretty sure that zgrep does not need this access; I don’t see any additional relevant entries in journalctl, so this is not really a defect.
I am just wondering what process is using zgrep to access nameservices?

Hello and welcome to the openSUSE forums.
I have no idea about your problem, but a few hints about posting code next time.

When your system language is not English and you want to post in the English language part of the forums, please precede your command with LANG=C, in your case here:

LANG=C aa-logprof

And also please include the line with the prompt and the command that generates the output shown (and then there is no need for story telling like “when I execute …”), including all output and including the next prompt line (which then signals that this is the complete output).

Well, I am not sure that I am adding a lot of new information here, as I think my initial question contained all relevant information, but here is the output in your desired format:

xxx@ashes:~> su
ashes:/home/xxx # LANG=en_US.UTF-8
ashes:/home/xxx # LANGUAGE=en_US
ashes:/home/xxx # aa-logprof
Updating AppArmor profiles in /etc/apparmor.d.
Reading log entries from /var/log/audit/audit.log.
Complain-mode changes:
Enforce-mode changes:

Profile:  zgrep
Path:     /var/lib/nscd/passwd
New Mode: owner r
Severity: unknown

 [1 - include <abstractions/nameservice>]
  2 - owner /var/lib/nscd/passwd r, 
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish
ashes:/home/xxx # 

Please note that adding LANG=C does not change the output language in my terminal window. You need to set

ashes:/home/xxx # LANG=en_US.UTF-8
ashes:/home/xxx # LANGUAGE=en_US

Reread what Henk wrote. You need to prepend it to the command and not on a separate line…
Without LANG=C

ich@laptopneu:~> sudo aa-logproof
sudo: aa-logproof: Befehl nicht gefunden

With LANG=C

ich@laptopneu:~> LANG=C sudo aa-logproof
sudo: aa-logproof: command not found

Ok, here you go:

xxx@ashes:~> LANG=C sudo aa-logprof
[sudo] password for root: 
AppArmor-Profile in /etc/apparmor.d werden aktualisiert.
Protokolleinträge von /var/log/audit/audit.log werden gelesen.
Änderungen im complain-Modus
Änderungen im Erzwingen-Modus

Profil:      zgrep
Pfad:        /var/lib/nscd/passwd
Neuer Modus: owner r
Schweregrad: unbekannt

 [1 - include <abstractions/nameservice>]
  2 - owner /var/lib/nscd/passwd r, 
Erl(a)uben / [A(b)lehnen] / (I)gnorieren / (G)lob / Glob with (E)xtension / (N)eu / Audi(t) / Be(s)itzerberechtigungen aus / Abb(r)echen / En(d)e
xxx@ashes:~> 

As @hui says, you make it difficult for yourself (my opinion) by doing something different than I suggested.

Also note that I did not ask you to re-post what you already posted. As you are new here, I only informed you about the best way to post code in the future.
A welcome and a way to let you feel at home ASAP by telling you how we work efficiently. That is all that I tried to do.

Ok, I think your suggestion does not work:

ashes:/home/xxx # LANG=C aa-logprof
AppArmor-Profile in /etc/apparmor.d werden aktualisiert.
Protokolleinträge von /var/log/audit/audit.log werden gelesen.
Änderungen im complain-Modus
Änderungen im Erzwingen-Modus

Profil:      zgrep
Pfad:        /var/lib/nscd/passwd
Neuer Modus: owner r
Schweregrad: unbekannt

 [1 - include <abstractions/nameservice>]
  2 - owner /var/lib/nscd/passwd r, 
Erl(a)uben / [A(b)lehnen] / (I)gnorieren / (G)lob / Glob with (E)xtension / (N)eu / Audi(t) / Be(s)itzerberechtigungen aus / Abb(r)echen / En(d)e
ashes:/home/xxx # 

Strange, but I guess you are better helped when people concentrate on your problem.

@PragmaticProgrammer

A software developer would understand that system calls, or calls to other standard commands, can be executed within some program. So, to discover “what might be calling what”, we would use strace.

Here’s one example:

machine :~ # strace -s 2000 -o strace.log aa-logprof
Updating AppArmor profiles in /etc/apparmor.d.
Reading log entries from /var/log/audit/audit.log.
Complain-mode changes:
Enforce-mode changes:
machine :~ #

So, now you can use your favorite text editor to open up “strace.log” to browse around and check all the calls.

And if you notice the above output, aa-logprof output some text to the console. So, if you want that output to go to the “strace file”, so you can see each of the lines, and how they are being produced, you can do the following (and notice that we do not use the “-o filename” argument, but use redirection):

machine :~ # strace -s 2000 aa-logprof > strace2.out 2>&1

machine :~ # nano strace2.out
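To turn a strace log into the “what calls what” picture the post above is after, the lines worth looking at are the execve() calls. The script below is an added example, not something from the thread or from the strace project; it assumes strace was run with -f (follow forks) so that child processes appear with a pid prefix, and it works on a constructed excerpt embedded in the file rather than on a real log.

```python
import re

# Constructed strace excerpt (not real output from the poster's machine).
# Lines 2-4 carry the "[pid N]" prefix strace prints with -f on a terminal;
# "-o file" writes the bare pid instead, which the regex also accepts.
SAMPLE_STRACE = r'''
execve("/usr/sbin/aa-logprof", ["aa-logprof"], 0x7ffd12345678 /* 20 vars */) = 0
[pid  1234] execve("/bin/sh", ["sh", "-c", "zgrep -q foo /var/log/x.gz"], 0x55aa00112233 /* 20 vars */) = 0
[pid  1235] execve("/usr/bin/zgrep", ["zgrep", "-q", "foo", "/var/log/x.gz"], 0x55aa00445566 /* 20 vars */) = 0
[pid  1236] execve("/usr/bin/nosuch", ["nosuch"], 0x55aa00778899 /* 20 vars */) = -1 ENOENT (No such file or directory)
1237  execve("/usr/bin/grep", ["grep", "-q", "foo"], 0x55aa00aabbcc /* 20 vars */) = 0
'''

# Optional pid prefix, then execve(path, [argv], envp /* n vars */) = ret
EXECVE_RE = re.compile(
    r'^(?:\[pid\s+(\d+)\]\s*|(\d+)\s+)?'
    r'execve\("([^"]*)",\s*\[(.*?)\],\s*0x[0-9a-f]+\s*/\*\s*\d+ vars \*/\)'
    r'\s*=\s*(-?\d+)'
)
# Individual quoted argv entries; handles escaped quotes inside an argument.
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_execve(text):
    """Return one dict per execve() line: pid, path, argv and whether it succeeded."""
    calls = []
    for line in text.splitlines():
        m = EXECVE_RE.match(line.strip())
        if not m:
            continue  # not an execve line (other syscalls, signals, exit status)
        pid = m.group(1) or m.group(2)  # None for the traced parent itself
        calls.append({
            "pid": int(pid) if pid else None,
            "path": m.group(3),
            "argv": ARG_RE.findall(m.group(4)),
            "ok": int(m.group(5)) == 0,
        })
    return calls


def executions_of(text, program):
    """Successful execve() calls whose program name or argv mentions `program`.

    Shell wrappers ("sh -c '... zgrep ...'") are included, which is usually
    the hint needed to see which script or daemon spawned the command.
    """
    hits = []
    for call in parse_execve(text):
        if not call["ok"]:
            continue
        mentions = call["path"].endswith("/" + program) or any(
            program in arg for arg in call["argv"]
        )
        if mentions:
            hits.append(call)
    return hits


if __name__ == "__main__":
    for call in executions_of(SAMPLE_STRACE, "zgrep"):
        print(call["pid"], call["path"], " ".join(call["argv"]))
```

On a real run you would read the log with `open("strace.log").read()` instead of the constructed sample; the regex is deliberately strict about the `/* n vars */` envp placeholder that strace prints, so an incomplete or truncated line is skipped rather than mis-parsed.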

Thank you for your answer, but it is beside the point.

The problem is not what kind of syscalls aa-logprof is doing. aa-logprof is a tool to check AppArmor profile violations and is working fine, as far as I am concerned. When I call aa-logprof, it simply shows me the latest violations of existing AppArmor profiles, and zgrep is obviously constantly causing violations.

The real question is: why does zgrep constantly violate its default AppArmor profile? I cannot easily know it, because I don’t even know what kind of process, tool, daemon etc. is using zgrep all the time. I tried to grep all *.sh files to see where zgrep is used:

ashes:/ # find . -path "./mnt" -prune -o -name "*.sh" -type f -exec grep "zgrep" '{}' +
./usr/lib/dracut/modules.d/10i18n/module-setup.sh:                *.gz) CMD="zgrep" ;;
./usr/lib/dracut/modules.d/10i18n/module-setup.sh:                *.bz2) CMD="bzgrep" ;;
./usr/src/linux-5.14.21-150500.55.88/tools/testing/selftests/firmware/fw_lib.sh:                if zgrep -q $1 $PROC_CONFIG 2>/dev/null; then
./usr/src/linux-6.4.0-150600.23.30/tools/testing/selftests/firmware/fw_lib.sh:          if zgrep -q $1 $PROC_CONFIG 2>/dev/null; then

None of those scripts ring a bell…

@PragmaticProgrammer

Then obviously I misunderstood the issue you are having. My understanding was, “zgrep should not be called by the aa-logprof command”.

I did analyze my “strace2.out” file. There are 15 references to “zgrep”, so my interpretation is, there is a dependency.

However, on your system, the question is

So yes, I understand … I do not see this violation.

So, as there are no other replies, you might look for an AppArmor forum, or just do a global web search for the issue - folks using other distros may show the same issue.

Reboot, after reboot post the full output of

ausearch -m AVC -ts boot

Upload to https://paste.opensuse.org/ as it may be long.


Awesome, now we are getting somewhere:

ashes:/home/xxx # ausearch -m AVC -ts boot
----
time->Fri Jan  3 09:27:46 2025
type=PROCTITLE msg=audit(1735892866.263:74): proctitle=2F7573722F7362696E2F61766168692D6461656D6F6E002D73
type=SYSCALL msg=audit(1735892866.263:74): arch=c000003e syscall=47 success=yes exit=15 a0=4 a1=7ffde5f61f50 a2=40000000 a3=4000 items=0 ppid=1 pid=934 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="avahi-daemon" exe="/usr/sbin/avahi-daemon" subj=avahi-daemon key=(null)
type=AVC msg=audit(1735892866.263:74): apparmor="DENIED" operation="file_receive" class="file" info="Failed name lookup - disconnected path" error=-13 profile="avahi-daemon" name="var/lib/nscd/passwd" pid=934 comm="avahi-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
----
time->Fri Jan  3 09:27:46 2025
type=PROCTITLE msg=audit(1735892866.263:75): proctitle=2F7573722F7362696E2F61766168692D6461656D6F6E002D73
type=SYSCALL msg=audit(1735892866.263:75): arch=c000003e syscall=47 success=yes exit=14 a0=4 a1=7ffde5f61ae0 a2=40000000 a3=4000 items=0 ppid=1 pid=934 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="avahi-daemon" exe="/usr/sbin/avahi-daemon" subj=avahi-daemon key=(null)
type=AVC msg=audit(1735892866.263:75): apparmor="DENIED" operation="file_receive" class="file" info="Failed name lookup - disconnected path" error=-13 profile="avahi-daemon" name="var/lib/nscd/group" pid=934 comm="avahi-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
ashes:/home/xxx # 

Looks like avahi-daemon is using zgrep to access /var/lib/nscd/passwd which is then blocked by AppArmor.
I know too little about avahi-daemon to judge whether this makes sense or not…
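Reading the ausearch records by hand is error-prone because each event is spread over three lines (PROCTITLE, SYSCALL, AVC) tied together only by the `msg=audit(timestamp:serial)` id, and the `proctitle=` value is hex-encoded whenever the command line contained NUL separators. The following script is an added example (not from the thread, from openSUSE or from the audit project) that regroups the records by event id and prints, for every AppArmor denial, the confined `profile=`, the object `name=`, the denied mask and the decoded command line. The embedded input is the two records posted above, copied verbatim; everything else is an assumption of this example.

```python
import re
from collections import defaultdict

# The two ausearch records posted above, copied as-is (separators included).
SAMPLE_AUSEARCH = """\
----
time->Fri Jan  3 09:27:46 2025
type=PROCTITLE msg=audit(1735892866.263:74): proctitle=2F7573722F7362696E2F61766168692D6461656D6F6E002D73
type=SYSCALL msg=audit(1735892866.263:74): arch=c000003e syscall=47 success=yes exit=15 a0=4 a1=7ffde5f61f50 a2=40000000 a3=4000 items=0 ppid=1 pid=934 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="avahi-daemon" exe="/usr/sbin/avahi-daemon" subj=avahi-daemon key=(null)
type=AVC msg=audit(1735892866.263:74): apparmor="DENIED" operation="file_receive" class="file" info="Failed name lookup - disconnected path" error=-13 profile="avahi-daemon" name="var/lib/nscd/passwd" pid=934 comm="avahi-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
----
time->Fri Jan  3 09:27:46 2025
type=PROCTITLE msg=audit(1735892866.263:75): proctitle=2F7573722F7362696E2F61766168692D6461656D6F6E002D73
type=SYSCALL msg=audit(1735892866.263:75): arch=c000003e syscall=47 success=yes exit=14 a0=4 a1=7ffde5f61ae0 a2=40000000 a3=4000 items=0 ppid=1 pid=934 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="avahi-daemon" exe="/usr/sbin/avahi-daemon" subj=avahi-daemon key=(null)
type=AVC msg=audit(1735892866.263:75): apparmor="DENIED" operation="file_receive" class="file" info="Failed name lookup - disconnected path" error=-13 profile="avahi-daemon" name="var/lib/nscd/group" pid=934 comm="avahi-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value tokens: a quoted string (may contain spaces), a "(null)"-style
# parenthesised value, or a bare word.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\([^)]*\)|\S+)')
# Event id shared by all records of one event.
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')


def parse_fields(line):
    """Split one audit record into a dict, stripping the quotes of quoted values."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def decode_proctitle(value):
    """Hex-encoded proctitle -> command line; NUL separates the argv entries.

    A plain (already quoted) command line is returned unchanged.  A command
    line that happens to consist only of hex digits would be mis-decoded;
    that corner case is accepted here for brevity.
    """
    if not HEX_RE.match(value):
        return value
    raw = bytes.fromhex(value).rstrip(b"\0")
    return raw.decode("utf-8", "replace").replace("\0", " ")


def group_events(text):
    """Map (timestamp, serial) -> {record type: fields}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue  # "----" separators and "time->" lines carry no fields
        fields = parse_fields(line)
        events[(m.group(1), m.group(2))][fields["type"]] = fields
    return events


def apparmor_denials(text):
    """One summary dict per event whose AVC record is an AppArmor DENIED."""
    out = []
    ordered = sorted(group_events(text).items(),
                     key=lambda kv: (float(kv[0][0]), int(kv[0][1])))
    for (_ts, serial), recs in ordered:
        avc = recs.get("AVC")
        if not avc or avc.get("apparmor") != "DENIED":
            continue
        sc = recs.get("SYSCALL", {})
        pt = recs.get("PROCTITLE", {})
        out.append({
            "serial": int(serial),
            "profile": avc.get("profile"),       # the confined profile that was denied
            "operation": avc.get("operation"),
            "path": avc.get("name"),             # object the profile tried to reach
            "denied_mask": avc.get("denied_mask"),
            "info": avc.get("info"),
            "exe": sc.get("exe"),
            "cmdline": decode_proctitle(pt.get("proctitle", "")),
        })
    return out


if __name__ == "__main__":
    for d in apparmor_denials(SAMPLE_AUSEARCH):
        print(f'{d["serial"]}: profile={d["profile"]} {d["operation"]} '
              f'{d["path"]} denied={d["denied_mask"]} cmd="{d["cmdline"]}"')
```

For a live system, feed the script the output of `ausearch -m AVC -ts boot` (for example via `subprocess.run(..., capture_output=True)`) instead of the embedded sample; the `profile=` column is the one to compare against the profile name aa-logprof reports, since the AVC record, not aa-logprof's grouping, is the primary evidence of which confined program was denied.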

I de-installed the package “avahi”; now the violations are no longer showing.
