Ticket #1508 (closed task: duplicate)

Opened 7 years ago

Last modified 7 years ago

File OpenAFS bug about apparmor

Reported by: jdreed Owned by:
Priority: normal Milestone: The Distant Future
Component: -- Keywords:
Cc: Fixed in version:
Upstream bug:

Description

In some cases, apparmor is convinced that a user process is directly accessing the OpenAFS cache, and prior to debathena-apparmor-config 1.2.9, would deny it. apparmor's denial causes OpenAFS to think the fileserver went down, and then it immediately comes back up, but parts of the user's homedirectory still give weird ENOENT/EACCES errors until an fs flushv.

Jul  7 10:08:36 jdreed-vmware-4 kernel: [   94.060284] audit_printk_skb: 66 call
backs suppressed
Jul  7 10:08:36 jdreed-vmware-4 kernel: [   94.060287] type=1400 audit(1404752916.705:92): apparmor="DENIED" operation="file_perm" profile="/usr/bin/evince" name="/var/cache/openafs/D3/V7476" pid=3192 comm="evince" requested_mask="r" denied_mask="r" fsuid=7263 ouid=0
Jul  7 10:08:36 jdreed-vmware-4 kernel: [   94.060384] afs: Lost contact with file server 18.9.60.152 in cell athena.mit.edu (code -13) (all multi-homed ip addresses down for the server)
Jul  7 10:08:36 jdreed-vmware-4 kernel: [   94.060385] afs: Lost contact with file server 18.9.60.152 in cell athena.mit.edu (code -13) (all multi-homed ip addresses down for the server)
Jul  7 10:08:37 jdreed-vmware-4 kernel: [   95.064175] afs: failed to store file (network problems)
Jul  7 10:08:41 jdreed-vmware-4 kernel: [   98.855523] afs: file server 18.9.60.152 in cell athena.mit.edu is back up (code 0) (multi-homed address; other same-host interfaces may still be down)

Anders notes:

       OpenAFS should never be accessing /var/cache/openafs with the            
       credentials of a random user process.  However, there have been bugs     
       of that form before, and they tend to break SELinux and AppArmor.  We    
       should try to file it.

So somebody who understands AFS better than me and has free time should look into this and report the bug. This is consistently reproducible on stock Trusty, with login-graphical installed, and the stock upstream apparmor-config (which means uninstall apparmor-config, or use manual-config).

Change History

comment:1 Changed 7 years ago by jdreed

  • Status changed from new to closed
  • Resolution set to duplicate

Yeah, so, this is a dupe of #1370.

Note: See TracTickets for help on using tickets.