Ubuntu
openldap2.3 package

slapcat broken when default apparmor profile is enabled

Bug #203898 reported by Jamie Strandboge
2
Affects Status Importance Assigned to Milestone
openldap2.3 (Ubuntu)
Fix Released
Undecided
Jamie Strandboge

Bug Description

A simple 'sudo slapcat -l ./foo.ldif' results in this apparmor entry:

Mar 19 12:30:07 hardy-amd64-sec kernel: [ 0.000000] audit(1205929807.141:3): operation="inode_create" request_mask="w::" denied_mask="w::" name="/home/jamie/foo.ldif" pid=4384 profile="/usr/sbin/slapd" namespace="default"

The reason why is because slapcat is a symlink to slapd, and apparmor evaluates symlinks to the name of the file they point to. One solution might be to use hard links instead of symlinks.

As slapacl, slapadd, slapauth, slapdn, slapindex, slappasswd and slaptest are also symlinks, these are all likely broken as well.

Jamie Strandboge (jdstrand)
Changed in openldap2.3:
assignee: nobody → jamie-strandboge
status: New → Confirmed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Using hard links instead of symlinks is reasonable based on server/slapd.main.c:

static struct {
        char *name;
        MainFunc *func;
} tools[] = {
        {"slapadd", slapadd},
        {"slapcat", slapcat},
        {"slapdn", slapdn},
        {"slapindex", slapindex},
        {"slappasswd", slappasswd},
        {"slaptest", slaptest},
        {"slapauth", slapauth},
        {"slapacl", slapacl},
        /* NOTE: new tools must be added in chronological order,
         * not in alphabetical order, because for backwards
         * compatibility name[4] is used to identify the
         * tools; so name[4]=='a' must refer to "slapadd" and
         * not to "slapauth". Alphabetical order can be used
         * for tools whose name[4] is not used yet */
        {NULL, NULL}
};
...
        serverName = lutil_progname( "slapd", argc, argv );

        if ( strcmp( serverName, "slapd" ) ) {
                for (i=0; tools[i].name; i++) {
                        if ( !strcmp( serverName, tools[i].name ) ) {
                                rc = tools[i].func(argc, argv);
                                MAIN_RETURN(rc);
                        }
                }
        }
...

lutil_progname() simply grabs argv[0] and returns it. Based on the above, slapd doesn't care if they are hardlinks or symlinks.

Changed in openldap2.3:
status: Confirmed → Triaged
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Here is a suggested patch to debian/rules and debian/slapd.links that creates hard links instead of symlinks. Resulting patched binaries tested on hardy work as expected.

Changed in openldap2.3:
status: Triaged → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap2.3 - 2.4.7-6ubuntu2

---------------
openldap2.3 (2.4.7-6ubuntu2) hardy; urgency=low

  * apparmor-profile workaround for Launchpad #202161
  * follow ApparmorProfileMigration and force apparmor complain mode on some
    upgrades (LP: #203529)
    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
    - debian/slapd.dirs: add etc/apparmor.d/force-complain
    - debian/slapd.preinst: create symlink for force-complain/ on pre-feisty
      upgrades, upgrades where apparmor-profiles profile is unchanged (ie
      non-enforcing) and upgrades where apparmor profile does not exist
    - debian/slapd.postrm: remove symlink in force-complain/ on purge
  * debian/rules, debian/slapd.links: use hard links to slapd instead of
    symlinks for slap* so these applications aren't confined by apparmor
    (LP: #203898)

 -- Jamie Strandboge <email address hidden> Tue, 18 Mar 2008 13:53:23 -0400

Changed in openldap2.3:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.