
I'm trying to get AppArmor set up on my system and am having trouble getting past this permission denied error:

ping: error while loading shared libraries: libcap.so.2: cannot stat shared object: Permission denied

This is my policy for ping:

#include <tunables/global>

/{usr/,}bin/ping {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  # capabilities ping needs for raw ICMP sockets
  capability net_raw,
  capability setuid,
  #network inet raw,

  #network inet stream,
  network icmp,

  /bin/ping mixr,
  /etc/modules.conf r,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/bin.ping>

}

In complain mode, I don't get any logs "complaining" about loading the library. I only get it in enforce mode, and of course the ping program doesn't work. I get this error with the other profiles as well, so I'm wondering if my abstractions/base or tunables/global files are correct?

I'm running this on Funtoo (Gentoo) Linux.

Output from equery b libcap.so.2:

 * Searching for libcap.so.2 ... 
 sys-libs/libcap-2.25 (/usr/lib32/libcap.so.2 -> libcap.so.2.25)
 sys-libs/libcap-2.25 (/lib64/libcap.so.2 -> libcap.so.2.25)

I should also note that I have the same problem with syslog-ng. If the syslog policies are in enforce mode, syslog won't start and will complain that it cannot open libsyslog-ng-3.7.so.0.

Walter
  • Please update your question with the output from `equery b libcap.so.2`. If needed, please install `app-portage/gentoolkit`. – eyoung100 May 22 '16 at 04:24
  • Thanks, I do have that library installed and gentoolkit. I suppose my policy files are no good if it is giving me issues when trying to load libraries. I do see the path in the abstractions/base, so I don't know where else to look. – Walter May 22 '16 at 09:48
  • `ping` cannot be run without `sudo`. – eyoung100 May 22 '16 at 13:38
  • I am running it via sudo, so that isn't the problem. – Walter May 22 '16 at 20:07
  • Does it matter if my rootfs is squashfs and I'm using overlayfs with tmpfs for read-write operations? I don't seem to have any issues with that at present. – Walter May 22 '16 at 20:24
  • Don't quote me on this, but I think you're on the right path regarding your previous comment... IIRC to write with root privilege in tmpfs, you may need a sticky bit, i.e. 1777 instead of 0777, or 1640 etc. – eyoung100 May 23 '16 at 14:46
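The failures described above are the kind of thing the kernel's AppArmor audit lines explain: in enforce mode an access the profile does not cover is logged with apparmor="DENIED", and in complain mode the very same access is still logged, but with apparmor="ALLOWED". A profile that logs nothing at all in complain mode is therefore worth checking with `aa-status` to confirm it is loaded in that mode before looking at the abstractions. The helper below is an added example, not code from the question, the answer, or the AppArmor project: it reads audit lines, keeps the DENIED and ALLOWED events, and prints one candidate rule per profile and path with the requested permission bits merged (an `open` plus a `file_mmap` of a shared library becomes `mr`), plus one rule per denied capability. The sample lines are constructed to mirror the two error messages in the question; the paths, the `/usr/sbin/syslog-ng` profile name and the `syslog` capability are assumptions, not output captured from the poster's system.

```shell
#!/bin/sh
# Added example, not code from the original question or answer. It triages
# AppArmor audit lines the way a profile author does by hand: keep events the
# policy rejected (apparmor="DENIED") and events complain mode let through
# but logged (apparmor="ALLOWED"), then print candidate rules, one per
# profile and path with the permission bits merged, and one per capability.
# Feed it dmesg, /var/log/audit/audit.log, or the kernel lines from syslog.

# Constructed sample audit lines for this example. They are not captured
# from the poster's system; the paths, the syslog-ng profile name and the
# capability are assumptions. Real kernel lines carry a leading
# "audit: type=1400" prefix, which the key=value parser simply skips.
SAMPLE_LOG='type=AVC msg=audit(1463900000.001:101): apparmor="DENIED" operation="open" profile="/{usr/,}bin/ping" name="/lib64/libcap.so.2.25" pid=1234 comm="ping" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1463900000.002:102): apparmor="DENIED" operation="file_mmap" profile="/{usr/,}bin/ping" name="/lib64/libcap.so.2.25" pid=1234 comm="ping" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
type=AVC msg=audit(1463900000.003:103): apparmor="ALLOWED" operation="open" profile="/{usr/,}bin/ping" name="/proc/sys/net/ipv4/ping_group_range" pid=1235 comm="ping" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1463900000.004:104): apparmor="DENIED" operation="open" profile="/usr/sbin/syslog-ng" name="/usr/lib64/libsyslog-ng-3.7.so.0" pid=2001 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1463900000.005:105): apparmor="DENIED" operation="capable" profile="/usr/sbin/syslog-ng" pid=2001 comm="syslog-ng" capability=34  capname="syslog"'

# Read audit lines on stdin, print "<profile>: <rule>," lines sorted.
aa_missing_rules() {
    awk '
    # Parse the key="value" / key=value tokens of one audit line into arr.
    # Values in these lines contain no spaces; a path with spaces would
    # need a real quoted-field parser.
    function kv(line, arr,    n, i, parts, eq, k, v) {
        n = split(line, parts, " ")
        for (i = 1; i <= n; i++) {
            eq = index(parts[i], "=")
            if (eq == 0) continue
            k = substr(parts[i], 1, eq - 1)
            v = substr(parts[i], eq + 1)
            gsub(/"/, "", v)
            arr[k] = v
        }
    }
    {
        for (k in f) delete f[k]
        kv($0, f)
        # DENIED: enforce mode refused it. ALLOWED: complain mode let it
        # through, but the profile does not cover it. Both need a rule.
        if (f["apparmor"] != "DENIED" && f["apparmor"] != "ALLOWED") next
        if (f["operation"] == "capable" && f["capname"] != "")
            caps[f["profile"], f["capname"]] = 1
        else if (f["name"] != "" && f["denied_mask"] != "")
            masks[f["profile"], f["name"]] = masks[f["profile"], f["name"]] f["denied_mask"]
    }
    END {
        for (key in caps) {
            split(key, pr, SUBSEP)
            print pr[1] ": capability " pr[2] ","
        }
        # Emit permission letters in the order profiles conventionally use,
        # so open (r) + mmap (m) of a library comes out as "mr".
        split("m r w k l x", order, " ")
        for (key in masks) {
            split(key, pr, SUBSEP)
            m = ""
            for (i = 1; i <= 6; i++)
                if (index(masks[key], order[i]) > 0) m = m order[i]
            print pr[1] ": " pr[2] " " m ","
        }
    }' | LC_ALL=C sort
}

# Run the triage over the constructed sample and print the candidate rules.
aa_demo() {
    printf '%s\n' "$SAMPLE_LOG" | aa_missing_rules
}

aa_demo
```

On the sample, the ping profile gets `/lib64/libcap.so.2.25 mr,` (the two library events merged) and the syslog-ng profile gets the library read plus `capability syslog,`. The emitted paths are literal; before pasting a rule, compare it against what the shared abstractions already grant (for example the `/lib{,32,64}/**` patterns in abstractions/base) so the profile is not widened with a rule an abstraction was supposed to cover. AppArmor's own `aa-logprof` from apparmor-utils does this interactively on the real log.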

1 Answer


In SUSE 11 SP3, AppArmor doesn't give syslog-ng the file permission to read. Edit the /etc/apparmor.d/sbin.syslog-ng file and add the permission.

Restart AppArmor:

service boot.apparmor restart

Restart syslog-ng:

service syslog restart
Thomas