apparmor gets killed during change_hat operation

This document (7010509) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 11 Service Pack 2

Situation

A customer created a simple role based access control with Apparmor on SLES11SP1.
This worked fine, but broke after updating the system to SLES11SP2.

Excerpt from audit log:

type=AVC msg=audit(1339184509.487:79554): apparmor="KILLED" operation="change_hat"....

Resolution

Remove all entries for pam_apparmor.so from the files in /etc/pam.d/

after that, run:

pam-config -a --apparmor

This correctly configures pam to make use of apparmor.

Cause

pam_apparmor configuration changed in between SP1 and SP2

On SP1 it's necessary to configure pam manually. See /usr/share/doc/packages/pam_apparmor/README for details.

However, this is errorprone and breaks the pam configuration if the pam_apparmor rpm package is deinstalled without removing the added lines from the pam config files.

Decision was made to configure pam_apparmor on SP2 automatically to be able to remove the configuration while deinstallation of the rpm package.

Additional Information

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.