[apparmor] [Bug 732837] [NEW] AF_TIPC not supported by parser when it is in the kernel
Jamie Strandboge
jamie at ubuntu.com
Thu Mar 10 20:35:59 UTC 2011
Public bug reported:

If in python I do something like:

  s = socket.socket(socket.AF_TIPC, socket.SOCK_RDM, 0)

I see this in the audit log:

  type=AVC msg=audit(1299788719.107:159859): apparmor="DENIED" operation="create" parent=17142 profile="/home/jamie/tmp/test-net.py" pid=17143 comm="test-net.py" family="tipc" sock_type="rdm" protocol=0

If I then try to add rules for this in my profile:

  network tipc,
  network rdm,

I get:

  $ sudo apparmor_parser -r -T -W /etc/apparmor.d/home.jamie.tmp.test-net.py
  AppArmor parser error for /etc/apparmor.d/home.jamie.tmp.test-net.py in /etc/apparmor.d/home.jamie.tmp.test-net.py at line 39: Invalid network entry.

Leaving out the 'network tipc,' rule, but leaving 'rdm', the parser is ok, but I still get denials:

  type=AVC msg=audit(1299789277.284:159863): apparmor="DENIED" operation="create" parent=17339 profile="/home/jamie/tmp/test-net.py" pid=17340 comm="test-net.py" family="tipc" sock_type="rdm" protocol=0

** Affects: apparmor
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of AppArmor
Developers, which is the registrant for AppArmor.
https://bugs.launchpad.net/bugs/732837
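
An added example, not part of the original report or of AppArmor's own tooling: a Python script that parses audit records in the format quoted in the report and counts denied socket creations per profile, address family and socket type, which shows at a glance which family a profile is being denied. The function names are hypothetical, and the last two sample lines are constructed to exercise the filters.

```python
import re
from collections import Counter

# Sample input: the two records quoted in the report, followed by two
# constructed lines (an ALLOWED record and a non-AVC record).
SAMPLE_LOG = '''\
type=AVC msg=audit(1299788719.107:159859): apparmor="DENIED" operation="create" parent=17142 profile="/home/jamie/tmp/test-net.py" pid=17143 comm="test-net.py" family="tipc" sock_type="rdm" protocol=0
type=AVC msg=audit(1299789277.284:159863): apparmor="DENIED" operation="create" parent=17339 profile="/home/jamie/tmp/test-net.py" pid=17340 comm="test-net.py" family="tipc" sock_type="rdm" protocol=0
type=AVC msg=audit(1299789300.000:159870): apparmor="ALLOWED" operation="create" parent=17400 profile="/usr/bin/example" pid=17401 comm="example" family="inet" sock_type="stream" protocol=6
type=SYSCALL msg=audit(1299789301.000:159871): arch=c000003e syscall=41 success=no
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # key="quoted" or key=bare


def parse_record(line):
    """Return one audit record as a dict, or None if the line is not one."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    for key, val in FIELD.findall(m.group(4)):
        quoted = len(val) >= 2 and val[0] == val[-1] == '"'
        rec[key] = val[1:-1] if quoted else val
    return rec


def denied_socket_creates(log_text):
    """Count DENIED socket creations per (profile, family, sock_type)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if (rec and rec["type"] == "AVC"
                and rec.get("apparmor") == "DENIED"
                and rec.get("operation") == "create"
                and "family" in rec):
            key = (rec.get("profile", "?"), rec["family"], rec.get("sock_type", "?"))
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for (profile, family, sock_type), n in sorted(denied_socket_creates(SAMPLE_LOG).items()):
        print(f"{n} denial(s): profile={profile} family={family} sock_type={sock_type}")
```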