[apparmor] trouble confining sshd
john.johansen at canonical.com
Tue Mar 29 11:08:59 UTC 2011
On 03/29/2011 04:02 AM, Seth Arnold wrote:
> On Tue, Mar 29, 2011 at 3:38 AM, John Johansen
> <john.johansen at canonical.com> wrote:
>>> Is complain mode expected to work?
>> Yes, it should.
>> Seth, can you enable debug:
>> echo 1 > /sys/module/apparmor/parameters/debug
> The strangest looking thing in the log is the length of a profile name:
That is an absolutely hideous profile name. What is happening is we are getting a level of nesting for each
So sshd execs something that it doesn't have a rule for, so the profile /usr/sbin/sshd//null-1d9 is created,
then the process confined by /usr/sbin/sshd//null-1d9 execs something, getting a new profile
Can you send me your log file to look at?
> But I couldn't find any messages that weren't ALLOW messages. So I'm
> confused. I hope you've got
Well, debug won't output allow messages, but it will output some more info for some potential failures that
won't get logged, like scrubbing environment variables.
> a better crystal ball than I do. :)
No crystal ball, but the source code, a compiler and a real dislike for bugs.
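The nesting John describes (sshd execs something unconfined, gets a learning profile /usr/sbin/sshd//null-NNN, and every further exec from that process appends another //null-NNN segment) can be measured directly from the audit log. The script below is an added example, not code from the thread or from the AppArmor project: it pulls every profile= field out of AppArmor log lines, counts the //null- segments in each, and lists the deepest chains first so the missing exec rules are easy to spot. The three sample lines are constructed for illustration (the exact field layout of a real line depends on the kernel version), and the enable_apparmor_debug helper simply writes the value from the thread to the sysfs parameter if it is writable.

```shell
#!/bin/sh
# Added example (not from the list thread): measure nesting depth of
# AppArmor "null-" learning profiles in audit log lines.

# Enable AppArmor debug output, as suggested in the thread (requires root).
enable_apparmor_debug() {
    p=/sys/module/apparmor/parameters/debug
    [ -w "$p" ] && echo 1 > "$p"
}

# Depth of null-profile nesting in a profile name: number of "//null-" segments.
# "/usr/sbin/sshd" -> 0, "/usr/sbin/sshd//null-1d9//null-1da" -> 2
null_depth() {
    printf '%s\n' "$1" | awk -F'//null-' '{ print NF - 1 }'
}

# Read log lines on stdin, extract the profile="..." field from each, and print
# "<depth> <profile>" for every distinct profile, deepest first.
report_null_profiles() {
    sed -n 's/.*profile="\([^"]*\)".*/\1/p' | sort -u | while read -r prof; do
        printf '%s %s\n' "$(null_depth "$prof")" "$prof"
    done | sort -rn
}

# Constructed sample lines (illustrative, not taken from the thread). Real lines
# come from /var/log/kern.log, /var/log/audit/audit.log or dmesg.
SAMPLE_LOG='type=AVC msg=audit(1301396000.123:45): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/sshd" name="/bin/bash" pid=1234 comm="sshd" target="/usr/sbin/sshd//null-1d9"
type=AVC msg=audit(1301396001.456:46): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/sshd//null-1d9" name="/usr/bin/id" pid=1235 comm="bash" target="/usr/sbin/sshd//null-1d9//null-1da"
type=AVC msg=audit(1301396002.789:47): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sshd//null-1d9//null-1da" name="/etc/passwd" pid=1235 comm="id"'

# Usage: run against the constructed sample, or pipe a real log through it:
#   grep apparmor= /var/log/kern.log | report_null_profiles
printf '%s\n' "$SAMPLE_LOG" | report_null_profiles
```

A depth greater than one means a process already running under a learning profile execd again without a matching rule; the profile= field of that line names the learning profile and the name= field names the binary the real profile needs an exec rule for.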