[apparmor] trouble confining sshd

John Johansen john.johansen at canonical.com
Tue Mar 29 11:08:59 UTC 2011


On 03/29/2011 04:02 AM, Seth Arnold wrote:
> On Tue, Mar 29, 2011 at 3:38 AM, John Johansen
> <john.johansen at canonical.com> wrote:
>>> Is complain mode expected to work?
>> yes it should
>> seth can you enable debug
>>  echo 1 > /sys/module/apparmor/parameters/debug
> 
> The strangest looking thing in the log is the length of a profile name:
> profile="/usr/sbin/sshd//null-1d9//null-1da//null-1e1//null-1e2//null-1e3//null-1e5//null-1e6//null-1e7"
> 
That is an absolutely hideous profile name. What is happening is we are getting a level of nesting for each exec.
So sshd execs something that it doesn't have a rule for, so profile /usr/sbin/sshd//null-1d9 is created;
then the process confined by /usr/sbin/sshd//null-1d9 execs something, getting a new profile
/usr/sbin/sshd//null-1d9//null-1da

can you send me your log file to look at?

> But I couldn't find any messages that weren't ALLOW messages. So I'm
> confused. I hope you've got
Well, debug won't output allow messages, but it will output some more info for some potential failures that
won't get logged, like scrubbing environment variables.

> a better crystal ball than I do. :)
> 
No crystal ball, but the source code, a compiler and a real dislike for bugs.
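As an added example (not code from the thread or from the AppArmor project), a small Python helper that pulls the `profile="..."` value out of audit lines like the one Seth quoted, splits the `//`-separated chain, and reports how many nested `null-*` learning profiles it contains, i.e. how many successive execs without an exec rule happened. The log lines embedded in it are constructed.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample audit lines (not from the original thread). The second
# line reuses the nested profile name quoted in the message above.
SAMPLE_LOG = """\
type=AVC apparmor="ALLOWED" operation="exec" profile="/usr/sbin/sshd" name="/usr/bin/foo" pid=2 comm="sshd"
type=AVC apparmor="ALLOWED" operation="exec" profile="/usr/sbin/sshd//null-1d9//null-1da//null-1e1//null-1e2//null-1e3//null-1e5//null-1e6//null-1e7" name="/bin/bar" pid=3 comm="foo"
type=AVC apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/etc/shadow" pid=4 comm="sshd"
"""

PROFILE_RE = re.compile(r'profile="([^"]*)"')
# Learning-mode child profiles are named null-<id>; the id format is an
# assumption here (the thread shows hex-looking values such as 1d9).
NULL_RE = re.compile(r'^null-\w+$')


def split_profile(name: str) -> Tuple[str, List[str]]:
    """Split 'base//null-a//null-b' into ('base', ['null-a', 'null-b'])."""
    parts = name.split("//")
    return parts[0], parts[1:]


def null_depth(name: str) -> int:
    """Count nested null-* profiles; each one is an exec that had no rule."""
    _, chain = split_profile(name)
    return sum(1 for part in chain if NULL_RE.match(part))


def deepest_profile(log: str) -> Optional[Tuple[str, int]]:
    """Return (profile name, null depth) for the most nested profile seen."""
    best: Optional[Tuple[str, int]] = None
    for line in log.splitlines():
        match = PROFILE_RE.search(line)
        if not match:
            continue
        depth = null_depth(match.group(1))
        if best is None or depth > best[1]:
            best = (match.group(1), depth)
    return best


if __name__ == "__main__":
    name, depth = deepest_profile(SAMPLE_LOG)
    print(f"deepest chain: {depth} nested null profiles under {split_profile(name)[0]}")
```

A depth well above one usually means the first exec target itself needs a profile or an exec rule, rather than the whole chain being learned under sshd.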



More information about the AppArmor mailing list