[apparmor] Logging of actions that are already denied by the filesystem
apparmor at cboltz.de
Thu Mar 31 21:38:31 UTC 2011
Am Donnerstag, 31. März 2011 schrieb John Johansen:
> On 03/31/2011 11:06 AM, Christian Boltz wrote:
> > Amavisd tries to rename /etc/amavisd.conf to *.moved at startup to
> > check if dropping privileges worked.
> > Amavisd runs as user "vscan" at this point
> > Nevertheless, I see in the audit.log:
> > IIRC older AppArmor versions (for example on openSUSE 11.1 - which
> > interestingly also has AppArmor 2.3...) only logged actions that
> > were permitted by the filesystem. Did this change or did I find a
> > bug? ;-)
> Sadly it changed. AppArmor 2.3 used a different set of hooks
> (patched the existing inode hooks), but upstream accepted a new set
> of path hooks, that are inserted at different points.
Hmm, openSUSE 11.1 and 11.3 both use AppArmor 2.3 - is there really such
a big difference? (The kernel version of course differs.)
> It is now inconsistent as to whether the DAC check or MAC check comes
> first for some hooks DAC for others using the path hooks MAC. There
> was effort to fix this but it didn't get in.
Sounds very interesting[tm].
I hope someone still tries to get this fixed ;-)
> > (Needless to say that I have a "deny /etc/amavisd.conf* w" rule in
> > the meantime to silence the logging...)
> yep, its unfortunate but we have to live with it
Does this also happen with AppArmor 2.5? (Until now, I don't have a
server with 2.5 running, therefore it isn't easy to test for me.)
> > If something in this mail is unclear, I can re-test it. Just notice
> > that the above information is recycled from a (non-public) bug
> > report that was sleeping for some weeks...
> ah, sorry to hear that. I can put together a more detailed report if
> needed with links to the lkml discussions.
Your short summary is enough :-) - better invest the time to get this
fixed in the kernel... (Now you can at least add a paragraph "We already
get complaints from confused users." ;-)
hm. I've lost a machine.. literally _lost_. it responds to ping, it
works completely, I just can't figure out where in my apartment it is.
More information about the AppArmor