[apparmor] Logging of actions that are already denied by the filesystem

Christian Boltz apparmor at cboltz.de
Thu Mar 31 21:38:31 UTC 2011


Am Donnerstag, 31. März 2011 schrieb John Johansen:
> On 03/31/2011 11:06 AM, Christian Boltz wrote:
> > Amavisd tries to rename /etc/amavisd.conf to *.moved at startup to
> > check if dropping privileges worked.
> > Amavisd runs as user "vscan" at this point 

> > Nevertheless, I see in the audit.log:
> > IIRC older AppArmor versions (for example on openSUSE 11.1 - which
> > interestingly also has AppArmor 2.3...) only logged actions that
> > were permitted by the filesystem. Did this change or did I find a
> > bug? ;-)
> Sadly it changed.  AppArmor 2.3 used a different set of hooks
> (patched the existing inode hooks), but upstream accepted a new set
> of path hooks, that are inserted at different points.

Hmm, openSUSE 11.1 and 11.3 both use AppArmor 2.3 - is there really such 
a big difference? (The kernel version of course differs.)

> It is now inconsistent as to whether the DAC check or MAC check comes
> first for some hooks DAC for others using the path hooks MAC.  There
> was effort to fix this but it didn't get in.

Sounds very interesting[tm]. 
I hope someone still tries to get this fixed ;-)

> > (Needless to say that I have a "deny /etc/amavisd.conf* w" rule in
> > the meantime to silence the logging...)
> yep, its unfortunate but we have to live with it

Does this also happen with AppArmor 2.5? (Until now, I don't have a 
server with 2.5 running, therefore it isn't easy to test for me.)

> > If something in this mail is unclear, I can re-test it. Just notice
> > that the above information is recycled from a (non-public) bug
> > report that was sleeping for some weeks...
> ah, sorry to hear that.  I can put together a more detailed report if
> needed with links to the lkml discussions.

Your short summary is enough :-) - better invest the time to get this 
fixed in the kernel... (Now you can at least add a paragraph "We already 
get complaints from confused users." ;-)


Christian Boltz
hm. I've lost a machine.. literally _lost_. it responds to ping, it
works completely, I just can't figure out where in my apartment it is.

More information about the AppArmor mailing list