[apparmor] [Bug 974616] [NEW] mod_apparmor: no error message when requesting non-existing hat

Christian Boltz 974616 at bugs.launchpad.net
Thu Apr 5 20:23:18 UTC 2012


Public bug reported:

- AppArmor 2.7.2 on openSUSE 12.1
- httpd2-prefork profile in complain mode
- using mod_apparmor with one hat per vhost (specified with AADefaultHatName)

mod_apparmor doesn't print/log any error message if the hat specified
with AADefaultHatName does not exist. Instead, I get tons of audit.log
entries for the DEFAULT_URI hat, for example

type=AVC msg=audit(1333446842.790:303110): apparmor="ALLOWED"
operation="file_perm" parent=13357
profile="/usr/sbin/httpd2-prefork//DEFAULT_URI"
name="/home/www/example.com/statistics/logs/access_log" pid=21888
comm="httpd2-prefork" requested_mask="w" denied_mask="w" fsuid=30 ouid=0

Expected behaviour:
Write some error message to audit.log or the apache error log if the hat specified in AADefaultHatName does not exist.

It would be even better if an audit.log entry would be written so that
logprof can propose to create the missing hat.

** Affects: apparmor
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of AppArmor
Developers, which is the registrant for AppArmor.
https://bugs.launchpad.net/bugs/974616
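
The mismatch this report describes can be checked from outside mod_apparmor. The following is an added example, not part of the bug report or of AppArmor's own code: it compares AADefaultHatName values in Apache configuration text against the hats declared in the profile text, and counts audit events that landed in a DEFAULT_URI hat. The vhost config, profile, hat names and the second audit line are constructed; it assumes all hats are declared as `^name {` or `hat name {` in the text passed in (hats pulled in through include files are not followed).

```python
import re
from collections import Counter

# Constructed sample vhost config; hat names are hypothetical.
APACHE_CONF = """\
<VirtualHost *:80>
    ServerName example.com
    AADefaultHatName vhost_example_com
</VirtualHost>
<VirtualHost *:80>
    ServerName example.org
    AADefaultHatName vhost_example_org
</VirtualHost>
"""

# Constructed sample profile: only one of the two vhost hats is declared.
PROFILE = """\
/usr/sbin/httpd2-prefork flags=(complain) {
  ^DEFAULT_URI {
  }
  ^vhost_example_org {
  }
}
"""

# First line: the report's audit entry joined onto one line. Second: constructed.
AUDIT_LOG = [
    'type=AVC msg=audit(1333446842.790:303110): apparmor="ALLOWED" operation="file_perm" parent=13357 profile="/usr/sbin/httpd2-prefork//DEFAULT_URI" name="/home/www/example.com/statistics/logs/access_log" pid=21888 comm="httpd2-prefork" requested_mask="w" denied_mask="w" fsuid=30 ouid=0',
    'type=AVC msg=audit(1333446850.100:303111): apparmor="ALLOWED" operation="open" parent=13357 profile="/usr/sbin/httpd2-prefork//vhost_example_org" name="/home/www/example.org/index.html" pid=21889 comm="httpd2-prefork" requested_mask="r" denied_mask="r" fsuid=30 ouid=0',
]

HAT_DIRECTIVE = re.compile(r'^\s*AADefaultHatName\s+"?([^\s"]+)"?', re.I | re.M)
HAT_DECL = re.compile(r'^\s*(?:\^|hat\s+)"?([^\s"{]+)"?[^{\n]*\{', re.M)
FALLBACK = re.compile(r'apparmor="(?:ALLOWED|DENIED)".*profile="([^"]+)//DEFAULT_URI"')

def missing_hats(conf, profile):
    """Hats named by AADefaultHatName that the profile text never declares."""
    wanted = set(HAT_DIRECTIVE.findall(conf))
    declared = set(HAT_DECL.findall(profile))
    return sorted(wanted - declared)

def default_uri_events(lines):
    """Count audit events confined by a DEFAULT_URI hat, per parent profile."""
    hits = (FALLBACK.search(line) for line in lines)
    return dict(Counter(m.group(1) for m in hits if m))

if __name__ == "__main__":
    print("missing hats:", missing_hats(APACHE_CONF, PROFILE))
    print("DEFAULT_URI events:", default_uri_events(AUDIT_LOG))
```

A non-empty `missing_hats` result together with a rising DEFAULT_URI count for the same parent profile matches the symptom in the report.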
