[apparmor] issue with aa_change_profile when already in complain mode
Jeroen Ooms
jeroen.ooms at stat.ucla.edu
Tue Jul 17 19:17:25 UTC 2012
On Tue, Jul 17, 2012 at 9:10 PM, John Johansen
<john.johansen at canonical.com> wrote:
> the logs look correct, it will record that change_profile was targeting
> doesnotexist even if a learning profile is being created. I don't see any
> failures/errors reported with the log so apparmor thinks it completed the
> transition correctly.
>
It didn't... here is some more log:
jeroen at jeroen-Ubuntu:/etc/apparmor.d$ sudo tail -f -n0 /var/log/kern.log
Jul 17 21:11:53 jeroen-Ubuntu kernel: [37530.763909] type=1400
audit(1342552313.246:690): apparmor="ALLOWED" operation="open" parent=9716
profile="/usr/bin/R" name="/proc/21822/attr/current" pid=21822 comm="R"
requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jul 17 21:11:53 jeroen-Ubuntu kernel: [37530.763921] type=1400
audit(1342552313.246:691): apparmor="ALLOWED" operation="change_profile"
parent=9716 profile="/usr/bin/R" pid=21822 comm="R" target="doesnotexist"
Jul 17 21:11:59 jeroen-Ubuntu kernel: [37537.235849] type=1400
audit(1342552319.718:692): apparmor="ALLOWED" operation="open" parent=9716
profile="/usr/bin/R" name="/proc/21822/attr/current" pid=21822 comm="R"
requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jul 17 21:11:59 jeroen-Ubuntu kernel: [37537.235863] type=1400
audit(1342552319.718:693): apparmor="ALLOWED" operation="change_profile"
parent=9716 profile="/usr/bin/R" pid=21822 comm="R" target="r-base"
Jul 17 21:12:08 jeroen-Ubuntu kernel: [37545.948146] type=1400
audit(1342552328.434:694): apparmor="ALLOWED" operation="open" parent=9716
profile="/usr/bin/R" name="/proc/21822/attr/current" pid=21822 comm="R"
requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jul 17 21:12:08 jeroen-Ubuntu kernel: [37545.948158] type=1400
audit(1342552328.434:695): apparmor="ALLOWED" operation="change_profile"
parent=9716 profile="/usr/bin/R" pid=21822 comm="R" target="r-compile"
> I need to see more log messages to know what is happening. One question
> that comes to mind is which change_profile api are you using?
>
I am using aa_change_profile.
What exactly is the expected behavior when I change from a profile in
complain mode to another profile (which does not have a complain flag)?
Should it switch to the new profile in enforce mode or complain mode?
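A check that can be run over the kernel log above, added here as an example and not part of the original message: for each change_profile record it looks at the next record from the same pid and reports which profile label that record was logged under. The function names and outcome labels are hypothetical; the sample is the log from the message with each record unwrapped onto one line.

```python
import re

# The six records from the log in the message, each unwrapped onto one line
# and cut down to the audit(...) part.
SAMPLE = """\
audit(1342552313.246:690): apparmor="ALLOWED" operation="open" parent=9716 profile="/usr/bin/R" name="/proc/21822/attr/current" pid=21822 comm="R" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
audit(1342552313.246:691): apparmor="ALLOWED" operation="change_profile" parent=9716 profile="/usr/bin/R" pid=21822 comm="R" target="doesnotexist"
audit(1342552319.718:692): apparmor="ALLOWED" operation="open" parent=9716 profile="/usr/bin/R" name="/proc/21822/attr/current" pid=21822 comm="R" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
audit(1342552319.718:693): apparmor="ALLOWED" operation="change_profile" parent=9716 profile="/usr/bin/R" pid=21822 comm="R" target="r-base"
audit(1342552328.434:694): apparmor="ALLOWED" operation="open" parent=9716 profile="/usr/bin/R" name="/proc/21822/attr/current" pid=21822 comm="R" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
audit(1342552328.434:695): apparmor="ALLOWED" operation="change_profile" parent=9716 profile="/usr/bin/R" pid=21822 comm="R" target="r-compile"
"""

STAMP = re.compile(r'audit\(\d+\.\d+:(\d+)\)')
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """One AppArmor audit record as a dict, or None for any other line."""
    stamp = STAMP.search(line)
    if not stamp or 'apparmor=' not in line:
        return None
    rec = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
    rec['serial'] = int(stamp.group(1))
    return rec

def transitions(log_text):
    """(target, verdict, outcome) for every change_profile record."""
    records = sorted(filter(None, map(parse, log_text.splitlines())),
                     key=lambda r: r['serial'])
    results = []
    for i, rec in enumerate(records):
        if rec.get('operation') != 'change_profile':
            continue
        # Label in effect afterwards = profile on the next record of that pid.
        later = next((r for r in records[i + 1:]
                      if r.get('pid') == rec.get('pid')), None)
        if later is None:
            outcome = 'no-later-record'
        elif later.get('profile') == rec.get('target'):
            outcome = 'switched'
        elif later.get('profile') == rec.get('profile'):
            outcome = 'unchanged'
        else:
            outcome = 'other-label'
        results.append((rec.get('target'), rec.get('apparmor'), outcome))
    return results

if __name__ == '__main__':
    for row in transitions(SAMPLE):
        print(row)
```

On this log the first two requests are followed by a record still logged under profile="/usr/bin/R", and the third has no later record to compare against.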