[apparmor] Apache mod_apparmor problem
azurIt
azurit at pobox.sk
Wed Aug 7 18:01:06 UTC 2013
>On 08/07/2013 05:29 AM, azurIt wrote:
>> Hi,
>>
>> I'm trying to use mod_apparmor in Apache but every request is creating a new profile inside the kernel, which looks like this:
>> /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1001
>> /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1003
>> /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1005
>> /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1007
>> /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1009
>>
>> and so on. There are TONS of such profiles after a few weeks of running:
>> 42775 profiles are in complain mode.
>>
>> Am I doing something wrong?
>>
>your profile is in complain mode and it is not finding the requested
>hat on its first attempt.
>
>Basically, complain mode in apparmor is a learning mode: instead of
>rejecting requests that don't have permission, it logs but allows
>them (complains). Domain transitions are special in that when the
>requested domain doesn't exist, it could be because it needs to
>be created yet, or it could be that the request needs to be
>merged into the current profile. So apparmor creates a new null-XXX
>profile that is used to track this request.
>
>These request profiles are piling up because there is a bug where
>null-XXX profiles are not being garbage collected when no longer
>in use.
>
>Change the profile into enforce mode, using the aa-enforce tool
>on the file your apache profile is in (likely)
>
> aa-enforce /etc/apparmor.d/usr.lib.apache2.mpm-itk.apache2
>
>or manually, either by deleting the symlink (if it
>exists) to the profile file in
> /etc/apparmor.d/complain
>
>or by editing the profile to remove the complain
>flag, e.g.
>
> /usr/lib/apache2/mpm-itk/apache2 (complain) {...}
>
>would become
> /usr/lib/apache2/mpm-itk/apache2 {...}
Cool, thank you for info :)
azur
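Added example, not code from this thread or from the AppArmor project: the manual fix described in the reply (dropping the complain flag from the profile header) as a small shell script, plus a check that the hat mod_apparmor will ask for is actually defined, which is the other half of the problem (a missing hat is what makes the kernel spin up a null-XXX profile in complain mode). The profile text is constructed for this example; the profile path and the DEFAULT_URI hat name are the ones quoted above, and the `flags=(...)` spelling of the header is assumed alongside the bare `(complain)` form shown in the reply. The script only rewrites the file; loading the result into the kernel is still `apparmor_parser -r <file>` (which aa-enforce does for you).

```shell
#!/bin/sh
# Added example: remove the complain flag from an AppArmor profile and
# verify the requested hat exists. Not from the thread or the AppArmor
# project. Profile contents below are constructed for this example.

# Write a constructed sample profile, in complain mode, to the file in $1.
# The profile name is the mpm-itk apache2 path quoted in the thread.
write_sample_profile() {
  cat > "$1" <<'EOF'
#include <tunables/global>

/usr/lib/apache2/mpm-itk/apache2 flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/apache2-common>

  # Hat mod_apparmor changes into when no more specific hat is configured.
  # If this block were missing, the hat change would fail on every request.
  ^DEFAULT_URI {
    #include <abstractions/base>
    /var/www/** r,
  }
}
EOF
}

# Remove "complain" from the flag list of every profile header in $1 and
# write the result to $2. Handles "(complain)", "flags=(complain)", and
# complain mixed with other flags, e.g. flags=(complain,attach_disconnected).
# The input file is left untouched so the diff can be reviewed first.
strip_complain_flag() {
  sed -E \
    -e 's/[[:space:]]*(flags=)?\(complain\)[[:space:]]*[{]/ {/' \
    -e 's/(flags=\([^)]*)complain,[[:space:]]*/\1/' \
    -e 's/(flags=\([^)]*),[[:space:]]*complain\)/\1)/' \
    "$1" > "$2"
}

# Exit 0 if profile file $1 defines a hat named $2 (a "^NAME {" block).
profile_has_hat() {
  grep -Eq "^[[:space:]]*\^$2[[:space:]]*[{]" "$1"
}

# Print the first profile header line of $1 (the line naming the profile).
profile_header() {
  grep -E '^/[^[:space:]]+.*[{][[:space:]]*$' "$1" | head -n 1
}

# Demonstration on the constructed profile.
tmpdir=$(mktemp -d)
src="$tmpdir/usr.lib.apache2.mpm-itk.apache2"
dst="$tmpdir/usr.lib.apache2.mpm-itk.apache2.enforce"
write_sample_profile "$src"
strip_complain_flag "$src" "$dst"
echo "before: $(profile_header "$src")"
echo "after:  $(profile_header "$dst")"
if profile_has_hat "$dst" DEFAULT_URI; then
  echo "hat DEFAULT_URI is defined; mod_apparmor's default hat change will succeed"
else
  echo "hat DEFAULT_URI is missing; expect null-XXX profiles in complain mode" >&2
fi
# To activate the edited profile on a real system (not run here):
#   cp "$dst" /etc/apparmor.d/usr.lib.apache2.mpm-itk.apache2
#   apparmor_parser -r /etc/apparmor.d/usr.lib.apache2.mpm-itk.apache2
```

If Apache is configured with `AAHatName` or `AADefaultHatName`, check for those hat names instead of DEFAULT_URI; a hat that is requested but not defined in the profile is exactly the case that produces the null-XXX entries, in either mode the kernel has to do something with the failed transition, and only enforce mode stops it from accumulating learning profiles.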