[apparmor] Apache mod_apparmor problem
Seth Arnold
seth.arnold at canonical.com
Wed Aug 7 18:12:47 UTC 2013
On Wed, Aug 07, 2013 at 02:29:01PM +0200, azurIt wrote:
> I'm trying to use mod_apparmor in Apache but every request is creating
> a new profile inside the kernel, which looks like this:
> /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1001
> /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1003
> /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1005
> /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1007
> /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1009
>
> and so on. There are TONS of such profiles after a few weeks of running:
> 42775 profiles are in complain mode.
Hello,
John covered well how to prevent more from showing up, but if you need
to clean these up without a reboot, some quick and dirty shell scripts
like this may help you out:

    # Remove the top-level null-N profiles one at a time.
    for i in $(seq 1 43000); do
        echo "/usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-${i} { }" |
            apparmor_parser --remove
    done

This just cleans up the top-level null profiles. That may or may not
be the bulk of your profiles left over, but hopefully this is a good
starting point. (If they get three or four levels deep, parsing
/sys/kernel/security/apparmor/profiles might be a lot faster.)
Thanks
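
The closing suggestion above (parsing /sys/kernel/security/apparmor/profiles), sketched as an added example that is not part of the original message. The function names and the sample listing are constructed for illustration, and it assumes the "name { }" removal form from the loop above also works for more deeply nested names.

```shell
#!/bin/sh
# Added example, not from the original message. Function names are
# illustrative. Each line of /sys/kernel/security/apparmor/profiles
# has the form "<profile name> (<mode>)".

TAB="$(printf '\t')"

# Read a profiles listing on stdin and print the names whose last component
# is null-<number>, deepest nesting first so children precede their parents.
list_null_profiles() {
    sed -e 's/ ([a-z]*)$//' |
    awk '/\/\/null-[0-9]+$/ { n = gsub(/\/\//, "&"); print n "\t" $0 }' |
    LC_ALL=C sort -t "$TAB" -k1,1nr -k2 |
    cut -f2-
}

# Remove every listed profile with the same command the loop in the message
# uses. Assumption: the "name { }" form also works for deeper names.
# Needs root: remove_null_profiles < /sys/kernel/security/apparmor/profiles
remove_null_profiles() {
    list_null_profiles | while IFS= read -r name; do
        echo "${name} { }" | apparmor_parser --remove
    done
}

# Constructed sample listing (not real output) for a dry run.
sample_profiles() {
    cat <<'EOF'
/usr/sbin/ntpd (enforce)
/usr/lib/apache2/mpm-itk/apache2 (complain)
/usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI (complain)
/usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1001 (complain)
/usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1001//null-1002 (complain)
/usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1003 (complain)
EOF
}

# Dry run: show what would be removed from the sample, in removal order.
sample_profiles | list_null_profiles
```

Reviewing the output of list_null_profiles against the real file before calling remove_null_profiles confirms that only leftover null-N profiles are selected.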