[apparmor] profiles cannot be deleted

John Johansen john.johansen at canonical.com
Fri Dec 20 09:45:30 UTC 2013


On 12/20/2013 01:22 AM, Aaron Lewis wrote:
> Hi,
> 
> I couldn't delete profiles, in aa-status I see bunches of lines like this,
> 
> 188 profiles are in complain mode.
>    /opt/cisco/anyconnect/bin/vpnagentd//null-1
>    /opt/cisco/anyconnect/bin/vpnagentd//null-10
>    /opt/cisco/anyconnect/bin/vpnagentd//null-11
>    /opt/cisco/anyconnect/bin/vpnagentd//null-12
>    /opt/cisco/anyconnect/bin/vpnagentd//null-13
>    /opt/cisco/anyconnect/bin/vpnagentd//null-14
> 
These are learning profiles that are created when a profile in complain mode
does an exec and the current profile does not have a rule to cover the
transition.

They were supposed to be auto-delete/remove profiles so that they would
be reaped as soon as the last reference to them was removed. However, due to
current limitations in the ref counting that does not happen yet.

This is one of the things that should be fixed in the 3.0 release.

> I have to reboot to clear them out.
> 

If you do
  echo -n "/opt/cisco/anyconnect/bin/vpnagentd//null-10" >/sys/kernel/security/apparmor/.remove

does this correctly remove the profile for you?
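As an added example (not code from the thread or from the AppArmor project), a small POSIX shell helper that pulls the "//null-N" learning profiles belonging to one parent out of aa-status output and unloads them through the .remove interface John points at. The aa-status excerpt it parses is constructed for illustration; the parent path is the one from Aaron's report.

```shell
#!/bin/sh
# Constructed aa-status excerpt: one complain-mode parent with two learning
# profiles, plus an unrelated learning profile that must not be touched.
SAMPLE_STATUS='188 profiles are in complain mode.
   /opt/cisco/anyconnect/bin/vpnagentd
   /opt/cisco/anyconnect/bin/vpnagentd//null-1
   /opt/cisco/anyconnect/bin/vpnagentd//null-10
   /usr/sbin/cupsd//null-3
2 processes are in enforce mode.'

# securityfs path used by the .remove interface (assumed mounted at /sys/kernel/security)
AA_REMOVE=/sys/kernel/security/apparmor/.remove

# Read aa-status output on stdin and print the full names of the "//null-N"
# learning profiles whose parent is exactly $1. Leading indentation is stripped
# so each printed name can be written to .remove unchanged.
learning_profiles() {
    awk -v parent="$1" '
        { sub(/^[ \t]+/, "") }   # drop aa-status indentation
        index($0, parent "//null-") == 1 && $0 ~ /\/\/null-[0-9]+$/ { print }'
}

# Read profile names on stdin and unload each one by writing it to .remove.
# The name must keep the "//" separator exactly as aa-status shows it.
# Needs root; returns non-zero if any write fails.
remove_profiles() {
    rc=0
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if printf '%s' "$name" > "$AA_REMOVE"; then
            echo "removed $name"
        else
            echo "failed to remove $name" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: dry-run first, then feed the same list to remove_profiles as root:
#   aa-status | learning_profiles /opt/cisco/anyconnect/bin/vpnagentd
#   aa-status | learning_profiles /opt/cisco/anyconnect/bin/vpnagentd | remove_profiles
```

Run the first command as an unprivileged user to confirm only the intended learning profiles are listed before running the second as root.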

