[apparmor] aa-genprof no longer works on my system
Christian Boltz
apparmor at cboltz.de
Tue Jan 1 10:26:48 UTC 2013
Hello,
On Tuesday, 1 January 2013, Aaron Lewis wrote:
> Seems that aa-genprof failed to parse the logs, it doesn't ask about
> "Allow/Glob/.." stuff, when I press "S" to scan the logs, it just shows
> the same menu all the time,
>
> Here's a snip of the log currently present, which is stored in
> /var/log/messages (I already changed logfiles to /var/log/messages in
> logprof.conf)
>
> 2013-01-01T15:09:04.562575+08:00 localhost kernel: [ 1911.569682]
> type=1400 audit(1357024144.556:6368): apparmor="ALLOWED"
> operation="open" parent=5390
> profile="/usr/lib/virtualbox/VBoxSVC//null-2d"
> name="/sys/class/power_supply/" pid=5457 comm=4143504920506F6C6C6572
BTW: comm=... decodes to comm="ACPI Poller" (you can decode it with
aa-decode)
> requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
The utilities are not perfectly up to date, but in general they
should[tm] work. However aa-genprof sometimes misses some log events
( https://bugs.launchpad.net/apparmor/+bug/1014304 ) and especially exec
seems to be a critical point. This is exactly what might have hit you -
the log line you showed is the result of executing another program.
Fortunately aa-logprof usually works better. Does it work if you do the
following? (/usr/bin/virtualbox is just a guess - replace as needed)
    aa-complain /usr/bin/virtualbox    # [1]
    # start and use /usr/bin/virtualbox
    aa-logprof
    aa-enforce /usr/bin/virtualbox     # [1]
Happy new year!
Christian Boltz
[1] aa-complain switches the profile to learning ("complain") mode
(that's what aa-genprof also does while running), and aa-enforce
disables the learning mode again to enforce the profile.
--
> I had already explained that (including the comment from
> /etc/postfix/transport) in my last mail ... ;)
It's Sandy's fault ;-)
Only with his explanation did I realize that I hadn't understood it.
[> David Haller and Peter Mc Donough in opensuse-de]
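
An added example, not part of the original mail and not code from the AppArmor utilities: a small Python parser for the audit line quoted above that decodes the hex-encoded comm= value and reports the parent profile when the event comes from a "//null-" child profile, the naming used for a learned exec transition. The set of fields treated as strings is an assumption of this sketch.

```python
import re

# Constructed sample: the log line quoted in the mail, joined back onto one line.
SAMPLE = ('2013-01-01T15:09:04.562575+08:00 localhost kernel: [ 1911.569682] '
          'type=1400 audit(1357024144.556:6368): apparmor="ALLOWED" '
          'operation="open" parent=5390 '
          'profile="/usr/lib/virtualbox/VBoxSVC//null-2d" '
          'name="/sys/class/power_supply/" pid=5457 comm=4143504920506F6C6C6572 '
          'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0')

# key="quoted value" or key=bare_value
PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Assumption: fields that carry strings. The audit layer writes them quoted
# when safe and as bare hex when they contain a space or other unsafe byte.
STRING_FIELDS = {"comm", "name", "name2", "profile", "info"}


def decode_field(key, raw, quoted):
    """Hex-decode a bare string field; leave quoted and numeric fields alone."""
    if quoted or key not in STRING_FIELDS:
        return raw
    if len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_event(line):
    """Return the key/value pairs of an AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    event = {}
    for key, whole, inner in PAIR.findall(line):
        quoted = whole.startswith('"')
        event[key] = decode_field(key, inner if quoted else whole, quoted)
    return event


def learned_exec_parent(event):
    """Parent profile if the event was logged under a '//null-' child, else None."""
    parent, sep, _ = event.get("profile", "").partition("//null-")
    return parent if sep else None


if __name__ == "__main__":
    ev = parse_event(SAMPLE)
    print(ev["comm"], "|", ev["operation"], ev["name"], "|", learned_exec_parent(ev))
```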