[apparmor] change_profile permission denied

Jeroen Ooms jeroen.ooms at stat.ucla.edu
Wed Jul 24 11:43:19 UTC 2013


I can't get the change_profile directive to work. I have two profiles
loaded, called ocpu-main and ocpu-exec. The ocpu-main profile should
allow a transition into the more restrictive ocpu-exec:

#include <tunables/global>
profile ocpu-main {
  #include <opencpu.d/base>
  #include <opencpu.d/server>
  change_profile -> ocpu-exec,
}

In addition, the opencpu.d/server include contains:

@{PROC}/[0-9]*/attr/current rw,

So we should be good to go. However, when the process tries to make
the transition, it still fails with a permission denied:

Jul 24 13:36:59 Jeroen-Antec kernel: [13408.591656] type=1400
audit(1374665818.998:818): apparmor="DENIED"
operation="change_profile" parent=14654 profile="ocpu-main" pid=14655
comm="apache2" target="ocpu_exec"

There are no additional error messages in kern.log that give a hint on
why it fails. What am I doing wrong? I am using whatever version ships
with Ubuntu raring.
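The following is an added example, not code from the post or from the AppArmor project. It parses a `change_profile` DENIED audit line of the form shown above into its key=value fields, extracts the `change_profile -> target,` rules from a profile file, and reports whether the denied target is actually declared for the source profile. The audit line and profile text are copied from the post; the parser assumes a flat profile file (no nested profiles, no quoted profile names), which is enough for the policy shown here. Run over the post's own values it reports that the logged target and the declared target agree only up to a hyphen versus an underscore.

```python
import re

# Constructed inputs: the audit line and policy text as they appear in the post.
AUDIT_LINE = (
    'Jul 24 13:36:59 Jeroen-Antec kernel: [13408.591656] type=1400 '
    'audit(1374665818.998:818): apparmor="DENIED" operation="change_profile" '
    'parent=14654 profile="ocpu-main" pid=14655 comm="apache2" target="ocpu_exec"'
)

PROFILE_TEXT = """#include <tunables/global>
profile ocpu-main {
  #include <opencpu.d/base>
  #include <opencpu.d/server>
  change_profile -> ocpu-exec,
}
"""

# key=value or key="quoted value" pairs in an audit record
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# 'profile NAME {' opener and 'change_profile -> TARGET,' rule (flat profiles only)
PROFILE_RE = re.compile(r'^\s*profile\s+(\S+)\s*\{')
CHANGE_RE = re.compile(r'^\s*change_profile\s*->\s*([^,\s]+)\s*,')


def parse_audit(line):
    """Return the key=value fields of an AppArmor audit line as a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        key = m.group(1)
        # group(3) is the unquoted content of a "..." value, else the bare token
        fields[key] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def parse_change_profile_rules(text):
    """Return {profile_name: set(of change_profile targets)} for a flat profile file."""
    rules = {}
    current = None
    for line in text.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            current = m.group(1)
            rules.setdefault(current, set())
            continue
        m = CHANGE_RE.match(line)
        if m and current is not None:
            rules[current].add(m.group(1))
    return rules


def diagnose(fields, rules):
    """Classify a change_profile denial against the declared rules.

    Returns (status, detail). Status is one of:
      'not-change-profile' - the record is not a change_profile denial
      'unknown-source'     - the source profile is not in the policy text
      'declared'           - the target is declared; the cause lies elsewhere
      'name-mismatch'      - target differs from a declared one only in '-' vs '_'
      'undeclared'         - no matching change_profile rule at all
    """
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "change_profile":
        return "not-change-profile", "record is not a change_profile denial"
    src, target = fields.get("profile"), fields.get("target")
    allowed = rules.get(src)
    if allowed is None:
        return "unknown-source", f"profile {src!r} not found in policy text"
    if target in allowed:
        return "declared", f"{src!r} declares {target!r}; check that the target profile is loaded"
    norm = target.replace("-", "_")
    near = sorted(t for t in allowed if t.replace("-", "_") == norm)
    if near:
        return "name-mismatch", f"logged target {target!r} vs declared {near[0]!r}"
    return "undeclared", f"{src!r} declares {sorted(allowed)}, not {target!r}"


if __name__ == "__main__":
    status, detail = diagnose(parse_audit(AUDIT_LINE), parse_change_profile_rules(PROFILE_TEXT))
    print(status, "-", detail)
```

The same `parse_audit` and `diagnose` pair can be pointed at a stream of kern.log lines to surface every `change_profile` denial whose target does not match a declared rule, which is usually faster than reading the raw audit records by eye.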


