[apparmor] What's the 'd' flag?

John Johansen john.johansen at canonical.com
Tue Jun 17 00:31:23 UTC 2014

On 06/16/2014 05:26 PM, Aaron Lewis wrote:
> Hi,
> Take a look at the following message
> [  760.181424] type=1400 audit(xxxxxxx:113): apparmor="ALLOWED"
> operation="unlink" parent=1 profile="/usr/sbin/php5-fpm"
> name="/run/php5-fpm.sock" pid=1340 comm="php5-fpm" requested_mask="d"
> denied_mask="d" fsuid=0 ouid=0
> I tried to set the 'd' flag in the profile but it caused a syntax error
> (Running Ubuntu 12.04 everything up-to-date)

The kernel is tracking a wider permission set than the current userspace
policy uses. The d flag is deleted, and the c flag is create, both of
those currently map to the write permission in userspace policy.

There are plans to enable specifying a finer permission set in userspace
when needed but that work is not ready yet

More information about the AppArmor mailing list