[apparmor] AppArmor - dac_override questions
Seth Arnold
seth.arnold at canonical.com
Sat Oct 24 00:00:28 UTC 2015
On Fri, Oct 23, 2015 at 11:23:17PM +0200, SZIGETVÁRI János wrote:
> [127951.664275] type=1400 audit(1445632556.846:970): apparmor="ALLOWED"
> operation="file_mmap"
> profile="/opt/syslog-ng/libexec/syslog-ng//null-47//null-48//null-4b"
> name="/lib/x86_64-linux-gnu/libc-2.19.so" pid=2450 comm="cat"
> requested_mask="mr" denied_mask="mr" fsuid=101 ouid=0
Hello Janos,
I don't know for certain what has happened here but because you're using a
..//null-xx//.. set of complain-mode profiles and the executable is 'cat'
(for this log line), it feels to me that the processes and their
confinements have gotten out of sync.
The aa-genprof and aa-logprof tools try to change existing processes'
confinement based on answers to the execution questions, but this is not
perfect.
If this is the case, the most foolproof way forward is usually to manually
unload all the ..//null-xx//.. profiles, stop the program, reload the
profile, and restart the program.
Something like this should unload all the ..//null-xx//.. profiles:
awk '/null-/ { print "profile " $1 " { }" };' < /sys/kernel/security/apparmor/profiles | apparmor_parser --remove
Then apparmor_parser --reload /path/to/new/syslogng/profile
Then restart syslog-ng
Hopefully this will get you better / newer DENIED or ALLOWED logs to keep
iterating on the profile.
Thanks
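Added example, not from Seth's mail or the AppArmor project: a shell sketch of the dry run a practitioner might do before piping the awk output above into apparmor_parser, plus a check over audit lines for processes still confined by a ..//null-xx//.. learning profile (the out-of-sync state Seth describes). The profile listing and audit lines below are constructed samples.

```shell
#!/bin/sh
# Constructed sample of /sys/kernel/security/apparmor/profiles ("name (mode)" per line).
SAMPLE_PROFILES='/usr/sbin/tcpdump (enforce)
/opt/syslog-ng/libexec/syslog-ng (complain)
/opt/syslog-ng/libexec/syslog-ng//null-47 (complain)
/opt/syslog-ng/libexec/syslog-ng//null-47//null-48 (complain)
/opt/syslog-ng/libexec/syslog-ng//null-47//null-48//null-4b (complain)'

# Emit one empty "profile NAME { }" stanza per null- profile; this is the text
# that "apparmor_parser --remove" would consume to unload exactly those profiles.
null_profile_stanzas() {
    awk '/\/\/null-/ { print "profile " $1 " { }" }'
}

# Dry run: how many profiles would be removed for a given listing.
count_null_profiles() {
    printf '%s\n' "$1" | null_profile_stanzas | wc -l | tr -d ' '
}

# Constructed audit lines: one process under a learning profile, one under the real one.
SAMPLE_AUDIT='type=1400 audit(1445632556.846:970): apparmor="ALLOWED" operation="file_mmap" profile="/opt/syslog-ng/libexec/syslog-ng//null-47//null-48//null-4b" name="/lib/x86_64-linux-gnu/libc-2.19.so" pid=2450 comm="cat" requested_mask="mr" denied_mask="mr" fsuid=101 ouid=0
type=1400 audit(1445632557.000:971): apparmor="ALLOWED" operation="open" profile="/opt/syslog-ng/libexec/syslog-ng" name="/etc/syslog-ng/syslog-ng.conf" pid=2400 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=101 ouid=0'

# Print "pid comm profile" for audit lines whose profile is a ..//null-xx//.. one:
# these are the processes whose confinement is stale and need a restart after
# the learning profiles are unloaded.
stale_confinement() {
    awk '/profile="[^"]*\/\/null-/ {
        pid = comm = prof = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^pid=/)     { pid  = substr($i, 5) }
            if ($i ~ /^comm=/)    { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^profile=/) { prof = substr($i, 9); gsub(/"/, "", prof) }
        }
        print pid, comm, prof
    }'
}

printf '%s\n' "$SAMPLE_PROFILES" | null_profile_stanzas
printf '%s\n' "$SAMPLE_AUDIT" | stale_confinement
```

On a live system, replace the constructed listing with the real /sys/kernel/security/apparmor/profiles and the constructed audit lines with the kernel log (e.g. journalctl -k or /var/log/audit/audit.log).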