[apparmor] AppArmor - dac_override questions

Seth Arnold seth.arnold at canonical.com
Sat Oct 24 00:00:28 UTC 2015

On Fri, Oct 23, 2015 at 11:23:17PM +0200, SZIGETVÁRI János wrote:
> [127951.664275] type=1400 audit(1445632556.846:970): apparmor="ALLOWED"
> operation="file_mmap"
> profile="/opt/syslog-ng/libexec/syslog-ng//null-47//null-48//null-4b"
> name="/lib/x86_64-linux-gnu/libc-2.19.so" pid=2450 comm="cat"
> requested_mask="mr" denied_mask="mr" fsuid=101 ouid=0

Hello Janos,

I don't know for certain what has happened here but because you're using a
..//null-xx//.. set of complain-mode profiles and the executable is 'cat'
(for this log line), it feels to me that the processes and their
confinements have gotten out of sync.

The aa-genprof and aa-logprof tools try to change existing process's
confinement based on answers to the execution questions, but this is not

If this is the case, the most-foolprof way forward is usually to manually
unload all the ..//null-xx//.. profiles, stop the program, reload the
profile, and restart the program.

Something like this should unload all the ..//null-xx//.. profiles:

awk '/null-/ { print "profile " $1 " { }" };' < /sys/kernel/security/apparmor/profiles | apparmor_parser --remove

Then apparmor_parser --reload /path/to/new/syslogng/profile
Then restart syslog-ng

Hopefully this will get you better / newer DENIED or ALLOWED logs to keep
iterating on the profile.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20151023/c39c8f50/attachment.pgp>

More information about the AppArmor mailing list