[apparmor] tomcat 8
Christian Boltz
apparmor at cboltz.de
Wed Mar 30 12:52:20 UTC 2016
Hello,
On Wednesday, 30 March 2016, 14:23:58 CEST, Me Self wrote:
> I'm trying to profile tomcat 8 but the profile contains fewer rules than
> I would expect.
>
> This is what I do:
>
> sudo aa-genprof /usr/local/apache-tomcat-8.0.32/bin/catalina.sh
>
> Then start tomcat, load a page, stop tomcat.

I'd skip the "load a page" part on the first run to produce fewer
audit.log entries, and do a second run with loading a page.

> These rules seem to be related to the script itself and not the JVM it's
> spawning. I also tried running aa-complain but it didn't add anything
> new to the profile.
>
> In the syslog I see messages such as this (the webapp is ROOT.war). What
> does the /null-50 in the profile attr mean?
>
> [174402.483458] type=1400 audit(1459339942.803:1134393):
> apparmor="ALLOWED" operation="getattr"
> profile="/usr/local/apache-tomcat-8.0.32/bin/catalina.sh//null-50"
> name="/usr/local/apache-tomcat-8.0.32/webapps/ROOT.war" pid=14365
> comm="java" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001

The null-* means that something was executed (see comm="java") which
doesn't have execute permissions in the profile yet.

I'd guess you produced "too many" log events, and the audit.log was
rotated away before you were able to run aa-logprof on it.
You can use aa-logprof -f /var/log/audit/audit.log.1 to read the
last rotated-away logfile. Maybe it was rotated multiple times - the
timestamp of the older logs should tell.

Regards,
Christian Boltz
--
> So AJ, shall we online update the fix for your blog? :-)
I wouldn't just update for my blog - but it's Robert's as well ;-)
[> Stephan Binner and Andreas Jäger in
https://bugzilla.novell.com/show_bug.cgi?id=209387]
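
Added example, not part of the original message or of the AppArmor tools: a small Python script that tallies audit events logged under a `//null-` child profile by parent profile and `comm`, showing which executed programs still have no exec rule in the parent profile. The sample lines and the `/opt/example` paths are constructed; only the field layout follows the log line quoted in the message.

```python
import re
from collections import Counter

# Constructed sample lines (not real logs); layout follows the quoted event.
SAMPLE_LOG = """\
type=1400 audit(1459339942.801:1): apparmor="ALLOWED" operation="exec" profile="/opt/example/bin/start.sh" name="/usr/bin/java" pid=100 comm="start.sh" requested_mask="x" denied_mask="x" fsuid=1001 ouid=0
type=1400 audit(1459339942.803:2): apparmor="ALLOWED" operation="getattr" profile="/opt/example/bin/start.sh//null-50" name="/opt/example/webapps/ROOT.war" pid=101 comm="java" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001
type=1400 audit(1459339942.804:3): apparmor="ALLOWED" operation="open" profile="/opt/example/bin/start.sh//null-50" name="/opt/example/conf/server.xml" pid=101 comm="java" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001
type=1400 audit(1459339942.810:4): apparmor="ALLOWED" operation="open" profile="/opt/example/bin/start.sh//null-51" name="/usr/lib/locale/locale-archive" pid=102 comm="dirname" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
type=1300 audit(1459339942.811:5): arch=c000003e syscall=2 success=yes
"""

# key=value pairs; values are either double-quoted or a bare token.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Return the fields of an AppArmor audit line as a dict, or None."""
    if "apparmor=" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def null_transitions(text):
    """Count events logged under a //null- child profile.

    Keys are (parent profile, comm): each one is a program the parent
    profile executed without having an exec rule for it yet.
    Assumption: only the "//null-" marker seen in the message is relied on.
    """
    counts = Counter()
    for line in text.splitlines():
        event = parse_event(line)
        if not event:
            continue
        parent, marker, _ = event.get("profile", "").partition("//null-")
        if marker:
            counts[(parent, event.get("comm", "?"))] += 1
    return counts


if __name__ == "__main__":
    for (parent, comm), n in null_transitions(SAMPLE_LOG).most_common():
        print(f"{n:4d} events  parent={parent}  comm={comm}")
```

Running it over a rotated log file's contents instead of `SAMPLE_LOG` gives a quick view of which child executables aa-logprof will ask about.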