[apparmor] tomcat 8

Christian Boltz apparmor at cboltz.de
Wed Mar 30 12:52:20 UTC 2016


Hello,

On Wednesday, 30 March 2016, 14:23:58 CEST, Me Self wrote:
> I'm trying to profile tomcat 8 but the profile contains fewer rules than
> I would expect.
> 
> This is what I do:
> 
> sudo aa-genprof /usr/local/apache-tomcat-8.0.32/bin/catalina.sh
> 
> Then start tomcat, load a page, stop tomcat.

I'd skip the "load a page" part on the first run to produce fewer 
audit.log entries, and do a second run with loading a page.

> These rules seem to be related to the script itself and not the JVM it's
> spawning. I also tried running aa-complain but it didn't add anything
> new to the profile.
> 
> In the syslog I see messages such as this (the webapp is ROOT.war). What
> does the /null-50 in the profile attr mean?
> 
> [174402.483458] type=1400 audit(1459339942.803:1134393):
> apparmor="ALLOWED" operation="getattr"
> profile="/usr/local/apache-tomcat-8.0.32/bin/ catalina.sh//null-50"
> name="/usr/local/apache-tomcat-8.0.32/webapps/ROOT.war" pid=14365
> comm="java" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001

The null-* means that something was executed (see comm="java") which 
doesn't have execute permissions in the profile yet.

I'd guess you produced "too many" log events, and the audit.log was 
rotated away before you were able to run aa-logprof on it.

You can use   aa-logprof -f /var/log/audit/audit.log.1   to read the 
last rotated-away logfile. Maybe it was rotated multiple times - the 
timestamp of the older logs should tell.


Regards,

Christian Boltz
-- 
> So AJ, shall we online update the fix for your blog? :-)
I wouldn't just update for my blog - but it's Robert's as well ;-)
[> Stephan Binner and Andreas Jäger in
https://bugzilla.novell.com/show_bug.cgi?id=209387]
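
Added illustration, not part of the original message: a Python sketch that scans AppArmor audit lines for `//null-*` profiles and groups the events by parent profile and `comm`, which shows the executed child that still lacks an exec rule. The sample lines are constructed, modelled on the one quoted above; the function names and the `conf/server.xml` and `setclasspath.sh` paths are assumptions.

```python
import re
from collections import defaultdict

# Matches key="quoted value" or key=bare_value pairs in an AppArmor audit record.
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_record(line):
    """Return the fields of one AppArmor audit line as a dict, or None."""
    if "apparmor=" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in PAIR_RE.findall(line)}

def null_profile_events(lines):
    """Group events logged under a '//null-N' profile by (parent profile, comm)."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        parent, sep, _ = rec.get("profile", "").partition("//null-")
        if not sep:
            continue  # logged under a named profile, not a null-* child
        summary[(parent, rec.get("comm", "?"))].add(
            (rec.get("operation", "?"), rec.get("name", ""), rec.get("requested_mask", "")))
    return dict(summary)

# Constructed sample input, modelled on the audit line quoted in the thread.
TOMCAT = "/usr/local/apache-tomcat-8.0.32"
PREFIX = 'type=1400 audit(1459339942.803:1134393): apparmor="ALLOWED" '
SAMPLE = [
    PREFIX + f'operation="getattr" profile="{TOMCAT}/bin/catalina.sh//null-50" '
             f'name="{TOMCAT}/webapps/ROOT.war" pid=14365 comm="java" '
             'requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001',
    PREFIX + f'operation="open" profile="{TOMCAT}/bin/catalina.sh//null-50" '
             f'name="{TOMCAT}/conf/server.xml" pid=14365 comm="java" '
             'requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001',
    PREFIX + f'operation="open" profile="{TOMCAT}/bin/catalina.sh" '
             f'name="{TOMCAT}/bin/setclasspath.sh" pid=14360 comm="catalina.sh" '
             'requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001',
    "kernel: unrelated line without any AppArmor fields",
]

if __name__ == "__main__":
    for (parent, comm), events in null_profile_events(SAMPLE).items():
        print(f"{parent}: child '{comm}' has no exec rule yet; "
              f"{len(events)} access(es) logged under null-*")
        for op, name, mask in sorted(events):
            print(f"  {op:8} {mask:3} {name}")
```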