[apparmor] [profile] netstat(8): plenty of DENIED messages; repeated "target=*" value.

daniel curtis sidetripping at gmail.com
Wed Jan 11 18:09:14 UTC 2017


Hello

Some time ago - generally last year - I'd asked a question about netstat(8)
and its AppArmor profile [1], which contains rules related to the IPv6
protocol, such as:

owner @{PROC}/*/net/tcp6 r,
owner @{PROC}/*/net/udp6 r,
owner @{PROC}/*/net/raw6 r,

For now, I'm not using this protocol, so I was advised by Mr John Johansen
[2] that: "if you aren't using ipv6 you should be able to drop them".
According to his suggestion I removed these rules.

But one week ago I noticed (if I remember correctly - during chkrootkit tests
etc.) that system log files, for example '/var/log/kern.log', contain:

Jan  4 18:07:59 t4 kernel: [25051.745979] type=1400
audit(1483549679.968:46): apparmor="DENIED" operation="open" parent=3863
profile="/bin/netstat" name="/proc/4199/net/tcp6" pid=4199 comm="netstat"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Jan  4 18:07:59 t4 kernel: [25051.746124] type=1400
audit(1483549679.968:47): apparmor="DENIED" operation="open" parent=3863
profile="/bin/netstat" name="/proc/4199/net/udp6" pid=4199 comm="netstat"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Jan  4 18:07:59 t4 kernel: [25051.746190] type=1400
audit(1483549679.968:48): apparmor="DENIED" operation="open" parent=3863
profile="/bin/netstat" name="/proc/4199/net/raw6" pid=4199 comm="netstat"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0

As we can see, these DENIED entries are related to the rules which I removed
previously. So: are they needed or not? (I'm not using the IPv6 protocol.) Do
I have to restore these rules? Or maybe it's just an effect of chkrootkit
and I don't need the rules related to the IPv6 protocol?

What is your opinion on this one? I'm sorry for such naive questions.

Best regards.
_____________
[1] https://github.com/Harvie/AppArmor-Profiles/blob/master/bin.netstat
[2] https://lists.ubuntu.com/archives/apparmor/2016-December/010329.html
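The following is an added example and not part of the post above or of the linked netstat profile. It shows the mapping the post is asking about in code: parse AppArmor "DENIED" audit entries of the kind quoted from kern.log, turn each denied path back into the profile rule that would cover it (replacing the per-process `/proc/<pid>/` directory with `@{PROC}/*/`, and prefixing `owner` when fsuid equals ouid), and report which of those rules are absent from a given profile. The sample log lines and the profile fragment are constructed for the example, one audit event per line as kern.log actually stores them (the mail client wrapped the originals).

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample: the three denials quoted in the post plus one
# non-DENIED event that the rule generator must ignore.
SAMPLE_LOG = """\
Jan  4 18:07:59 t4 kernel: [25051.745979] type=1400 audit(1483549679.968:46): apparmor="DENIED" operation="open" parent=3863 profile="/bin/netstat" name="/proc/4199/net/tcp6" pid=4199 comm="netstat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan  4 18:07:59 t4 kernel: [25051.746124] type=1400 audit(1483549679.968:47): apparmor="DENIED" operation="open" parent=3863 profile="/bin/netstat" name="/proc/4199/net/udp6" pid=4199 comm="netstat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan  4 18:07:59 t4 kernel: [25051.746190] type=1400 audit(1483549679.968:48): apparmor="DENIED" operation="open" parent=3863 profile="/bin/netstat" name="/proc/4199/net/raw6" pid=4199 comm="netstat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan  4 18:08:01 t4 kernel: [25053.000000] type=1400 audit(1483549681.000:49): apparmor="ALLOWED" operation="open" parent=3863 profile="/bin/netstat" name="/proc/4199/net/tcp" pid=4199 comm="netstat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# Constructed fragment of a netstat profile from which the IPv6 rules were dropped.
PROFILE_WITHOUT_V6 = """\
owner @{PROC}/*/net/tcp r,
owner @{PROC}/*/net/udp r,
owner @{PROC}/*/net/raw r,
"""

# key="quoted value" or key=bareword, as written by the AppArmor audit backend
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# the per-process directory that AppArmor profiles express as @{PROC}/*/
PID_DIR_RE = re.compile(r'^/proc/(\d+|self)/')


def parse_audit_line(line: str) -> Dict[str, str]:
    """Return the key/value fields of one audit line (quotes removed)."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def generalise_path(path: str) -> str:
    """Replace a concrete /proc/<pid>/ prefix with the profile variable form."""
    return PID_DIR_RE.sub('@{PROC}/*/', path)


def suggest_rule(fields: Dict[str, str]) -> Optional[str]:
    """Build the file rule that would have permitted a DENIED file access."""
    if fields.get('apparmor') != 'DENIED' or 'name' not in fields:
        return None
    mask = fields.get('denied_mask') or fields.get('requested_mask', '')
    # fsuid == ouid means the accessing task owns the file, so an 'owner' rule suffices
    owner = 'fsuid' in fields and fields['fsuid'] == fields.get('ouid')
    prefix = 'owner ' if owner else ''
    return f"{prefix}{generalise_path(fields['name'])} {mask},"


def suggest_rules(log_text: str) -> Dict[str, List[str]]:
    """Map each profile name to the de-duplicated rules covering its denials."""
    by_profile: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        rule = suggest_rule(fields)
        if rule is None:
            continue
        rules = by_profile.setdefault(fields.get('profile', '?'), [])
        if rule not in rules:
            rules.append(rule)
    return by_profile


def profile_rules(profile_text: str) -> Set[str]:
    """Collect the non-comment rule lines of a profile fragment."""
    return {l.strip() for l in profile_text.splitlines()
            if l.strip() and not l.strip().startswith('#')}


def missing_rules(profile_text: str, log_text: str, profile_name: str) -> List[str]:
    """Rules implied by the log for profile_name that the profile does not contain."""
    have = profile_rules(profile_text)
    return [r for r in suggest_rules(log_text).get(profile_name, []) if r not in have]


if __name__ == '__main__':
    for rule in missing_rules(PROFILE_WITHOUT_V6, SAMPLE_LOG, '/bin/netstat'):
        print(rule)
```

Run against the constructed sample, the output is exactly the three `owner @{PROC}/*/net/{tcp6,udp6,raw6} r,` rules that were removed, which confirms what the post observes: every DENIED line corresponds to an attempt that the deleted rule used to allow, regardless of whether the process goes on to need the data. Whether to put the rules back is a policy choice; the denials themselves only record that the binary tried to open those files. On Ubuntu the interactive `aa-logprof` tool performs this same log-to-rule mapping.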