[apparmor] About duplicate AVC audit entries

Vincas Dargis vindrg at gmail.com
Thu Oct 5 18:31:37 UTC 2017


Hi,

I have just tried the 4.14 kernel on Debian, and noticed some... strange (at least to me) lines:

type=AVC msg=audit(1507226290.397:616): apparmor="ALLOWED" operation="file_perm" profile="/usr/sbin/avahi-daemon" pid=526 comm="avahi-daemon" family="unix" sock_type="stream" protocol=0 requested_mask="receive" denied_mask="receive"
type=AVC msg=audit(1507226290.397:616): apparmor="ALLOWED" operation="file_perm" profile="/usr/sbin/avahi-daemon" pid=526 comm="avahi-daemon" family="unix" sock_type="stream" protocol=0 requested_mask="receive" denied_mask="receive"
type=AVC msg=audit(1507226290.397:616): apparmor="ALLOWED" operation="recvmsg" profile="/usr/sbin/avahi-daemon" pid=526 comm="avahi-daemon" family="unix" sock_type="stream" protocol=0 requested_mask="receive" denied_mask="receive"
type=SYSCALL msg=audit(1507226290.397:616): arch=c000003e syscall=0 success=yes exit=0 a0=5 a1=7ffc322960de a2=1 a3=67 items=0 ppid=1 pid=526 auid=4294967295 uid=116 gid=119 euid=116 suid=116 fsuid=116 egid=119 sgid=119 fsgid=119 tty=(none) ses=4294967295 comm="avahi-daemon" exe="/usr/sbin/avahi-daemon" key=(null)
type=PROCTITLE msg=audit(1507226290.397:616): proctitle=2F7573722F7362696E2F61766168692D6461656D6F6E002D73


The first two AVC entries (`file_perm`) are identical, then there is another with `recvmsg`, and only after that SYSCALL/PROCTITLE.

I do not have a lot of AppArmor experience, though I would expect three AVC,SYSCALL,PROCTITLE sequences, rather than 
this AVC,AVC,AVC,SYSCALL,PROCTITLE one.

Just curious.
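
Added example, not part of the original post: a small Python parser that groups the records quoted above by their audit event ID (the `timestamp:serial` pair inside `msg=audit(...)`, which the audit subsystem shares across all records of one event), reports AVC records repeated verbatim within an event, and decodes the hex `proctitle`. The function names are hypothetical; the sample records are copied from the post.

```python
import re
from collections import Counter

# Records copied from the post above, one record per line.
SAMPLE = """\
type=AVC msg=audit(1507226290.397:616): apparmor="ALLOWED" operation="file_perm" profile="/usr/sbin/avahi-daemon" pid=526 comm="avahi-daemon" family="unix" sock_type="stream" protocol=0 requested_mask="receive" denied_mask="receive"
type=AVC msg=audit(1507226290.397:616): apparmor="ALLOWED" operation="file_perm" profile="/usr/sbin/avahi-daemon" pid=526 comm="avahi-daemon" family="unix" sock_type="stream" protocol=0 requested_mask="receive" denied_mask="receive"
type=AVC msg=audit(1507226290.397:616): apparmor="ALLOWED" operation="recvmsg" profile="/usr/sbin/avahi-daemon" pid=526 comm="avahi-daemon" family="unix" sock_type="stream" protocol=0 requested_mask="receive" denied_mask="receive"
type=SYSCALL msg=audit(1507226290.397:616): arch=c000003e syscall=0 success=yes exit=0 a0=5 a1=7ffc322960de a2=1 a3=67 items=0 ppid=1 pid=526 auid=4294967295 uid=116 gid=119 euid=116 suid=116 fsuid=116 egid=119 sgid=119 fsgid=119 tty=(none) ses=4294967295 comm="avahi-daemon" exe="/usr/sbin/avahi-daemon" key=(null)
type=PROCTITLE msg=audit(1507226290.397:616): proctitle=2F7573722F7362696E2F61766168692D6461656D6F6E002D73
"""

# type=<TYPE> msg=audit(<seconds.millis>:<serial>): <fields>
HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')


def group_events(text):
    """Group records by (timestamp, serial); records sharing it form one event."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skip blank or non-audit lines
        rtype, ts, serial, body = m.groups()
        events.setdefault((ts, int(serial)), []).append((rtype, body))
    return events


def duplicate_avcs(records):
    """Return {AVC body: count} for AVC records repeated verbatim in one event."""
    counts = Counter(body for rtype, body in records if rtype == "AVC")
    return {body: n for body, n in counts.items() if n > 1}


def decode_proctitle(body):
    """Decode a hex-encoded proctitle field into its NUL-separated argv list."""
    value = body.split("proctitle=", 1)[1]
    return bytes.fromhex(value).decode("utf-8", "replace").split("\x00")


if __name__ == "__main__":
    for event_id, records in group_events(SAMPLE).items():
        print(event_id, [rtype for rtype, _ in records])
        print("duplicate AVCs:", duplicate_avcs(records))
        print("argv:", decode_proctitle(records[-1][1]))
```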


