[apparmor] Help with AppArmor Full System Policy
Abhishek Vijeev
abhishekvijeev at iisc.ac.in
Wed Aug 21 06:10:30 UTC 2019
Hi,
We have successfully confined init according to the documentation on this page: https://gitlab.com/apparmor/apparmor/wikis/FullSystemPolicy, and verified that it is working with the help of ps -auxZ.
Currently, we are trying to confine system daemons/services. But sometimes the confinement doesn't work. For example, the colord-sane daemon has the following profile:
profile init-systemd /lib/systemd/** flags=(complain) {
  ...
  /usr/bin/colord/** cx -> colord_profile,
  profile colord_profile flags=(complain) {
    ...
    ...
  }
  ...
}
However, the dmesg audit logs show the profile name for colord-sane as 'init-systemd//colord_profile//null-/usr/lib/colord/colord-sane' (sample logs are attached for reference). We don't understand where the suffix 'null-/usr/lib/colord/colord-sane' originates from, since we have specified an explicit 'cx' transition for all files within /usr/bin/colord/. Due to this problem, we are unable to confine colord and a bunch of other processes.
Kindly let us know if there's any reason for this.
Thank you.
Attachment: dmesg_logs_sample.txt
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20190821/cad5ea14/attachment.txt>
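Added example (not from the original post or the AppArmor project): a small triage helper that reads audit lines of the kind quoted above, picks out labels carrying the '//null-' component AppArmor attaches when an exec had no matching rule and complain mode let it run under a learning profile, and checks each executed path against a profile's exec-rule globs using AppArmor's '*' (no '/') versus '**' (spans '/') semantics. The sample dmesg lines and their field layout are constructed for the example, not taken from the attachment.

```python
import re

# Constructed sample dmesg lines in AppArmor audit format (not the attached log).
# The exec's "target" and the following open's "profile" carry the //null- label.
SAMPLE_DMESG = """\
[ 12.345678] audit: type=1400 audit(1566367830.123:201): apparmor="ALLOWED" operation="exec" profile="init-systemd//colord_profile" name="/usr/lib/colord/colord-sane" pid=1234 comm="colord" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="init-systemd//colord_profile//null-/usr/lib/colord/colord-sane"
[ 12.345901] audit: type=1400 audit(1566367830.124:202): apparmor="ALLOWED" operation="open" profile="init-systemd//colord_profile//null-/usr/lib/colord/colord-sane" name="/etc/ld.so.cache" pid=1234 comm="colord-sane" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 12.346100] audit: type=1400 audit(1566367830.125:203): apparmor="ALLOWED" operation="open" profile="init-systemd//colord_profile" name="/etc/colord.conf" pid=1200 comm="colord" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit_line(line):
    """Split one audit line into its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def null_profiles(lines):
    """Map each '//null-' label to (parent profile, executable it was created for)."""
    found = {}
    for line in lines:
        fields = parse_audit_line(line)
        for label in (fields.get("profile", ""), fields.get("target", "")):
            if "//null-" in label:
                parent, _, exe = label.partition("//null-")
                found[label] = (parent, exe)
    return found

def aa_glob_to_regex(glob):
    """AppArmor path globbing: '**' may span '/', while '*' and '?' may not."""
    out, i = "^", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        else:
            out, i = out + {"*": "[^/]*", "?": "[^/]"}.get(glob[i], re.escape(glob[i])), i + 1
    return out + "$"

def rule_covers(glob, path):
    """True if a file rule with this glob would match the given path."""
    return re.match(aa_glob_to_regex(glob), path) is not None

def report(lines, exec_globs):
    """For each learned null- profile, list the exec-rule globs that cover its executable."""
    return [(parent, exe, [g for g in exec_globs if rule_covers(g, exe)])
            for parent, exe in null_profiles(lines).values()]

if __name__ == "__main__":
    for parent, exe, covering in report(SAMPLE_DMESG.splitlines(), ["/usr/bin/colord/**"]):
        print(f"{parent}: exec of {exe} landed in a null- profile; "
              f"covered by: {covering or 'no exec rule'}")
```

Run it against real `dmesg` output and the cx globs from the profile under test; an empty "covered by" list means no exec rule in that profile matches the path the kernel actually executed.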