[apparmor] rkhunter profile oddities
mailinglisten at posteo.de
Thu Jul 16 19:36:11 UTC 2020
Hi there!
I created a very simple profile to confine rkhunter (version numbers below).
This profile contains /** r to be sure that everything can be read by
rkhunter.
Despite using /** r, I get plenty of these error messages:

Profile: /usr/bin/rkhunter
Operation: getattr
Name: usr/sbin/ModemManager
Denied: r
Logfile: /var/log/audit/audit.log
(3 found, most recent from 'Thu Jul 16 19:51:22 2020')

Profile: /usr/bin/rkhunter
Operation: getattr
Name: usr/sbin/NetworkManager
Denied: r
Logfile: /var/log/audit/audit.log
(3 found, most recent from 'Thu Jul 16 19:51:22 2020')

As you can see, the slash is missing at "Name"; it should be:
Name: /usr/sbin/ModemManager
Name: /usr/sbin/NetworkManager
Instead, as you can see, apparmor reports:
Name: usr/sbin/ModemManager
Name: usr/sbin/NetworkManager
Is this probably an error in rkhunter and not in apparmor?
My guess is, rkhunter tries to access files like
usr/sbin/ModemManager
usr/sbin/NetworkManager
usr/lib/upower/upowerd
usr/lib/bluetooth/bluetoothd
without the leading slash.
What do you think, broken rkhunter, forgetting the leading slash?
Versions used:
apparmor-parser, apparmor-utils 2.13.4
Kernel 5.7.7
rkhunter 1.4.6
Thanks!