[apparmor] rkhunter profile oddities

Seth Arnold seth.arnold at canonical.com
Thu Jul 16 21:51:25 UTC 2020


On Thu, Jul 16, 2020 at 09:36:11PM +0200, mailinglisten at posteo.de wrote:
> Instead, as you can see, apparmor reports:
>
> Name: usr/sbin/ModemManager
> Name: usr/sbin/NetworkManager
>
>
> Is this probably an error in rkhunter and not in apparmor?

This is because rkhunter is executing in its own filesystem namespace for
whatever reason, and the LSM interface isn't passing to AppArmor
sufficient information for AppArmor to know the mountpoint that was used
to access those files.

You can add flags=(attach_disconnected) near the start of the profile to
cause these accesses to be treated as if they were mounted at /.

e.g.

profile rkhunter /usr/bin/rkhunter flags=(attach_disconnected) {
  /** r,
  ...
}

Thanks
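
Added example, not part of the original message: a log check that lists which profiles were denied on disconnected paths and so are candidates for flags=(attach_disconnected). The sample audit lines are constructed, and the FILE_OPS set and function names are assumptions made for this sketch.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not taken from the thread); the field layout
# follows the usual AppArmor kernel audit message format.
SAMPLE_LOG = """\
audit: type=1400 audit(1594928171.101:201): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="rkhunter" name="usr/sbin/ModemManager" pid=4242 comm="rkhunter" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1594928171.102:202): apparmor="DENIED" operation="open" profile="rkhunter" name="usr/sbin/NetworkManager" pid=4242 comm="rkhunter" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1594928171.103:203): apparmor="DENIED" operation="open" profile="rkhunter" name="/etc/shadow" pid=4242 comm="rkhunter" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1594928171.104:204): apparmor="DENIED" operation="dbus_method_call" profile="example" name="org.freedesktop.DBus" pid=4300 comm="sh"
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumption: a small set of file operations, enough for this illustration.
FILE_OPS = {"open", "exec", "getattr"}

def parse_fields(line):
    """Return the key=value pairs of one audit line as a dict."""
    return {k: q or u for k, q, u in FIELD.findall(line)}

def disconnected_denials(log_text):
    """Map profile -> sorted names that were denied as disconnected paths."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") != "DENIED" or "name" not in f:
            continue
        # A disconnected path is reported without its mount point, so a file
        # name shows up with no leading "/" (as in usr/sbin/ModemManager).
        relative = f.get("operation") in FILE_OPS and not f["name"].startswith("/")
        flagged = "disconnected path" in f.get("info", "")
        if relative or flagged:
            hits[f.get("profile", "?")].add(f["name"])
    return {p: sorted(n) for p, n in hits.items()}

if __name__ == "__main__":
    for profile, names in disconnected_denials(SAMPLE_LOG).items():
        print(f"{profile}: candidate for flags=(attach_disconnected)")
        for n in names:
            print(f"  {n} -> would be treated as /{n}")
```
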
