[apparmor] rkhunter profile oddities
mailinglisten at posteo.de
Thu Jul 16 22:52:30 UTC 2020
On 16.07.20 at 23:51, Seth Arnold wrote:
> On Thu, Jul 16, 2020 at 09:36:11PM +0200, mailinglisten at posteo.de wrote:
>> Instead, as you can see, apparmor reports:
>> $
>> Name: usr/sbin/ModemManager
>> Name: usr/sbin/NetworkManager
>> $
>> $
>> Is this probably an error in rkhunter and not in apparmor?
>
> This is because rkhunter is executing in its own filesystem namespace for
> whatever reason, and the LSM interface isn't passing to AppArmor
> sufficient information for AppArmor to know the mountpoint that was used
> to access those files.
>
> You can add flags=(attach_disconnected) near the start of the profile to
> cause these accesses to be treated as if they were mounted at /.
>
> eg
>
> profile rkhunter /usr/bin/rkhunter flags=(attach_disconnected) {
> /** r,
Thanks a lot!
That did the trick.
And I just saw that some profiles already use this flag, like usr.sbin.ntpd,
usr.sbin.apache2 and a few others.
Best regards
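
Added example, not part of the original message and not AppArmor project code: AppArmor logs the situation described in the quoted reply as a denial with info="Failed name lookup - disconnected path" and a name without a leading slash. The Python script below collects such denials per profile and lists the profiles that log them but do not yet declare flags=(attach_disconnected). The audit lines and profile texts are constructed samples, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records in the kernel's AppArmor audit format (not from the thread).
SAMPLE_LOG = '''\
audit: type=1400 audit(1594935000.101:210): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="rkhunter" name="usr/sbin/ModemManager" pid=4211 comm="rkhunter" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1594935000.105:211): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="rkhunter" name="usr/sbin/NetworkManager" pid=4211 comm="rkhunter" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1594935001.310:212): apparmor="DENIED" operation="open" profile="rkhunter" name="/var/log/rkhunter.log" pid=4211 comm="rkhunter" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
'''

# Constructed profile texts: one without the flag, one with it.
PROFILE_WITHOUT = "profile rkhunter /usr/bin/rkhunter {\n  /** r,\n}\n"
PROFILE_WITH = "profile rkhunter /usr/bin/rkhunter flags=(attach_disconnected) {\n  /** r,\n}\n"

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')           # key="value" or key=value
FLAGS = re.compile(r'^[^#\n]*\bflags\s*=\s*\(([^)]*)\)', re.MULTILINE)  # skips comment lines


def disconnected_denials(log_text):
    """Map profile name -> sorted paths denied because the path was disconnected."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = {k: q or b for k, q, b in FIELD.findall(line)}
        if rec.get("apparmor") == "DENIED" and "disconnected path" in rec.get("info", ""):
            hits[rec.get("profile", "?")].add(rec.get("name", "?"))
    return {profile: sorted(names) for profile, names in hits.items()}


def has_attach_disconnected(profile_text):
    """True if any flags=(...) list in the profile text contains attach_disconnected."""
    return any("attach_disconnected" in re.split(r"[,\s]+", m.group(1).strip())
               for m in FLAGS.finditer(profile_text))


def profiles_needing_flag(log_text, profiles):
    """Profiles with disconnected-path denials whose text (name -> text) lacks the flag."""
    return sorted(p for p in disconnected_denials(log_text)
                  if not has_attach_disconnected(profiles.get(p, "")))


if __name__ == "__main__":
    print(disconnected_denials(SAMPLE_LOG))
    print(profiles_needing_flag(SAMPLE_LOG, {"rkhunter": PROFILE_WITHOUT}))
```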