On 06/30/2013 02:56 AM, azurIt wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I'm having problems with the audit rule modifier - it's just not working
>>>>>>> when used alone. I'm trying to enable only logging with this:
>>>>>>>
>>>>>>>   audit /home/** a,
>>>>>>>   audit /home/** w,
>>>>>>>
>>>>>> By only logging you mean logging of an access but not granting
>>>>>> permission?
>>>>>
>>>>> I mean logging of an access AND granting permission.
>>>>>
>>>> OK, I just wanted to be sure as we have had misunderstandings before
>>>> around audit, with people expecting it to only change the auditing
>>>> behavior and not grant permissions.
>>>>
>>>> i.e. audit /** w,
>>>>
>>>> as a rule to catch any writes regardless of what other rules are. It would
>>>> be a nice ability to have but the language doesn't allow specifying only
>>>> the audit behavior like this atm.
>>>>
>>>>>>> It should work according to documentation (
>>>>>>> http://wiki.apparmor.net/index.php/QuickProfileLanguage#Rule_Modifiers
>>>>>>> ) but it's doing nothing. I was able to enable logging only with this
>>>>>>> running in complain mode:
>>>>>>>
>>>>>>>   audit deny /home/**/*.php a,
>>>>>>>   audit deny /home/**/*.php w,
>>>>>>>
>>>>>> These two rules were necessary to get logging in complain mode?
>>>>>
>>>>> Well, I just read in the docs that 'w' implies also 'a', so only the second
>>>>> line is necessary. But yes, I had to use 'audit deny' for logging to work
>>>>> (and, as I want to NOT deny the action, I had to use complain mode).
>>>>>
>>>> Okay
>>>>
>>>>>>> Audit alone is not working. Is this a known bug? Thanks.
>>>>>>>
>>>>>> It is not known.
>>>>>>
>>>>>> Can you send us the full profile you are using?
>>>>>
>>>>> Here is the complete profile (I already removed that 'a' line and tested
>>>>> it):
>>>>>
>>>>>   /usr/lib/apache2/mpm-itk/apache2 {
>>>>>     network,
>>>>>     capability,
>>>>>     file,
>>>>>     audit deny /home/**/*.php w,
>>>>>   }
>>>>>
>>>>> As I said, I'm running this in complain mode because I don't want to deny
>>>>> the action on the last line. I want to use AppArmor only for logging access
>>>>> to files via PHP (I will be processing that log later).
>>>>>
>>>> Can you please provide the following information to help us diagnose the
>>>> problem.
>>>>
>>>> Kernel version: use the command
>>>>   uname -a
>>>> Parser version: use the command
>>>>   apparmor_parser -v
>>>> State dump from the compiler: use the command
>>>>   apparmor_parser -D dfa-states -QT profile_file 2>states_file
>>>>
>>>> Compiled output of your profile: use either of the following commands
>>>>   apparmor_parser -S profile_file > output_file
>>>>   apparmor_parser -o output_file profile_file
>>>>
>>>> * the -o version may not work on older parsers.
>>>> * profile_file is the file name where your profile is stored
>>>> * states_file and output_file are just files that the output will be dumped
>>>>   in, so that you can attach them
>>>
>>> Kernel version: 3.2.47
>>> Parser version: 2.7.103 (it was the -V switch)
>>
>> oops sorry
>>
>>> Client software are packages from Debian Wheezy running on Debian Squeeze.
>>> I'm using my own kernel patched with grsecurity.
>>>
>> Okay, is this kernel derived from Debian Wheezy, upstream, ubuntu?
>
> It's a vanilla kernel downloaded directly from kernel.org + grsecurity from
> grsecurity.org.
>
>>> Attaching 3 files from those 3 commands. The last two commands printed this
>>> warning (probably ok):
>>>
>>>   Warning: found apache2 in /etc/apparmor.d/force-complain, forcing complain mode
>>>
>> yes that is fine, but thanks for the heads up
>>
>>> To avoid misunderstanding: I'm currently using this profile (in complain
>>> mode):
>>>
>>>   /usr/lib/apache2/mpm-itk/apache2 {
>>>     network,
>>>     capability,
>>>     file,
>>>     audit deny /home/**/*.php w,
>>>   }
>>>
>>> But I WANT to use this profile (not in complain mode):
>>>
>>>   /usr/lib/apache2/mpm-itk/apache2 {
>>>     network,
>>>     capability,
>>>     file,
>>>     audit /home/**/*.php w,
>>>   }
>>>
>>> Logging is working only in the first one so I'm forced to use it instead of
>>> the second one. Hope I'm clear enough. Thank you.
>>>
>> Okay, the output of the compiler for the first one looks good, I still need
>> to look at the kernel side (waiting for confirmation on the patchset there).
>>
>> Can you attach the same set of compiler output for the second profile (without
>> the deny) so I can check it as well.
>
> thanks

So commit ade3ddc01e2e426cc24c744be85dcaad4e8f8aba, which first showed up in v3.4, looks like it might fix this for you.

Also, would you be interested in a backport version of AppArmor to the 3.2 kernel? Basically we now have the current upstream v3.10 version backported to 3.2 as a drop-in replacement (no ABI changes, or touching the rest of the kernel tree). The 3.10 version has several bug fixes that are not present in the 3.2 kernel version.

-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
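The poster's stated goal is to have the profile above log writes to PHP files under /home and to process that log afterwards. As an added example (not part of this thread and not AppArmor project code), here is a small Python script that parses AppArmor AVC audit records, translates the rule's path glob `/home/**/*.php` into a regex, and picks out the logged write accesses that match it. The log lines are constructed in the shape of the kernel's AppArmor audit records, not captured from the poster's system; the meaning given to the `apparmor=` status values (AUDIT for a permitted access logged by an `audit` rule in enforce mode, ALLOWED for a complain-mode access) and the glob translation rules for `*`, `**` and `?` are my assumptions about AppArmor's behaviour, stated in the comments.

```python
"""Pick PHP writes under /home out of AppArmor audit records (added example)."""
import re
from typing import Dict, List, Optional

# Constructed sample records in the shape of the kernel's AppArmor AVC audit
# messages. They are illustrative only, not captured from the poster's system.
# Assumed meaning of the apparmor= field:
#   AUDIT   - access permitted and logged because an 'audit' rule matched
#   ALLOWED - access logged in complain mode (would be denied in enforce mode)
#   DENIED  - access blocked in enforce mode
#   STATUS  - profile load/replace notice, not a file access at all
SAMPLE_LOG = """\
type=AVC msg=audit(1372560000.101:1001): apparmor="AUDIT" operation="open" profile="/usr/lib/apache2/mpm-itk/apache2" name="/home/alice/public_html/index.php" pid=1234 comm="apache2" requested_mask="w" fsuid=1001 ouid=1001
type=AVC msg=audit(1372560000.102:1002): apparmor="ALLOWED" operation="open" profile="/usr/lib/apache2/mpm-itk/apache2" name="/home/bob/site/config.php" pid=1235 comm="apache2" requested_mask="w" denied_mask="w" fsuid=1002 ouid=1002
type=AVC msg=audit(1372560000.103:1003): apparmor="ALLOWED" operation="open" profile="/usr/lib/apache2/mpm-itk/apache2" name="/home/bob/site/index.php" pid=1235 comm="apache2" requested_mask="r" denied_mask="r" fsuid=1002 ouid=1002
type=AVC msg=audit(1372560000.104:1004): apparmor="DENIED" operation="open" profile="/usr/lib/apache2/mpm-itk/apache2" name="/var/www/html/upload.php" pid=1236 comm="apache2" requested_mask="w" denied_mask="w" fsuid=33 ouid=0
type=AVC msg=audit(1372560000.105:1005): apparmor="STATUS" operation="profile_replace" name="/usr/lib/apache2/mpm-itk/apache2" pid=999 comm="apparmor_parser"
"""

# Path pattern taken from the poster's rule:  audit /home/**/*.php w,
PHP_WRITE_RULE = "/home/**/*.php"

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
_TS = re.compile(r"audit\((\d+\.\d+):\d+\)")     # epoch seconds inside msg=


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Split one audit line into fields; None unless it is an AppArmor AVC record."""
    fields = {k: (q or u) for k, q, u in _KV.findall(line)}
    if fields.get("type") != "AVC" or "apparmor" not in fields:
        return None
    return fields


def aa_glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate AppArmor path globbing into an anchored Python regex.

    Assumed rules (approximating the parser's translation of plain globs):
      '*'  any run of characters except '/'
      '?'  one character other than '/'
      '**' any run including '/'; when it sits between '/' separators (or at
           the pattern's ends) it must start with a non-'/' character, so
           /home/**/*.php needs at least one directory level under /home.
    Alternation ({a,b}) and character classes are deliberately not handled.
    """
    out: List[str] = []
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "*" and i + 1 < n and pattern[i + 1] == "*":
            bounded_left = i == 0 or pattern[i - 1] == "/"
            bounded_right = i + 2 == n or pattern[i + 2] == "/"
            out.append("[^/].*" if bounded_left and bounded_right else ".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def matches_rule(path: str, rule: str = PHP_WRITE_RULE) -> bool:
    """True if the path would be matched by the rule's glob."""
    return aa_glob_to_regex(rule).match(path) is not None


def count_by_status(log_text: str) -> Dict[str, int]:
    """Records per apparmor= status; a quick way to see whether a profile is
    producing AUDIT (enforce + audit rule) or ALLOWED (complain) entries."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            counts[rec["apparmor"]] = counts.get(rec["apparmor"], 0) + 1
    return counts


def php_writes(log_text: str, rule: str = PHP_WRITE_RULE,
               statuses=("AUDIT", "ALLOWED")) -> List[Dict[str, str]]:
    """Logged, permitted write accesses whose path matches the rule."""
    rx = aa_glob_to_regex(rule)
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["apparmor"] not in statuses:
            continue
        if "w" not in rec.get("requested_mask", ""):
            continue
        if not rx.match(rec.get("name", "")):
            continue
        hits.append(rec)
    return hits


def summarize(records: List[Dict[str, str]]) -> List[str]:
    """One line per record: epoch time, effective uid, requested mask, path."""
    lines = []
    for rec in records:
        m = _TS.search(rec.get("msg", ""))
        ts = m.group(1) if m else "?"
        lines.append(f"{ts} fsuid={rec.get('fsuid', '?')} "
                     f"{rec['requested_mask']} {rec['name']}")
    return lines


if __name__ == "__main__":
    print(count_by_status(SAMPLE_LOG))
    for entry in summarize(php_writes(SAMPLE_LOG)):
        print(entry)
```

With a real system the input would be the lines that `ausearch -m AVC` or `/var/log/audit/audit.log` (or `dmesg` without auditd) produce; filtering on `requested_mask` rather than `denied_mask` is what lets the same script work for both the complain-mode profile the poster is running now and the enforce-mode `audit` profile they want to run.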
