>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I'm having problems with audit rule modifier - it's just not working
>>>>>>>> when used alone. I'm trying to enable only logging with this:
>>>>>>>> audit /home/** a,
>>>>>>>> audit /home/** w,
>>>>>>> By only logging you mean logging of an access but not granting
>>>>>>> permission?
>>>>>>
>>>>>> I mean logging of an access AND granting permission.
>>>>>>
>>>>> ok, I just wanted to be sure as we have had misunderstandings before
>>>>> around audit, with people expecting it to only change the auditing
>>>>> behavior and not grant permissions.
>>>>>
>>>>> ie. audit /** w,
>>>>>
>>>>> as a rule to catch any writes regardless of what other rules are. It
>>>>> would be a nice ability to have but the language doesn't allow specifying
>>>>> only the audit behavior like this atm.
>>>>>
>>>>>>>> It should work according to documentation (
>>>>>>>> http://wiki.apparmor.net/index.php/QuickProfileLanguage#Rule_Modifiers
>>>>>>>> ) but it's doing nothing. I was able to enable logging only with this
>>>>>>>> running in complain mode:
>>>>>>>> audit deny /home/**/*.php a,
>>>>>>>> audit deny /home/**/*.php w,
>>>>>>>>
>>>>>>> these two rules were necessary to get logging in complain mode?
>>>>>>
>>>>>> Well, I just read in docs that 'w' implies also 'a', so only the second
>>>>>> line is necessary. But yes, I had to use 'audit deny' for logging to
>>>>>> work (and, as I want to NOT deny the action, I had to use complain mode).
>>>>>>
>>>>> Okay
>>>>>
>>>>>>>> Audit alone is not working. Is this a known bug? Thanks.
>>>>>>>>
>>>>>>> It is not known.
>>>>>>>
>>>>>>> Can you send us the full profile you are using?
>>>>>> Here is the complete profile (I already removed that 'a' line and tested
>>>>>> it):
>>>>>>
>>>>>> /usr/lib/apache2/mpm-itk/apache2 {
>>>>>> network,
>>>>>> capability,
>>>>>> file,
>>>>>> audit deny /home/**/*.php w,
>>>>>> }
>>>>>>
>>>>>> As I said, I'm running this in complain mode because I don't want to
>>>>>> deny the action on last line. I want to use apparmor only for logging
>>>>>> access to files via PHP (I will be processing that log later).
>>>>>>
>>>>> Can you please provide the following information to help us diagnose the
>>>>> problem.
>>>>>
>>>>> Kernel version: use the command uname -a
>>>>> Parser version: use the command apparmor_parser -v
>>>>> State dump from the compiler: use the command
>>>>> apparmor_parser -D dfa-states -QT profile_file 2>states_file
>>>>>
>>>>> Compiled output of your profile: use either of the following commands
>>>>> apparmor_parser -S profile_file > output_file
>>>>> apparmor_parser -o output_file profile_file
>>>>>
>>>>> * the -o version may not work on older parsers.
>>>>> * profile_name is the file name where your profile is stored
>>>>> * states_file and out_file are just files that the output will be dumped
>>>>> in. So that you can attach them
>>>>
>>>> Kernel version: 3.2.47
>>>> Parser version: 2.7.103 (it was the -V switch)
>>> oops sorry
>>>
>>>> Client software are packages from Debian Wheezy running on Debian Squeeze.
>>>> I'm using my own kernel patched with grsecurity.
>>>>
>>> Okay, is this kernel derived from Debian Wheezy, upstream, ubuntu?
>>
>> It's vanilla kernel downloaded directly from kernel.org + grsecurity from
>> grsecurity.org.
>>
>>>> Attaching 3 files from those 3 commands.
>>>> Last two commands printed this
>>>> warning (probably ok):
>>>> Warning: found apache2 in /etc/apparmor.d/force-complain, forcing complain
>>>> mode
>>>>
>>> yes that is fine, but thanks for the heads up
>>>
>>>> To avoid misunderstanding: I'm currently using this profile (in complain
>>>> mode):
>>>>
>>>> /usr/lib/apache2/mpm-itk/apache2 {
>>>> network,
>>>> capability,
>>>> file,
>>>> audit deny /home/**/*.php w,
>>>> }
>>>>
>>>> But I WANT to use this profile (not in complain mode):
>>>> /usr/lib/apache2/mpm-itk/apache2 {
>>>> network,
>>>> capability,
>>>> file,
>>>> audit /home/**/*.php w,
>>>> }
>>>>
>>>> Logging is working only in the first one so I'm forced to use it instead
>>>> of second one. Hope I'm clear enough. Thank you.
>>>>
>>> Okay, the output of the compiler for the first one looks good, I still need
>>> to look at the kernel side (waiting for confirmation on the patchset there).
>>>
>>> Can you attach the same set of compiler output for the second profile (without
>>> the deny) so I can check it as well.
>>
> thanks
>
> so commit ade3ddc01e2e426cc24c744be85dcaad4e8f8aba which first showed up in
> v3.4 looks like it might fix this for you.
>
> Also would you be interested in a backport version of apparmor to the 3.2
> kernel? Basically we now have the current upstream v3.10 version backported to
> 3.2 as a drop in replacement (no abi changes, or touching the rest of the
> kernel tree). The 3.10 version has several bug fixes that are not present in
> the 3.2 kernel version.
This would be really cool if you'll be so kind :) I cannot move out from 3.2 yet because of grsecurity (stable version is currently for 3.2). Thank you!

azur

--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
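An added example, not part of this thread or of the AppArmor project: a small Python parser for the kernel audit lines a profile like the one above produces, run over constructed sample lines (pids, paths and timestamps are made up; the profile name is the one from the thread). It tells the three outcomes discussed apart (DENIED from the `audit deny` rule in enforce mode, ALLOWED in complain mode, AUDIT from a plain `audit` rule on a kernel that emits it) and extracts the .php write accesses azur says he wants to process later.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in the kernel audit format AppArmor emits (dmesg or
# /var/log/audit/audit.log); pids, paths and timestamps are made up.
SAMPLE_LOG = """\
type=AVC msg=audit(1375000001.123:101): apparmor="DENIED" operation="open" profile="/usr/lib/apache2/mpm-itk/apache2" name="/home/azur/www/index.php" pid=4242 comm="apache2" requested_mask="w" denied_mask="w" fsuid=33 ouid=1000
type=AVC msg=audit(1375000002.456:102): apparmor="ALLOWED" operation="open" profile="/usr/lib/apache2/mpm-itk/apache2" name="/home/azur/www/cache.php" pid=4242 comm="apache2" requested_mask="a" denied_mask="a" fsuid=33 ouid=1000
type=AVC msg=audit(1375000003.789:103): apparmor="AUDIT" operation="open" profile="/usr/lib/apache2/mpm-itk/apache2" name="/home/azur/www/upload.php" pid=4243 comm="apache2" requested_mask="w" fsuid=33 ouid=1000
type=AVC msg=audit(1375000004.000:104): apparmor="AUDIT" operation="open" profile="/usr/lib/apache2/mpm-itk/apache2" name="/home/azur/www/config.php" pid=4243 comm="apache2" requested_mask="r" fsuid=33 ouid=1000
"""

PROFILE = "/usr/lib/apache2/mpm-itk/apache2"   # profile name from the thread
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')      # key="quoted" or key=bare
_TS = re.compile(r'msg=audit\((\d+\.\d+):\d+\)')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one AppArmor audit line into its key=value fields (None if not one)."""
    if 'apparmor="' not in line:
        return None
    fields = {k: (inner if raw.startswith('"') else raw)
              for k, raw, inner in _KV.findall(line)}
    ts = _TS.search(line)
    fields["timestamp"] = ts.group(1) if ts else ""
    return fields


def php_writes(log_text: str, profile: str = PROFILE) -> List[Dict[str, object]]:
    """Write (or append: 'w' implies 'a') accesses to *.php files under `profile`.

    'outcome' tells the thread's three cases apart: DENIED = 'audit deny' in
    enforce mode, ALLOWED = complain mode (access went through but would have
    been denied), AUDIT = plain 'audit' rule on a kernel that emits it.
    """
    events = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev.get("profile") != profile or not ev.get("name", "").endswith(".php"):
            continue
        if not set(ev.get("requested_mask", "")) & {"w", "a"}:
            continue  # read-only opens are outside the rule's 'w' mask
        events.append({"timestamp": ev["timestamp"], "outcome": ev["apparmor"],
                       "path": ev["name"], "pid": ev["pid"], "ouid": ev["ouid"],
                       "access_went_through": ev["apparmor"] != "DENIED"})
    return events
```

Note that a plain `audit` rule produces no `denied_mask` field, which is how an AUDIT line can be told from a complain-mode ALLOWED line even before looking at the `apparmor=` value.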
