> On 08/07/2013 05:29 AM, azurIt wrote:
>> Hi,
>>
>> I'm trying to use mod_apparmor in Apache, but every request is creating a new
>> profile inside the kernel, which looks like this:
>> /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1001
>> /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1003
>> /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1005
>> /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1007
>> /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1009
>>
>> and so on. There are TONS of such profiles after a few weeks of running:
>> 42775 profiles are in complain mode.
>>
>> Am I doing something wrong?
>>
> Your profile is in complain mode and it is not finding the requested
> hat on its first attempt.
>
> Basically, complain mode in apparmor is a learning mode: instead of
> rejecting requests that don't have permission, it logs but allows
> them (complains). Domain transitions are special in that when the
> requested domain doesn't exist, it could be because it has not been
> created yet, or it could be that the request needs to be
> merged into the current profile. So apparmor creates a new null-XXX
> profile that is used to track this request.
>
> These request profiles are piling up because there is a bug where
> null-XXX profiles are not being garbage collected when no longer
> in use.
>
> Change the profile into enforce mode, using the aa-enforce tool
> on the file your apache profile is in (likely)
>
>   aa-enforce /etc/apparmor.d/usr.lib.apache2.mpm-itk.appache2
>
> or manually, either by deleting the symlink (if it
> exists) to the profile file in
>   /etc/apparmor.d/complain
>
> or by manually editing the profile to remove the complain
> flag, e.g.
>
>   /usr/lib/apache2/mpm-itk/appache2 (complain) {...}
>
> would become
>   /usr/lib/apache2/mpm-itk/appache2 {...}
Cool, thank you for the info :)

azur

--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
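A quick way to spot the pile-up described in the thread before it reaches tens of thousands of profiles is to read the kernel's profile list and count the null-NNN request profiles per parent hat, together with the mode flag of the base profile. The script below is an added example, not code from the thread or from the AppArmor project; it assumes the listing has the one-"name (mode)"-per-line shape of /sys/kernel/security/apparmor/profiles, and ships a constructed sample in that shape so it runs offline.

```shell
#!/bin/sh
# Added example: summarise an AppArmor profile listing and flag null-NNN
# request profiles, which complain mode creates on a missed hat lookup.

# Constructed sample in the assumed "/path//hat (mode)" format of
# /sys/kernel/security/apparmor/profiles; not real output.
SAMPLE_PROFILES='/usr/lib/apache2/mpm-itk/apache2 (complain)
/usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI (complain)
/usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1001 (complain)
/usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1003 (complain)
/usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1005 (complain)
/usr/sbin/sshd (enforce)'

# count_null_profiles LISTING -> number of null-NNN request profiles
count_null_profiles() {
    printf '%s\n' "$1" | grep -c '//null-[0-9][0-9]*'
}

# base_mode LISTING PROFILE -> mode flag of PROFILE ("complain"/"enforce"),
# empty if the profile is not loaded
base_mode() {
    printf '%s\n' "$1" | awk -v base="$2" \
        '$1 == base { gsub(/[()]/, "", $2); print $2; exit }'
}

# null_parents LISTING -> one "count parent-hat" line per hat that owns
# null-NNN profiles, so the noisiest hat is visible at a glance
null_parents() {
    printf '%s\n' "$1" | awk '/\/\/null-[0-9]+ / {
            sub(/\/\/null-[0-9]+ .*/, ""); n[$0]++ }
        END { for (p in n) print n[p], p }' | sort -rn
}

# report LISTING -> human-readable summary on stdout
report() {
    echo "null request profiles: $(count_null_profiles "$1")"
    null_parents "$1" | while read -r count parent; do
        base=${parent%%//*}
        echo "  $count under $parent (base profile mode: $(base_mode "$1" "$base"))"
    done
}

# Use the live kernel listing when readable, otherwise the constructed sample.
if [ -r /sys/kernel/security/apparmor/profiles ]; then
    report "$(cat /sys/kernel/security/apparmor/profiles)"
else
    report "$SAMPLE_PROFILES"
fi
```

A base profile reported in complain mode with a growing null count is the situation the reply describes; moving it to enforce mode stops new null-NNN profiles from being created.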