On Fri, Oct 23, 2015 at 11:23:17PM +0200, SZIGETVÁRI János wrote:
> [127951.664275] type=1400 audit(1445632556.846:970): apparmor="ALLOWED"
> operation="file_mmap"
> profile="/opt/syslog-ng/libexec/syslog-ng//null-47//null-48//null-4b"
> name="/lib/x86_64-linux-gnu/libc-2.19.so" pid=2450 comm="cat"
> requested_mask="mr" denied_mask="mr" fsuid=101 ouid=0

Hello Janos,
I don't know for certain what has happened here but because you're using a
..//null-xx//.. set of complain-mode profiles and the executable is 'cat'
(for this log line), it feels to me that the processes and their
confinements have gotten out of sync.
The aa-genprof and aa-logprof tools try to change existing processes'
confinement based on answers to the execution questions, but this is not
perfect.
If this is the case, the most foolproof way forward is usually to manually
unload all the ..//null-xx//.. profiles, stop the program, reload the
profile, and restart the program.
Something like this should unload all the ..//null-xx//.. profiles:
awk '/null-/ { print "profile " $1 " { }" };' < /sys/kernel/security/apparmor/profiles | apparmor_parser --remove
Then apparmor_parser --replace /path/to/new/syslogng/profile
Then restart syslog-ng
Hopefully this will get you better / newer DENIED or ALLOWED logs to keep
iterating on the profile.
Thanks
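Added example, not part of the original message or of the AppArmor tools: a dry run of the cleanup described above, scoped to the null-xx children of one root profile instead of every line matching null-, plus a count of which commands were logged under those children. The function names and sample data are constructed, and profile names are assumed to contain no spaces.

```shell
# Added example; function names and sample data are constructed for illustration.
# Constructed sample in the "name (mode)" layout of /sys/kernel/security/apparmor/profiles
sample_profiles() {
cat <<'EOF'
/opt/syslog-ng/libexec/syslog-ng (complain)
/opt/syslog-ng/libexec/syslog-ng//null-47 (complain)
/opt/syslog-ng/libexec/syslog-ng//null-47//null-48 (complain)
/opt/syslog-ng/libexec/syslog-ng//null-47//null-48//null-4b (complain)
/usr/sbin/cupsd//null-12 (complain)
/usr/bin/null-device-tool (enforce)
EOF
}

# Constructed kernel log lines, shaped like the one quoted in the thread
sample_log() {
cat <<'EOF'
[1.0] type=1400 audit(1.0:1): apparmor="ALLOWED" operation="file_mmap" profile="/opt/syslog-ng/libexec/syslog-ng//null-47//null-48//null-4b" name="/lib/x86_64-linux-gnu/libc-2.19.so" pid=2450 comm="cat" requested_mask="mr"
[2.0] type=1400 audit(2.0:2): apparmor="ALLOWED" operation="open" profile="/opt/syslog-ng/libexec/syslog-ng//null-47" name="/etc/hosts" pid=2451 comm="cat" requested_mask="r"
[3.0] type=1400 audit(3.0:3): apparmor="ALLOWED" operation="exec" profile="/opt/syslog-ng/libexec/syslog-ng" name="/bin/sh" pid=2452 comm="sh" requested_mask="x"
[4.0] type=1400 audit(4.0:4): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cupsd//null-12" name="/etc/passwd" pid=2453 comm="cat" requested_mask="r"
EOF
}

# null_stubs ROOT: profiles listing on stdin, one empty stub per //null-xx child of
# ROOT on stdout. Other programs' null profiles and paths that merely contain
# "null-" are left alone.
null_stubs() {
    awk -v root="$1" 'index($1, root "//null-") == 1 { print "profile " $1 " { }" }'
}

# null_events ROOT: kernel log on stdin, "count comm" on stdout for AppArmor
# events whose profile= field is a //null-xx child of ROOT.
null_events() {
    awk -v root="$1" '/apparmor=/ {
        prof = ""; comm = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^profile=/) { prof = $i; gsub(/^profile="|"$/, "", prof) }
            if ($i ~ /^comm=/)    { comm = $i; gsub(/^comm="|"$/, "", comm) }
        }
        if (index(prof, root "//null-") == 1) seen[comm]++
    }
    END { for (c in seen) print seen[c], c }' | sort -k2
}

ROOT=/opt/syslog-ng/libexec/syslog-ng
sample_profiles | null_stubs "$ROOT"   # live host: read the securityfs file, pipe to apparmor_parser --remove
sample_log | null_events "$ROOT"
```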
