Hello,

Some time ago - generally last year - I'd asked a question about netstat(8) and its AppArmor profile [1], which contains rules related to the IPv6 protocol, such as:

    owner @{PROC}/*/net/tcp6 r,
    owner @{PROC}/*/net/udp6 r,
    owner @{PROC}/*/net/raw6 r,

For now I'm not using this protocol, so I was advised by Mr John Johansen [2] that: "if you aren't using ipv6 you should be able to drop them". Following his suggestion I removed these rules. But a week ago I noticed (if I remember correctly, during chkrootkit tests etc.) that system log files, for example '/var/log/kern.log', contain:

    Jan 4 18:07:59 t4 kernel: [25051.745979] type=1400 audit(1483549679.968:46): apparmor="DENIED" operation="open" parent=3863 profile="/bin/netstat" name="/proc/4199/net/tcp6" pid=4199 comm="netstat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
    Jan 4 18:07:59 t4 kernel: [25051.746124] type=1400 audit(1483549679.968:47): apparmor="DENIED" operation="open" parent=3863 profile="/bin/netstat" name="/proc/4199/net/udp6" pid=4199 comm="netstat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
    Jan 4 18:07:59 t4 kernel: [25051.746190] type=1400 audit(1483549679.968:48): apparmor="DENIED" operation="open" parent=3863 profile="/bin/netstat" name="/proc/4199/net/raw6" pid=4199 comm="netstat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

As we can see, these DENIED entries are related to the rules which I removed previously. So: are they needed or not? (I'm not using the IPv6 protocol.) Do I have to restore these rules? Or maybe it's just an effect of chkrootkit and I don't need the rules related to the IPv6 protocol? What is your opinion on this one?

I'm sorry for such naive questions.

Best regards.

_____________
[1] https://github.com/Harvie/AppArmor-Profiles/blob/master/bin.netstat
[2] https://lists.ubuntu.com/archives/apparmor/2016-December/010329.html
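As an added example (not part of the original post or of the AppArmor project), the following Python script parses AppArmor "DENIED" audit lines like the three quoted above and reconstructs, per profile, the rule each denial corresponds to, generalising /proc/<pid>/ to @{PROC}/*/ and adding the owner qualifier only when fsuid equals ouid, in the style of the netstat profile. The log lines are the ones from the message, embedded as constructed sample input.

```python
import re

# Constructed sample input: the three kern.log lines quoted in the message.
SAMPLE_LOG = """\
Jan 4 18:07:59 t4 kernel: [25051.745979] type=1400 audit(1483549679.968:46): apparmor="DENIED" operation="open" parent=3863 profile="/bin/netstat" name="/proc/4199/net/tcp6" pid=4199 comm="netstat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 4 18:07:59 t4 kernel: [25051.746124] type=1400 audit(1483549679.968:47): apparmor="DENIED" operation="open" parent=3863 profile="/bin/netstat" name="/proc/4199/net/udp6" pid=4199 comm="netstat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 4 18:07:59 t4 kernel: [25051.746190] type=1400 audit(1483549679.968:48): apparmor="DENIED" operation="open" parent=3863 profile="/bin/netstat" name="/proc/4199/net/raw6" pid=4199 comm="netstat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# A per-process /proc prefix such as /proc/4199/, to be generalised.
PROC_RE = re.compile(r'^/proc/\d+/')

def parse_apparmor_line(line):
    """Return a dict of the key=value fields of one AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields

def suggest_rule(fields):
    """Turn one DENIED file-access event into the profile rule that would allow it."""
    if fields.get('apparmor') != 'DENIED' or 'name' not in fields:
        return None
    path = PROC_RE.sub('@{PROC}/*/', fields['name'])
    # 'owner' restricts the rule to files owned by the accessing uid, which
    # is what the log shows when fsuid and ouid agree (both 0 above).
    owner = 'owner ' if fields.get('fsuid') == fields.get('ouid') else ''
    return owner + path + ' ' + fields['denied_mask'] + ','

def rules_from_log(text):
    """Map each profile to the distinct rules its denials call for, in log order."""
    needed = {}
    for line in text.splitlines():
        fields = parse_apparmor_line(line)
        rule = suggest_rule(fields) if fields else None
        if rule and rule not in needed.setdefault(fields['profile'], []):
            needed[fields['profile']].append(rule)
    return needed

if __name__ == '__main__':
    for profile, rules in rules_from_log(SAMPLE_LOG).items():
        print(profile)
        for rule in rules:
            print('    ' + rule)
```

Running it on the quoted log prints exactly the three rules that were removed from the profile, which shows that the denials come from those rules and not from anything else in the profile; whether to restore them is the question the post asks.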
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor