On 07/08/2019 05:34, John Johansen wrote:
> name="apparmor/.null" says that it is an fd that was inherited and apparmor did a
> revalidation on it and the access was denied so the fd was duped to a special null
> device file instead of outright closing it (there are good reasons for doing this).
>
> So you will need to look back in your log for an apparmor=DENIED message, with
> operation="file_inherit" that should give you the actual file in this case.

Ok, I see.

> I should note that on newer kernels we don't generally audit apparmor/.null so
> you will only get the file_inherit denial logged.

I have the 5.2.6 kernel and usually I use the latest stable.

I have another question, what about this message?

kernel: [42605.998291][ T22] audit: type=1400 audit(1565176324.321:851): apparmor="ALLOWED" \
 operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="userdel" \
 name="" pid=24997 comm="userdel" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Here *name=""* is empty. So what about this case?
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
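
The log correlation described in the quoted reply (finding the earlier apparmor=DENIED operation="file_inherit" record behind a name="apparmor/.null" entry), as an added example that is not part of the original message or of AppArmor's own tooling. The sample records are constructed, and matching records on pid and profile is an assumption made for illustration.

```python
import re

# key="quoted value" (may be empty, as in name="") or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_apparmor(line):
    """Return the fields of an AppArmor audit record (type=1400), or None."""
    if "type=1400" not in line or "apparmor=" not in line:
        return None
    body = line.split("): ", 1)[-1]  # drop the "audit(ts:serial): " prefix
    return {k: (bare or quoted) for k, quoted, bare in FIELD_RE.findall(body)}

def resolve_null_fds(lines):
    """Pair each name="apparmor/.null" record with the most recent earlier
    DENIED file_inherit record. Matching on (pid, profile) is an assumption."""
    last_inherit = {}  # (pid, profile) -> file named in the file_inherit denial
    results = []
    for line in lines:
        rec = parse_apparmor(line)
        if rec is None:
            continue
        key = (rec.get("pid"), rec.get("profile"))
        if rec.get("apparmor") == "DENIED" and rec.get("operation") == "file_inherit":
            last_inherit[key] = rec.get("name", "")
        elif rec.get("name") == "apparmor/.null":
            # None means the file_inherit denial is not in the lines given
            results.append((rec.get("pid"), rec.get("operation"), last_inherit.get(key)))
    return results

# Constructed sample records (not taken from the thread).
SAMPLE = [
    'audit: type=1400 audit(1565170000.100:10): apparmor="DENIED" operation="file_inherit" '
    'profile="example_prog" name="/dev/pts/3" pid=4242 comm="example_prog" '
    'requested_mask="wr" denied_mask="wr" fsuid=0 ouid=1000',
    'audit: type=1400 audit(1565170000.101:11): apparmor="DENIED" operation="file_perm" '
    'profile="example_prog" name="apparmor/.null" pid=4242 comm="example_prog" '
    'requested_mask="w" denied_mask="w" fsuid=0 ouid=0',
    'audit: type=1400 audit(1565170005.200:12): apparmor="DENIED" operation="file_perm" '
    'profile="example_prog" name="apparmor/.null" pid=4300 comm="example_prog" '
    'requested_mask="w" denied_mask="w" fsuid=0 ouid=0',
    'audit: type=1400 audit(1565170009.300:13): apparmor="ALLOWED" operation="getattr" '
    'profile="example_prog" name="" pid=4301 comm="example_prog" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

if __name__ == "__main__":
    for pid, op, real in resolve_null_fds(SAMPLE):
        print(f"pid={pid} op={op} inherited file: {real or 'not found in log'}")
```

A result of `None` for a pid means the matching file_inherit denial was not among the lines supplied, for example because it sits in an older, rotated log.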
