Hi there! I created a very simple profile to confine rkhunter (version numbers below).
This profile contains /** r, to be sure everything can be read by rkhunter. Despite using /** r, I get plenty of these error messages:

    Profile: /usr/bin/rkhunter
    Operation: getattr
    Name: usr/sbin/ModemManager
    Denied: r
    Logfile: /var/log/audit/audit.log
    (3 found, most recent from 'Thu Jul 16 19:51:22 2020')

    Profile: /usr/bin/rkhunter
    Operation: getattr
    Name: usr/sbin/NetworkManager
    Denied: r
    Logfile: /var/log/audit/audit.log
    (3 found, most recent from 'Thu Jul 16 19:51:22 2020')

As you can see, at "Name" the slash is missing; it should be

    Name: /usr/sbin/ModemManager
    Name: /usr/sbin/NetworkManager

Instead, as you can see, apparmor reports:

    Name: usr/sbin/ModemManager
    Name: usr/sbin/NetworkManager

Is this probably an error in rkhunter and not in apparmor? My guess is, rkhunter tries to access files like

    usr/sbin/ModemManager
    usr/sbin/NetworkManager
    usr/lib/upower/upowerd
    usr/lib/bluetooth/bluetoothd

without the leading slash. What do you think, broken rkhunter, forgetting the leading slash?

Versions used:

    apparmor-parser, apparmor-utils 2.13.4
    Kernel 5.7.7
    rkhunter 1.4.6

Thanks!
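Added example, not part of the original message and not AppArmor or rkhunter code: a small Python triage script that parses denial reports in the format quoted above, whether line-wrapped or flattened onto one line, and lists the entries whose Name has no leading slash. The sample text is constructed (one entry taken from the message, one invented absolute-path entry), the function names are hypothetical, and field values are assumed to contain no spaces.

```python
import re

# Constructed sample: first entry as quoted in the message, second one invented.
SAMPLE = """\
Profile: /usr/bin/rkhunter
Operation: getattr
Name: usr/sbin/ModemManager
Denied: r
Logfile: /var/log/audit/audit.log
(3 found, most recent from 'Thu Jul 16 19:51:22 2020')

Profile: /usr/bin/rkhunter
Operation: open
Name: /tmp/example.tmp
Denied: w
Logfile: /var/log/audit/audit.log
(1 found, most recent from 'Thu Jul 16 19:51:22 2020')
"""

# Assumption: values contain no whitespace, so the same pattern works on flattened text.
TOKEN = re.compile(r"\b(Profile|Operation|Name|Denied|Logfile):\s*(\S+)|\((\d+) found")

def parse_report(text):
    """Return one dict per report entry (keys: profile, operation, name, denied, logfile, count)."""
    entries, cur = [], {}
    for m in TOKEN.finditer(text):
        if m.group(3) is not None:        # "(N found, ..." closes the current entry
            if cur:
                cur["count"] = int(m.group(3))
                entries.append(cur)
                cur = {}
            continue
        key = m.group(1).lower()
        if key == "profile" and cur:      # next entry began without a count line
            entries.append(cur)
            cur = {}
        cur[key] = m.group(2)
    if cur:
        entries.append(cur)
    return entries

def slashless(entries):
    """(profile, operation, name, count) for entries whose Name lacks a leading slash."""
    return [(e.get("profile"), e.get("operation"), e["name"], e.get("count", 1))
            for e in entries if e.get("name") and not e["name"].startswith("/")]

if __name__ == "__main__":
    for row in slashless(parse_report(SAMPLE)):
        print("name without leading slash:", row)
```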
