Am 16.07.20 um 23:51 schrieb Seth Arnold: > On Thu, Jul 16, 2020 at 09:36:11PM +0200, [email protected] wrote: >> Instead, as you can see, apparmor reports: >> $ >> Name: usr/sbin/ModemManager >> Name: usr/sbin/NetworkManager >> $ >> $ >> Is this probably an error in rkhunter and not in apparmor? > > This is because rkhunter is executing in its own filesystem namespace for > whatever reason, and the LSM interface isn't passing to AppArmor > sufficient information for AppArmor to know the mountpoint that was used > to access those files. > > You can add flags=(attach_disconnected) near the start of the profile to > cause these accesses to be treated as if they were mounted at /. > > eg > > profile rkhunter /usr/bin/rkhunter flags=(attach_disconnected) { > /** r,
Thanks a lot ! That did the trick. And I just see, some profiles already use this flag, like usr.sbin.ntpd usr.sbin.apache2 and few others. Best regards -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
