On 8/31/20 9:09 PM, swarna latha wrote:
> Yes Seth.
>
> My system works fine if the capability line is in the profile.
>
> Below are my two queries...
>
> 1. Is listing all the capabilities same as adding the "capability," line. I
> don't see the same behaviour. Listing all the capabs is not working, whereas
> adding the capability, line works
> 2. I am not able to identify the required capability from apparmor logs.
> Ideally we should see it in the capable operation? Is there any scenario where
> capability is used, and apparmor does not log it...
>

The dedup cache can keep capabilities from being logged if the request has been encountered recently.

What kernel are you using? And are you willing to build or try a debug kernel?

> Thanks,
> Swarna
>
> On Mon, Aug 31, 2020 at 11:26 PM Seth Arnold <[email protected]> wrote:
>
> > On Mon, Aug 31, 2020 at 10:34:46PM -0400, swarna latha wrote:
> > > I am getting the complete set of libraries used by my process with status=
> > > AUDIT, right from /etc/ld.so.cache. It looks to me as though the profile is
> > > not applied, though I have rules allowing the /etc/ld.so cache access.
> > >
> > > As I have these file entries in my profile, I am not getting
> > > ALLOWED/DENIED, hence not able to regenerate the profile with these events.
> >
> > Hello Swarna, so, is it the case that your system works fine when the
> > 'capability,' line is in the profile, but when you remove it and reload
> > the profile, the application doesn't start *and* doesn't log anything
> > different?
> >
> > Thanks
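
For the second query in the thread (finding the needed capability in the logs), here is an added example, not code from the thread or from the AppArmor project, that collects `operation="capable"` audit records for one profile and turns them into per-capability rules. The log lines, the profile path `/usr/bin/exampled` and the PIDs are constructed; because of the dedup cache mentioned above, a capability missing from the output is not proof that it is unused.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not from the thread); profile names and PIDs are made up.
SAMPLE_LOG = """\
audit: type=1400 audit(1598927000.101:51): apparmor="DENIED" operation="capable" profile="/usr/bin/exampled" pid=812 comm="exampled" capability=12 capname="net_admin"
audit: type=1400 audit(1598927000.140:52): apparmor="AUDIT" operation="open" profile="/usr/bin/exampled" name="/etc/ld.so.cache" pid=812 comm="exampled" requested_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1598927001.310:53): apparmor="ALLOWED" operation="capable" profile="/usr/bin/exampled" pid=812 comm="exampled" capability=21 capname="sys_admin"
audit: type=1400 audit(1598927002.007:54): apparmor="DENIED" operation="capable" profile="/usr/bin/other" pid=900 comm="other" capability=1 capname="dac_override"
audit: type=1400 audit(1598927003.500:55): apparmor="DENIED" operation="capable" profile="/usr/bin/exampled" pid=812 comm="exampled" capability=12 capname="net_admin"
"""

# key=value pairs; values are either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def capable_events(log_text, profile):
    """Map capname -> set of statuses seen in capable records for one profile."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("operation") != "capable" or rec.get("profile") != profile:
            continue
        name = rec.get("capname")
        if name:  # skip malformed records that lack a capability name
            seen[name].add(rec.get("apparmor", "UNKNOWN"))
    return dict(seen)


def suggested_rules(log_text, profile):
    """Sorted 'capability <name>,' rules for every capability that was logged."""
    return [f"capability {name}," for name in sorted(capable_events(log_text, profile))]


if __name__ == "__main__":
    events = capable_events(SAMPLE_LOG, "/usr/bin/exampled")
    for name, statuses in sorted(events.items()):
        print(f"{name:15} {','.join(sorted(statuses))}")
    print("\n".join(suggested_rules(SAMPLE_LOG, "/usr/bin/exampled")))
```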
