Hi All,

Systemd provides this variable AppArmorProfile= for the unit files.

I have enabled AppArmor support in systemd and confirmed it is enabled as per the output below.

# systemctl --version
systemd 250 (250.5+)
-PAM -AUDIT -SELINUX +APPARMOR +IMA -SMACK -SECCOMP -GCRYPT -GNUTLS -OPENSSL -ACL +BLKID -CURL -ELFUTILS -FIDO2 -IDN2 -IDN -IPTC +KMOD -LIBCRYPTSETUP +LIBFDISK -PCRE2 -PWQUALITY -P11KIT -QRENCODE -BZIP2 -LZ4 -XZ -ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=hybrid

test.service
[Service]
Type=forking
WorkingDirectory=/usr/local/
AppArmorProfile=-foo
ExecStart=/usr/bin/test
Restart=on-failure

During boot-up, profile "foo" is NOT loaded while executing test.service. However, I am observing the logs below:

grep -rni DENIED /var/logs/messages.txt
431:1970 Jan 01 00:00:33 localhost: audit: type=1400 audit(33.089:2): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="foo" pid=2970 comm="(sh)"

As per my understanding, if prefixed by "-", all errors will be ignored. But I am still observing the above logs. Do we need to update this line AppArmorProfile=-foo in the unit file?

I would like to understand the difference between AppArmorProfile=foo and AppArmorProfile=-foo. It looks to me that both behave the same.

Please share your views.

Thanks
Murali.S

On Tue, Jan 30, 2024 at 10:05 PM Murali Selvaraj <[email protected]> wrote:
> Hi All,
>
> Systemd provides this variable AppArmorProfile= for the unit files.
>
> I have enabled AppArmor support in systemd and confirmed it is enabled as per the output below.
>
> # systemctl --version
> systemd 250 (250.5+)
> -PAM -AUDIT -SELINUX +APPARMOR +IMA -SMACK -SECCOMP -GCRYPT -GNUTLS -OPENSSL -ACL +BLKID -CURL -ELFUTILS -FIDO2 -IDN2 -IDN -IPTC +KMOD -LIBCRYPTSETUP +LIBFDISK -PCRE2 -PWQUALITY -P11KIT -QRENCODE -BZIP2 -LZ4 -XZ -ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=hybrid
>
> test.service
> [Service]
> Type=forking
> WorkingDirectory=/usr/local/
> AppArmorProfile-=foo
> ExecStart=/usr/bin/test
> Restart=on-failure
>
> During boot-up, profile "foo" is NOT loaded while executing test.service. However, I am observing the logs below:
>
> grep -rni DENIED /var/logs/messages.txt
> 431:1970 Jan 01 00:00:33 localhost: audit: type=1400 audit(33.089:2): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="foo" pid=2970 comm="(sh)"
>
> As per my understanding, if prefixed by "-", all errors will be ignored. But I am still observing the above logs.
> Do we need to update this line AppArmorProfile-=foo in the unit file?
>
> I would like to understand the difference between AppArmorProfile=foo and AppArmorProfile-=foo?
>
> Please share your views.
>
> Thanks
> Murali.S
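The check a practitioner would run before relying on this setting, as an added example that is not from the thread and not code from systemd or AppArmor: a POSIX shell script that confirms a profile is actually loaded by reading /sys/kernel/security/apparmor/profiles (the kernel's list of loaded profiles, one "name (mode)" line each, readable by root once securityfs is mounted), pulls individual fields out of the audit line quoted above, and reports what systemd.exec(5) says will happen for a given AppArmorProfile= value: the profile must already be loaded in the kernel or the unit fails to start, and a leading "-" only makes systemd ignore that failure, so the service is started without the profile. The sample profile listing is constructed (it deliberately lacks "foo"), the function names and exit codes are this example's own, and the audit line is the one from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread, systemd or AppArmor.
#   aa_profile_loaded NAME [PROFILES_FILE]  exit 0 if NAME is a loaded profile
#   audit_field LINE KEY                    print KEY's value from an audit line
#   aa_preflight SETTING [PROFILES_FILE]    report what AppArmorProfile=SETTING does

# Constructed stand-in for /sys/kernel/security/apparmor/profiles, one
# "<name> (<mode>)" line per loaded profile. "foo" is absent, as in the thread.
SAMPLE_PROFILES='/usr/sbin/tcpdump (enforce)
nvidia_modprobe (enforce)
lsb_release (complain)'

# The kernel audit line quoted in the thread.
SAMPLE_AUDIT='audit: type=1400 audit(33.089:2): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="foo" pid=2970 comm="(sh)"'

aa_profile_loaded() {
    name=$1
    file=${2:-/sys/kernel/security/apparmor/profiles}
    [ -r "$file" ] || return 1
    # Require the whole name followed by " (" so "foo" does not match "foobar".
    awk -v n="$name" 'index($0, n " (") == 1 { found = 1 } END { exit !found }' "$file"
}

audit_field() {
    line=$1
    key=$2
    # Quoted values (info="label not found") lose their quotes; bare values
    # (error=-2) run up to the next blank. Prints nothing and fails if absent.
    val=$(printf '%s\n' "$line" | sed -n \
        -e 's/.*[[:space:]]'"$key"'="\([^"]*\)".*/\1/p' \
        -e 's/.*[[:space:]]'"$key"'=\([^[:space:]"]*\).*/\1/p')
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# Per systemd.exec(5): the profile must already be loaded or the unit fails;
# a leading "-" makes systemd ignore the failed switch and start the service
# anyway, which then runs without the profile.
aa_preflight() {
    setting=$1
    file=${2:-/sys/kernel/security/apparmor/profiles}
    case $setting in
        -*) profile=${setting#-}; ignore_errors=yes ;;
        *)  profile=$setting;     ignore_errors=no ;;
    esac
    if aa_profile_loaded "$profile" "$file"; then
        printf 'ok: %s is loaded, service will be confined by it\n' "$profile"
        return 0
    elif [ "$ignore_errors" = yes ]; then
        printf 'warning: %s is not loaded, service will start unconfined\n' "$profile"
        return 2
    else
        printf 'error: %s is not loaded, service will fail to start\n' "$profile"
        return 1
    fi
}

# Demo against the constructed listing; drop the second argument to consult
# the real kernel listing on a running system.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_PROFILES" > "$demo_file"
aa_preflight foo "$demo_file" || true
aa_preflight -foo "$demo_file" || true
aa_preflight nvidia_modprobe "$demo_file"
printf 'audit: operation=%s info="%s" error=%s\n' \
    "$(audit_field "$SAMPLE_AUDIT" operation)" \
    "$(audit_field "$SAMPLE_AUDIT" info)" \
    "$(audit_field "$SAMPLE_AUDIT" error)"
rm -f "$demo_file"
```

The same test can be run from an ExecStartPre= line in a drop-in for the unit; a non-zero exit there fails the unit with a readable message instead of leaving only an audit record behind an unconfined service.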
