On 1/30/24 19:54, Murali Selvaraj wrote:
Hi All,

Systemd provides this variable AppArmorProfile= for the unit files.

I have enabled Apparmor support in systemd and confirmed it is enabled as per 
below output.

# systemctl  --version
systemd 250 (250.5+)
-PAM -AUDIT -SELINUX +APPARMOR +IMA -SMACK -SECCOMP -GCRYPT -GNUTLS -OPENSSL 
-ACL +BLKID -CURL -ELFUTILS -FIDO2 -IDN2 -IDN -IPTC +KMOD -LIBCRYPTSETUP 
+LIBFDISK -PCRE2 -PWQUALITY -P11KIT -QRENCODE -BZIP2 -LZ4 -XZ -ZLIB +ZSTD 
-BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=hybrid

test.service
[Service]
Type=forking
WorkingDirectory=/usr/local/
AppArmorProfile=-foo
ExecStart=/usr/bin/test
Restart=on-failure

During boot-up, profile "foo" is NOT loaded while executing test.service. 
However, I am observing the logs below:

grep -rni DENIED /var/logs/messages.txt
431:1970 Jan 01 00:00:33 localhost: audit: type=1400 audit(33.089:2): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="foo" pid=2970 comm="(sh)"

As per my understanding, if prefixed by "-", all errors will be ignored. But I 
am still observing the above logs.
Do we need to update this line AppArmorProfile=-foo in the unit file?

I would like to understand the difference between AppArmorProfile=foo and 
AppArmorProfile=-foo? It looks to me both behave the same.

Quoting the systemd documentation:

The argument passed should be an absolute filename or wildcard expression, optionally 
prefixed with "-", which indicates that if the file does not exist, it will not 
be read and no error or warning message is logged.

In the case of AppArmorProfile systemd will ignore an error if it happens, and 
systemd won't log the error.

The above error is being logged by AppArmor in the kernel, by systemd 
trying to use change_onexec for a profile that doesn't exist. This error will 
be returned to systemd, and then systemd subsequently ignores it and doesn't 
fail the unit or do any logging of its own.

To stop logging of the above message you would need to confine systemd with a 
profile, and the profile would need to be directed to not log denials for 
change profile.



Please share your views.

Thanks
Murali.S

On Tue, Jan 30, 2024 at 10:05 PM Murali Selvaraj <[email protected]> wrote:

    Hi All,

    Systemd provides this variable AppArmorProfile= for the unit files.

    I have enabled Apparmor support in systemd and confirmed it is enabled as 
per below output.

    # systemctl  --version
    systemd 250 (250.5+)
    -PAM -AUDIT -SELINUX +APPARMOR +IMA -SMACK -SECCOMP -GCRYPT -GNUTLS 
-OPENSSL -ACL +BLKID -CURL -ELFUTILS -FIDO2 -IDN2 -IDN -IPTC +KMOD 
-LIBCRYPTSETUP +LIBFDISK -PCRE2 -PWQUALITY -P11KIT -QRENCODE -BZIP2 -LZ4 -XZ 
-ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=hybrid

    test.service
    [Service]
    Type=forking
    WorkingDirectory=/usr/local/
    AppArmorProfile-=foo
    ExecStart=/usr/bin/test
    Restart=on-failure

    During boot-up, profile "foo" is NOT loaded while executing test.service. 
However, I am observing the logs below:

    grep -rni DENIED /var/logs/messages.txt
    431:1970 Jan 01 00:00:33 localhost: audit: type=1400 audit(33.089:2): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="foo" pid=2970 comm="(sh)"

    As per my understanding, if prefixed by "-", all errors will be ignored. 
But I am still observing the above logs.
    Do we need to update this line AppArmorProfile-=foo in the unit file?

    I would like to understand the difference between AppArmorProfile=foo and 
AppArmorProfile-=foo?

    Please share your views.

    Thanks
    Murali.S
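Added example, not code from the thread or from systemd/AppArmor: a small Python triage script that parses audit lines like the one reported above and tells the "change_onexec ... label not found" case (the kernel reporting that the named profile was not loaded when the unit exec'd, which the "-" prefix makes systemd ignore) apart from a real policy denial by a loaded profile. It also parses the "name (mode)" format of /sys/kernel/security/apparmor/profiles so the missing profile can be cross-checked against what is loaded now. The sample log lines other than the first one are constructed for this example, and the verdict labels are my own naming.

```python
"""Triage AppArmor audit records for the change_onexec "label not found" case.

Added example (not part of the mailing-list thread). Sample lines 2 and 3 below
are constructed; line 1 is the record quoted in the thread.
"""
import os
import re
import sys

# key="quoted value" or key=bareword, as emitted in AppArmor audit records
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

SAMPLE_LINES = [
    # The record reported in the thread (grep line-number prefix included)
    '431:1970 Jan 01 00:00:33 localhost: audit: type=1400 audit(33.089:2): '
    'apparmor="DENIED" operation="change_onexec" info="label not found" '
    'error=-2 profile="unconfined" name="foo" pid=2970 comm="(sh)"',
    # Constructed: a loaded profile "foo" denying a file open (a real policy denial)
    'Jan 30 20:01:02 localhost kernel: audit: type=1400 audit(1706644862.100:7): '
    'apparmor="DENIED" operation="open" profile="foo" name="/etc/shadow" '
    'pid=3001 comm="test" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    # Constructed: the profile being loaded by apparmor_parser (not a denial)
    'Jan 30 20:00:10 localhost kernel: audit: type=1400 audit(1706644810.500:3): '
    'apparmor="STATUS" operation="profile_load" profile="unconfined" '
    'name="foo" pid=1200 comm="apparmor_parser"',
]


def parse_audit_line(line):
    """Return the key/value fields of one audit line as a dict of strings."""
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def classify(fields):
    """Verdict for one parsed record (labels are this example's own)."""
    if fields.get("apparmor") != "DENIED":
        return "not-a-denial"
    if (fields.get("operation") == "change_onexec"
            and fields.get("info") == "label not found"):
        # The kernel could not find the label systemd asked for: the profile
        # named in name="..." was not loaded at the time of the exec.
        return "profile-not-loaded"
    return "policy-denial"


def loaded_profiles(text):
    """Parse 'name (mode)' lines as found in /sys/kernel/security/apparmor/profiles."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, mode = line.rpartition(" (")
        result[name] = mode.rstrip(")")
    return result


def read_loaded_profiles(path="/sys/kernel/security/apparmor/profiles"):
    """Read the live profile list; empty dict when AppArmor is not available."""
    if not os.path.exists(path):
        return {}
    with open(path) as fh:
        return loaded_profiles(fh.read())


def triage(lines, loaded=None):
    """Return (name, operation, verdict) for every AppArmor record in lines.

    If `loaded` (name -> mode) is given and a "profile-not-loaded" record names a
    profile that is loaded now, the verdict becomes "profile-loaded-after-exec":
    the profile exists but was loaded after the unit started, i.e. an ordering
    problem at boot rather than a missing profile.
    """
    out = []
    for line in lines:
        f = parse_audit_line(line)
        if "apparmor" not in f:
            continue  # not an AppArmor record
        verdict = classify(f)
        if verdict == "profile-not-loaded" and loaded and f.get("name") in loaded:
            verdict = "profile-loaded-after-exec"
        out.append((f.get("name"), f.get("operation"), verdict))
    return out


if __name__ == "__main__":
    # Usage: python3 aa_triage.py [/var/log/messages]; defaults to the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            records = [l for l in fh if 'apparmor="' in l]
    else:
        records = SAMPLE_LINES
    for name, op, verdict in triage(records, read_loaded_profiles()):
        print(f"{verdict:28s} operation={op} name={name}")
```

Running it against the thread's record with "foo" absent from the loaded list yields "profile-not-loaded", which is exactly the situation described above: the message is the kernel's, and the "-" prefix only stops systemd from failing the unit or logging on its own.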


