[apparmor] [profile] Firefox: "org.freedesktop.UPower", "org.gtk.vfs.MountTracker", "lsb_release" child profile and other DENIED entries.

2017-05-02 Thread daniel curtis
Hi I noticed some DENIED messages related to the Firefox 53. on 16.04.2 LTS Release. Generally, there are AppArmor messages every day. I would like to ask a question about rules, which I need to add etc. Honestly, I'm a little surprised that there are so many DENIED actions. Here are these

[apparmor] [profile] Firefox: put /bin/ps in a Child Profile for an extra security?

2017-08-30 Thread daniel curtis
Hello I would like to ask a question about creating a Child Profile for a utility that reports a snapshot of the current processes - ps(1). My main reason for doing something like this is to create a stricter Firefox profile. Let's see; default Firefox profile, for example shipped with

[apparmor] [profile] xfce4-dict: complain mode: /usr/bin/enchant, /usr/bin/enchant-lsmod and access to Specific Resources.

2017-08-30 Thread daniel curtis
Hello On Wed, Aug 2. I've asked a question about xfce4-dict - a client program, for example, to query different dictionaries via internet connections etc. And I've had a problem with some aa-status(8) command result. Namely with "/usr/bin/enchant" and "/usr/bin/enchant-lsmod". So, during

[apparmor] [profile] xfce4-dict: complain mode: /usr/bin/enchant, /usr/bin/enchant-lsmod and access to Specific Resources.

2017-08-31 Thread daniel curtis
Hello Seth >> The ..//null-.. profiles are created by the kernel when a process >> in a complain-mode profile executes another program. OK, I understand this, but the main xfce4-dict program was Enforced. The "//null-" profiles were shown in aa-status(8) command result. (It concerned the

[apparmor] [profile] Firefox: put /bin/ps in a Child Profile for an extra security?

2017-08-31 Thread daniel curtis
Hello Seth Thank You very, very much for an answer and suggestions. OK, I will include . I think, that it can be found in every profile. But maybe I'm wrong? Honestly, I haven't met with the lack of yet. On the other side, I haven't probably seen many profiles :- ) Thank You, best regards. --

[apparmor] Syntax Error: Unknown line found in file /etc/apparmor.d/usr.lib.snapd.snap-confine.real.

2017-11-23 Thread daniel curtis
Hello Seth >> Can you report where it came from? (...) I'm pretty sure, that this profile was available after a fresh, default 16.04 install. I'm not using snap mechanism and I don't have any apps installed that way: [~]$ snap list No snaps are installed yet. Try "snap install hello-world". By

[apparmor] [profile] Evince: the lack of "private-files-strict" and a lenient, dangerous rules related to @{HOME} folder.

2017-11-29 Thread daniel curtis
Hello Jamie Remember that these evince profiles include abstractions/evince. This > has: > > > Geez, I totally forgot about checking another abstractions! Sorry. I was just amazed. That's all. Thank you for bringing my attention to it. By the way; are these abstractions rules really

[apparmor] Syntax Error: Unknown line found in file /etc/apparmor.d/usr.lib.snapd.snap-confine.real.

2017-11-22 Thread daniel curtis
Hello Today, I've noticed a strange issue with apparmor_parser(8) utility. I've manually created two files; let's say: 'usr.bin.1' and 'usr.lib.2' and pasted required AppArmor rules. Next, I wanted to put 'usr.bin.1' profile into a "complain" mode via aa-complain(8) but there is an error related

[apparmor] Let's enable AppArmor by default (why not?)

2017-11-20 Thread daniel curtis
Hello In His answer about removing the profile etc., Mr. John Johansen wrote, that "it is important to do removal before adding the symlink (...)" [see 1.] However, according to the Ubuntu "AppArmor Community Help Wiki" [see 2.] users should first make a symlink via ln(1) command and next use an

[apparmor] [profile] Evince: the lack of "private-files-strict" and a lenient, dangerous rules related to @{HOME} folder.

2017-12-02 Thread daniel curtis
Hello Seth Thank You for an answer and sorry for my naive, stupid questions and other things. >> Strictly speaking, even if you remove the ~/** rw, kinds of >> rules from firefox's profile, you'll still be able to download to >> any writable location in the profile. Doing any different would >>

[apparmor] [profile] netstat: cannot open /proc/net/dev (permission denied.) Limited output.

2017-12-06 Thread daniel curtis
Hello Today, during some work with, among others, AppArmor profiles, I noticed, that a "default" netstat(8) profile probably needs one rule. By writing "default", I mean this one, which can be found in e.g. 'apparmor-profiles/extras/' folder (under '/usr/share/doc/' directory) with some additions

[apparmor] [profile] /etc/cron.daily/logrotate: new rules, capability, permission - the final profile updates and version?

2017-10-25 Thread daniel curtis
Hello I'm writing this message, because I would like to, at last, finish logrotate profile updates. It's near the end. I hope so. Please read my post and help me make decisions. Especially with changing 'Ux' to 'PUx' mode for some rules and the matter of change access mode for

[apparmor] [profile] Firefox v58: '/.cache/fontconfig/', '/etc/ld.so.conf' and DENIED log entries.

2018-01-31 Thread daniel curtis
Hello Mr Simon You have written about questioning myself about AppArmor denials and what it's meaning for me and application etc. And I agree with you completely. I'm always trying to answer these questions when new DENIED entries appear in the logs. But that's not important here. You

[apparmor] [profile] Firefox v58: '/.cache/fontconfig/', '/etc/ld.so.conf' and DENIED log entries.

2018-01-28 Thread daniel curtis
Hello. A couple of days ago, Firefox was updated to a new v58.0 version. Since then, I have started to notice many DENIED entries in log files such as '/var/log/syslog' etc. These entries appear every few hours. Here is how it looks: ✗ apparmor="DENIED" operation="mknod"

[apparmor] [profile] Firefox v58: '/.cache/fontconfig/', '/etc/ld.so.conf' and DENIED log entries.

2018-02-11 Thread daniel curtis
Hello. On Wed. Jan 31, I've created a thread about some issues with AppArmor "DENIED" log entries after Firefox update to the v58 (please see: 1.) Everything worked okay, even without adding proper rules to the profile, but I've decided to add something like this: ✗ apparmor="DENIED"

[apparmor] [16.04 LTS]: missing /proc/$pid/{auxv, status} files (glibc's *printf protections) in base abstractions?

2018-03-12 Thread daniel curtis
Hello. I would like to ask a question about the glibc-needed files, that are still missing in the 'abstractions/base' file. There is a bug report on Launchpad reported by Mr Kees Cook on 2017-01-20 (see [1]). As we can see, "Status" for a Xenial release is marked as "Fix Released" in AppArmor

[apparmor] [profile] arpon 3: network rules.

2018-04-12 Thread daniel curtis
Hello. A couple of days ago, I created an AppArmor profile for ArpON 3 (ng) application. As we know, ArpON is a solution that makes the ARP protocol secure and helps to avoid - for example - the Man In The Middle (MITM) attack, the ARP spoofing, ARP cache poisoning or ARP poison routing attack etc.

[apparmor] [16.04 LTS]: missing /proc/$pid/{auxv, status} files (glibc's *printf protections) in base abstractions?

2018-04-18 Thread daniel curtis
Hello Christian. Geez, what a shame! Thank You for noticing such a stupid mistake. That's what happens when you're in a hurry. Fixed. (I will check it later by system reboot etc. Just to be 100% sure.) However, in the past I've had an issue with apparmor_parser(8) and one file from

[apparmor] [16.04 LTS]: missing /proc/$pid/{auxv, status} files (glibc's *printf protections) in base abstractions?

2018-04-17 Thread daniel curtis
Hello Mr Johansen. Thank You very much for an answer. Unfortunately it seems, that mentioned rule can not be added, by hand, to the 'abstractions/base' file, because there are some problems with apparmor_parser(8) command. I mean '/proc/$pid/{auxv, status}' rule etc. At first, I did not notice

[apparmor] [profile] Firefox: "org.mozilla.firefox.*" and "dbus_bind" -- DENIED.

2018-03-28 Thread daniel curtis
Hello. A couple of weeks ago, Firefox was updated to a new v59.0.1 version. (Yesterday, there was another update to v59.0.2 version). It seems that both updates are responsible for new "DENIED" entries related to the "dbus" event etc. Anyway, the first mentioned update was pretty simple

Re: [apparmor] [profile] logrotate: new rules needed.

2019-04-16 Thread daniel curtis
Hello. I'm sorry for such a long time without an answer. So, after five, six days of tests based on the removal (hashing) of some rules e.g. 'ptrace', it turned out that these rules are needed. Firstly, after removing rules, everything was okay - log files were rotated, information logged etc.

[apparmor] [profile] logrotate: new rules needed.

2019-04-10 Thread daniel curtis
Hello. Two years ago, Mr Seth Arnold, Mr Christian Boltz and I, started to work on Logrotate profile updates, because profile, which was then available did not have many necessary rules etc. However, We managed to achieve a satisfactory result (see 1.) In the meantime - during various tests -

Re: [apparmor] [profile] logrotate: new rules needed.

2019-04-10 Thread daniel curtis
Hello Mr Strandboge. First of all, I would like to thank You for your answer. Based on your suggestions, I will add an 'owner' prefix to the rules etc. However, I don't know what to do with rules for '/run/systemd/private' and 'net_admin' capability, because You've written, that: "these two are
