[Bug 1700231] Re: 16.04 , apparmor denies dbus communications even with flags=(complain)
@sles the supported way to move the entire profile and all subprofiles into complain mode is via the aa-complain utility in the apparmor-utils package. You may find that easier than manually adjusting individual profile flags. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1700231 Title: 16.04 , apparmor denies dbus communications even with flags=(complain) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1700231/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1700231] Re: 16.04 , apparmor denies dbus communications even with flags=(complain)
@sles, yes, this is expected behavior. The child profile 'inside' is still a separate profile and therefore needs to have its own flags. Marking this bug as Invalid based on reporter's feedback. If you feel this is in error, please reopen. Thanks for filing a bug and please feel free to file bugs in the future. ** Changed in: apparmor (Ubuntu) Status: Incomplete => Invalid -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1700231 Title: 16.04 , apparmor denies dbus communications even with flags=(complain) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1700231/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1700231] Re: 16.04 , apparmor denies dbus communications even with flags=(complain)
Well, may be this is not bug, but expected behaviour.
/etc/apparmor.d/usr.sbin.ejabberdctl
contains
/usr/sbin/ejabberdctl {
profile su {
...
}
}
I.e. there is profile su inside.
If I add:
/usr/sbin/ejabberdctl flags=(complain) {
it doesn't changeprofile su behaviour.
I have to add
profile su flags=(complain) {
then it works.
Problem here is that it breaks idea of scope, because profile su is _inside_,
but does not use flags from outside.
Thank you!
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1700231
Title:
16.04 , apparmor denies dbus communications even with flags=(complain)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1700231/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1700231] Re: 16.04 , apparmor denies dbus communications even with flags=(complain)
Hello - Thanks for the bug report!
I'm unable to reproduce the behavior that you're experiencing. Please
include more information about your environment such as the apparmor
package version and kernel version (/proc/version_signature).
Here's how I tested:
$ cmd="dbus-send --print-reply --system --dest=org.freedesktop.DBus
--type=method_call /org/freedesktop/DBus org.freedesktop.DBus.ListNames"
method return time=1498517150.253153 sender=org.freedesktop.DBus ->
destination=:1.58 serial=3 reply_serial=2
array [
string "org.freedesktop.DBus"
...
string ":1.19"
]
$ echo "profile complain-all flags=(complain) { }" | sudo apparmor_parser -qr
$ aa-exec -p complain-all -- $cmd
method return time=1498517219.310650 sender=org.freedesktop.DBus ->
destination=:1.59 serial=3 reply_serial=2
array [
string "org.freedesktop.DBus"
...
string ":1.19"
]
If AppArmor was denying D-Bus communications even with flags=(complain),
the `aa-exec -p complain-all -- $cmd` command would not have been able
to display the list of connected D-Bus clients.
Can you share how you came to the conclusion that AppArmor is
incorrectly denying D-Bus communications even when the profile is in
complain mode?
** Changed in: apparmor (Ubuntu)
Status: New => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1700231
Title:
16.04 , apparmor denies dbus communications even with flags=(complain)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1700231/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
