Public bug reported:

Applies to: Ubuntu 10.04 with 
Linux station1 2.6.32-40-generic #87-Ubuntu SMP Tue Mar 6 00:56:56 UTC 2012 
x86_64 GNU/Linux
# apt-cache policy apparmor
apparmor:
  Installiert: 2.5.1-0ubuntu0.10.04.3
  Kandidat: 2.5.1-0ubuntu0.10.04.3


Logprof/Genprof may be used to generate new AppArmor profiles. 
Logprof/Genprof read /var/log/audit/audit.log or /var/log/syslog and convert 
AppArmor logs into AppArmor rules for the profiles.

Logprof/Genprof ignore some AppArmor messages and the resulting profiles are 
therefore missing some rules!
In our tests this happened with messages concerning the unlinking of file 
sockets and PID files. This can easily be reproduced by removing the supplied 
mysqld profile and recreating it from scratch with genprof /usr/sbin/mysqld.
The following message in the log files is ignored:
type=APPARMOR_DENIED msg=audit(1333625359.497:1157):  operation="unlink" 
pid=3323 parent=1 profile="/usr/sbin/mysqld" requested_mask="d::" 
denied_mask="d::" fsuid=116 ouid=116 name="/var/run/mysqld/mysqld.sock"

Running logprof on the audit-log does not add the rule either:
# logprof /usr/sbin/mysqld 
Reading log entries from /var/log/audit/audit.log.
Updating AppArmor profiles in /etc/apparmor.d.


Another example is rsyslogd. Create a profile from scratch and the unlinking 
of the PID file is not honored:
type=APPARMOR_DENIED msg=audit(1333626051.867:1283):  operation="unlink" 
pid=4984 parent=1 profile="/usr/sbin/rsyslogd" requested_mask="::d" 
denied_mask="::d" fsuid=101 ouid=0 name="/var/run/rsyslogd.pid"

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/974165

Title:
  logprof/genprof skip logmessages concerning unlink

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/974165/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
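An added example, not part of the report or of the apparmor package: a small Python parser for the two denied events quoted above that shows the file rule genprof/logprof should have proposed for each. It assumes the `::`-separated masks carry owner permissions before `::` and non-owner permissions after it (consistent with the fsuid/ouid values in both lines), that unlink is covered by write (`w`) permission in a file rule, and that an event on a file the process owns gets an `owner` rule.

```python
import re

# The two APPARMOR_DENIED lines quoted in the report above.
LOG_LINES = [
    'type=APPARMOR_DENIED msg=audit(1333625359.497:1157):  operation="unlink" '
    'pid=3323 parent=1 profile="/usr/sbin/mysqld" requested_mask="d::" '
    'denied_mask="d::" fsuid=116 ouid=116 name="/var/run/mysqld/mysqld.sock"',
    'type=APPARMOR_DENIED msg=audit(1333626051.867:1283):  operation="unlink" '
    'pid=4984 parent=1 profile="/usr/sbin/rsyslogd" requested_mask="::d" '
    'denied_mask="::d" fsuid=101 ouid=0 name="/var/run/rsyslogd.pid"',
]

# Assumed mask->permission mapping: deleting a file ('d') needs write ('w')
# in a file rule, which is the mask the reported logprof/genprof drops.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "d": "w", "l": "l", "k": "k", "m": "m"}

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_audit_line(line):
    """Split an audit line into a dict of key=value fields, quotes stripped."""
    return {key: quoted if raw.startswith('"') else raw
            for key, raw, quoted in KV_RE.findall(line)}

def mask_to_perms(mask):
    """Return (owner_perms, other_perms) for a requested/denied mask.
    Assumption: the 2.5-era 'x::y' form lists owner permissions before '::'
    and non-owner permissions after it; a plain mask applies to both."""
    owner, other = mask.split("::", 1) if "::" in mask else (mask, mask)
    to_perms = lambda m: "".join(sorted({MASK_TO_PERM[c] for c in m if c in MASK_TO_PERM}))
    return to_perms(owner), to_perms(other)

def suggest_rule(fields):
    """Return the file rule a denial should add, or None if it is not a file denial."""
    if fields.get("type") != "APPARMOR_DENIED" or "name" not in fields:
        return None
    # Assumed: fsuid == ouid means the process owns the file -> 'owner' rule.
    is_owner = fields.get("fsuid") == fields.get("ouid")
    owner_perms, other_perms = mask_to_perms(fields["denied_mask"])
    perms = owner_perms if is_owner else other_perms
    if not perms:
        return None
    return f"{'owner ' if is_owner else ''}{fields['name']} {perms},"

def rules_for_log(lines):
    """Group suggested rules by profile, in log order, without duplicates."""
    rules = {}
    for fields in map(parse_audit_line, lines):
        rule = suggest_rule(fields)
        if rule and rule not in rules.setdefault(fields["profile"], []):
            rules[fields["profile"]].append(rule)
    return rules
```

Running `rules_for_log(LOG_LINES)` yields one `w` rule per profile for the socket and PID file that the shipped logprof silently skipped.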