On 8 August 2018 at 16:17, Michael Ströder <mich...@stroeder.com> wrote:
> Hi!
>
> I'm using uwsgi for starting WSGI Python apps.
>
> uwsgi itself is started with a systemd unit which also mandates that an
> AppArmor profile is loaded for that unit.
>
> Although I'm using pretty tight AppArmor profiles, everything works.
>
> Now I'd like to minimize the (false-positive?) messages AppArmor writes to
> the audit service.
>
> For example during start of the systemd unit the following line is written
> to audit log:
>
> type=AVC msg=audit(1533736326.584:30): apparmor="DENIED" operation="exec"
> profile="web2ldap" name="/bin/bash" pid=1109 comm="uwsgi" requested_mask="x"
> denied_mask="x" fsuid=29990 ouid=0
>
> Now I really wonder why /bin/bash is accessed at all. The login shell of
> this particular system account for the unit is /usr/sbin/nologin.
>
> In AppArmor I could simply mask this log message completely. But I'd
> strongly prefer to see it in case an attacker tries to do something bad.

Neither systemd nor uwsgi runs bash. But without either the uwsgi
.ini file or the systemd service file it's hard to tell what you're
seeing.

-- 
damjan
_______________________________________________
uWSGI mailing list
uWSGI@lists.unbit.it
http://lists.unbit.it/cgi-bin/mailman/listinfo/uwsgi
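As an added example (not code from the thread, uwsgi, or AppArmor): a small Python filter for auditd records of the kind quoted above. It splits an AVC record into its key=value fields, keeps only AppArmor exec denials such as the /bin/bash one, and builds the profile line that would make the denial explicit. The log lines after the first one are constructed here for illustration; the rule text reflects my understanding that a plain `deny` rule quiets the audit message for that path while `audit deny` keeps logging it, so validate any generated rule with apparmor_parser before loading it.

```python
import re
from typing import Dict, List, Optional

# Constructed sample audit records. The first line is the record quoted in the
# thread; the remaining lines are made up here to exercise the filter and are
# not from the original post.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1533736326.584:30): apparmor="DENIED" operation="exec" profile="web2ldap" name="/bin/bash" pid=1109 comm="uwsgi" requested_mask="x" denied_mask="x" fsuid=29990 ouid=0
type=SYSCALL msg=audit(1533736326.584:30): arch=c000003e syscall=59 success=no exit=-13 comm="uwsgi"
type=AVC msg=audit(1533736326.701:33): apparmor="DENIED" operation="open" profile="web2ldap" name="/proc/1109/status" pid=1109 comm="uwsgi" requested_mask="r" denied_mask="r" fsuid=29990 ouid=29990
type=AVC msg=audit(1533736327.002:35): apparmor="ALLOWED" operation="exec" profile="web2ldap" name="/usr/bin/python3" pid=1110 comm="uwsgi" requested_mask="x" denied_mask="x" fsuid=29990 ouid=0
"""

# key=value tokens: values are either double-quoted ("DENIED") or bare
# (pid=1109, msg=audit(1533736326.584:30):).
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# The msg field carries the epoch timestamp and the event serial number.
_MSG = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


def parse_audit_record(line: str) -> Optional[Dict[str, str]]:
    """Parse one auditd record into a dict; return None for non-AVC records."""
    fields: Dict[str, str] = {}
    for key, quoted, bare in _KV.findall(line):
        fields[key] = quoted if quoted else bare
    if fields.get("type") != "AVC" or "apparmor" not in fields:
        return None
    m = _MSG.search(fields.get("msg", ""))
    if m:
        fields["timestamp"], fields["serial"] = m.group(1), m.group(2)
    return fields


def is_exec_denial(rec: Dict[str, str]) -> bool:
    """The event the thread is about: the profile refused to exec a binary."""
    return rec.get("apparmor") == "DENIED" and rec.get("operation") == "exec"


def exec_denials(log_text: str) -> List[Dict[str, str]]:
    """Filter a chunk of audit log down to AppArmor exec denials only."""
    found: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_audit_record(line)
        if rec and is_exec_denial(rec):
            found.append(rec)
    return found


def suggest_rule(rec: Dict[str, str], keep_logging: bool = True) -> str:
    """Build the profile line that makes this denial explicit.

    Assumption (my reading of AppArmor semantics, not from the thread): a plain
    `deny` rule silences the audit message for that path, and the `audit`
    prefix forces the message to be kept, which is what the poster asked for.
    """
    prefix = "audit deny" if keep_logging else "deny"
    return f'{prefix} {rec["name"]} {rec["denied_mask"]},'


if __name__ == "__main__":
    for rec in exec_denials(SAMPLE_AUDIT_LOG):
        print(f'serial {rec["serial"]}: profile={rec["profile"]} comm={rec["comm"]} '
              f'pid={rec["pid"]} tried to exec {rec["name"]}')
        print("  rule keeping the log line:  ", suggest_rule(rec))
        print("  rule quieting the log line: ", suggest_rule(rec, keep_logging=False))
```

Run it against `ausearch -m AVC` output or the raw audit.log; only the exec denials survive the filter, so the open() noise in the sample is dropped while the /bin/bash record stays visible.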
