[Apparmor-general] auditd logs allowed actions
Christian Boltz
apparmor at cboltz.de
Wed Jan 31 16:48:20 MST 2007
Hello,
another strange thing I see on two of two 10.2 servers ;-)
It seems auditd logs actions that are already allowed in the profile.
Or aa-logprof just thinks that it is already allowed in the profile...
The logfile is flooded with lots of messages:
type=APPARMOR msg=audit(1170284111.841:2552): REJECTING access to
syscall 'ptrace' (lsof(5506) profile /usr/sbin/fou4s
active /usr/sbin/fou4s)
(only the timestamp differs)
Oh, and I have switched the profile to complain mode before running the
command - I wonder why auditd logs "REJECTING" instead of "PERMITTING".
Switching the mode with aa-enforce or aa-complain doesn't change
anything regarding the log messages.
The profile:
# cat usr.sbin.fou4s
# vim:syntax=apparmor
# Last Modified: Wed Jan 31 12:22:43 2007
#include <tunables/global>
/usr/sbin/fou4s flags=(complain) {
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>
  capability dac_override,
  capability ipc_lock,
  capability setgid,
  capability setuid,
  capability sys_ptrace,
  / r,
  /bin/basename ixr,
  /bin/bash ixr,
  /bin/cat ixr,
  /bin/cp ixr,
  /bin/date ixr,
  /bin/gawk ixr,
  /bin/grep ixr,
  /bin/hostname ixr,
  /bin/ls ixmr,
  /bin/lsmod r,
  /bin/lsmod.static r,
  /bin/mkdir ixr,
  /bin/mktemp ixr,
  /bin/mv ixr,
  /bin/rm ixr,
  /bin/rpm Ux,
  /bin/sed ixr,
  /bin/sort ixr,
  /bin/stty ixr,
  /bin/su ixr,
  /bin/touch ixr,
  /bin/uname ixr,
  /boot/* rw,
  /etc/SuSE-release r,
  /etc/bash.bashrc.local r,
  /etc/default/su r,
  /etc/fou4s.conf r,
  /etc/manpath.config r,
  /etc/nntpserver r,
  /etc/profile.d r,
  /etc/rpm r,
  /etc/slp.reg.d/bind.reg r,
  /etc/slp.reg.d/ssh.reg r,
  /etc/ssl/certs/** r,
  /etc/sysconfig/console r,
  /etc/sysconfig/language r,
  /etc/sysconfig/mail r,
  /etc/sysconfig/proxy r,
  /etc/sysconfig/suseconfig r,
  /etc/sysconfig/windowmanager r,
  /etc/wgetrc r,
  /lib/** r,
  /lib/modules/** rw,
  /proc r,
  /proc/*/fd r,
  /proc/*/maps r,
  /proc/*/stat r,
  /proc/locks r,
  /proc/net/raw r,
  /proc/net/raw6 r,
  /proc/net/tcp r,
  /proc/net/tcp6 r,
  /proc/net/udp r,
  /proc/net/udp6 r,
  /proc/net/unix r,
  /proc/version r,
  /root/.Xauthority-c lrw,
  /root/.Xauthority-l lrw,
  /root/.netrc r,
  /sbin/* r,
  /sbin/SuSEconfig Ux,
  /srv/www/htdocs/phpMyAdmin/** r,
  /usr/** r,
  /usr/X11R6/bin/xauth ixr,
  /usr/X11R6/lib64/libX11.so.* mr,
  /usr/X11R6/lib64/libXau.so.* mr,
  /usr/X11R6/lib64/libXext.so.* mr,
  /usr/X11R6/lib64/libXmuu.so.* mr,
  /usr/bin/SuSE-release ixr,
  /usr/bin/applydeltarpm Uxr,
  /usr/bin/cut ixr,
  /usr/bin/dircolors ixmr,
  /usr/bin/dirname ixr,
  /usr/bin/find ixr,
  /usr/bin/fmt ixr,
  /usr/bin/getopt ixr,
  /usr/bin/gpg ixr,
  /usr/bin/head ixr,
  /usr/bin/lsof ixr,
  /usr/bin/manpath ixr,
  /usr/bin/newgrp ixr,
  /usr/bin/recode ixr,
  /usr/bin/seq ixr,
  /usr/bin/sha1sum ixr,
  /usr/bin/tr ixr,
  /usr/bin/tty ixr,
  /usr/bin/uniq ixr,
  /usr/bin/wc ixr,
  /usr/bin/wget ixr,
  /usr/bin/which ixr,
  /usr/bin/whoami ixr,
  /usr/bin/xmlp.awk ixr,
  /usr/lib/rpm/gnupg/* rw,
  /usr/lib/rpm/rpmb ixr,
  /usr/lib/rpm/rpmdumpheader ixr,
  /usr/sbin/fou4s ixr,
  /var/adm/fillup-templates/* r,
  /var/cache/fou4s/** rw,
  /var/lib/rpm/Name r,
  /var/lib/rpm/Packages r,
  /var/log/fou4s.log w,
  /var/run/utmp rw,
}
Regards,
Christian Boltz
PS: This is more or less an experimental profile (fou4s is a tool to
install the latest updates, so the profile has to be generous).
However, I wanted to test if it is possible to profile such a
low-level application. (You can avoid "/ rw" if you run rpm
unconfined ;-)
--
> > Yes, give Henne some time, it was rather long yesterday...
> Oh im allowed to have a private life. Neato! 8)
See what you get him to think? We should stop these rumours now.
before you know it he wants an own opinion.
[>> Andreas Jaeger, > Henne Vogelsang and houghi in opensuse]
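A small triage helper, added here as an example and not part of the original post, that parses the old-style audit lines quoted above and checks each REJECTING event against the posted profile's mode and capability rules. It assumes the 2007-era log format shown in the post, one constructed PERMITTING line in the same shape, and that a denied 'ptrace' syscall corresponds to the sys_ptrace capability the reporter's profile already grants.

```python
import re
# Constructed sample: the reporter's audit line (its three wrapped lines joined)
# plus one constructed PERMITTING line in the same 2007-era format.
SAMPLE_LOG = [
    "type=APPARMOR msg=audit(1170284111.841:2552): REJECTING access to syscall "
    "'ptrace' (lsof(5506) profile /usr/sbin/fou4s active /usr/sbin/fou4s)",
    "type=APPARMOR msg=audit(1170284112.120:2553): PERMITTING r access to "
    "/etc/fou4s.conf (fou4s(5490) profile /usr/sbin/fou4s active /usr/sbin/fou4s)",
]
# Excerpt of the posted profile: header plus the capability lines only.
PROFILE = """\
/usr/sbin/fou4s flags=(complain) {
  capability dac_override,
  capability sys_ptrace,
}
"""
LOG_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<verdict>REJECTING|PERMITTING) "
    r"(?:(?P<perms>\w+) access to (?P<path>\S+)|access to syscall '(?P<syscall>\w+)') "
    r"\((?P<comm>\S+)\((?P<pid>\d+)\) profile (?P<profile>\S+) active (?P<active>\S+)\)"
)
# Assumption: the log names the syscall while the profile grants it through a
# capability; ptrace -> sys_ptrace is the one pairing seen on this page.
SYSCALL_CAP = {"ptrace": "sys_ptrace"}


def parse_profile(text):
    # Return (mode, set of capabilities); a profile without flags=() is in enforce mode.
    head = re.search(r"^\S+\s+flags=\((\w+)\)\s*\{", text, re.M)
    mode = head.group(1) if head else "enforce"
    caps = set(re.findall(r"^\s*capability\s+(\w+),", text, re.M))
    return mode, caps


def triage(log_lines, profile_text):
    # Flag REJECTING events that the profile's mode or rules should already allow.
    mode, caps = parse_profile(profile_text)
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group("verdict") != "REJECTING":
            continue
        reasons = []
        if mode == "complain":
            reasons.append("profile is in complain mode, expected PERMITTING")
        cap = SYSCALL_CAP.get(m.group("syscall") or "")
        if cap in caps:
            reasons.append(f"syscall already covered by 'capability {cap},'")
        if reasons:
            findings.append((m.group("serial"), m.group("syscall") or m.group("path"), reasons))
    return findings
```

Running triage(SAMPLE_LOG, PROFILE) reports only event 2552 (ptrace), with both reasons the reporter noticed: the profile is in complain mode, and sys_ptrace is already granted.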