[Apparmor-general] requested_mask="rw::rwl" denied_mask="::l"

John Johansen jjohansen at suse.de
Sat Jul 26 23:51:30 MDT 2008


Michael Varre wrote:
> Hello everyone, I am running BIND9 on Ubuntu 8.04.1 LTS and I seem to be
> getting this sometimes when I make a change in this dir.  The changes seem
> to get made properly, so I don't really understand why AppArmor is
> complaining, or what the mask "::l" is.  RW seems to function properly. Any
> insight would be appreciated.  Thanks!
> 
AppArmor controls link permissions separately from read/write, as hard
links create an alias.  The ::l is asking for additional permission to
create the specified link.

The ::l is an internal notation used to separate out the owner of the
permission request.  The format is similar to Unix file permissions
(user, group, other), with each field separated by a ':'.  Except in
AppArmor it is

  owner permissions:extended ownership tests:other permissions

so
rw::  would be read/write by the file owner
:rw:  would be read/write by an owner that met extended permission tests
(not enabled in 8.04)
::rw  would be a read/write request for a file that is owned by someone
else, and not covered by the extended ownership test.


AppArmor link permissions
> 
> 
> [1203814.084586] audit(1216992077.708:67): type=1503 operation="inode_link"
> requested_mask="rw::rwl" denied_mask="::l"
So this is specifying that a link to a file not owned by the user is
being requested, and rw permissions are required by the owner and by
tasks that aren't the file's owner.

> name="/etc/bind/zones/slave/db-SStUCwoP"
name is the name of the link being created
> name2="/etc/bind/zones/slave/mydomain.com.hosts" pid=21683
name2 is the name of the target of the link

> profile="/usr/sbin/named" namespace="default"
> 
> 

The link rule you need to add is

/etc/bind/zones/slave/** l,

This can be read as allow links to be created in /etc/bind/zones/slave/**

This can be combined with the rw rule you already have to make
/etc/bind/zones/slave/** rwl,

This type of link rule allows the target of the link to be any file
(/**) as long as the permissions on the target are a subset of the
permissions on the created link.  This prevents links being made that can
elevate privilege.


For now you can ignore the owner/other information, but if you're curious
they are present because AppArmor in 8.04 has the beginnings of owner
conditional rules that will be in the next AppArmor release, but they
are not fully supported by the tool set so they remain undocumented.

> 
> 
> Included is my usr.sbin.named apparmor conf......
> 
> 
> 
> /usr/sbin/named {
>   #include <abstractions/base>
>   #include <abstractions/nameservice>
> 
>   capability net_bind_service,
>   capability setgid,
>   capability setuid,
>   capability sys_chroot,
> 
>   # /etc/bind should be read-only for bind
>   # /var/lib/bind is for dynamically updated zone (and journal) files.
>   # /var/cache/bind is for slave/stub data, since we're not the origin of it.
>   # See /usr/share/doc/bind9/README.Debian.gz
>   /etc/bind/** r,
>   /var/lib/bind/** rw,
>   /var/cache/bind/** rw,
>   /etc/bind/zones/** rw,
>   /etc/bind/zones/slave/** rw,
> 
>   /proc/net/if_inet6 r,
>   /usr/sbin/named mr,
>   /var/run/bind/run/named.pid w,
>   # support for resolvconf
>   /var/run/bind/named.options r,
> }
> 
> 
> 
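To make the mask notation and the link rule concrete, here is an added Python example (mine, not code from this thread or from the AppArmor project). It parses the audit line quoted above, splits requested_mask and denied_mask into the owner:extended:other fields described in the reply, derives the "/etc/bind/zones/slave/** l," rule the reply suggests, and models the link check against the posted usr.sbin.named profile before and after that rule is added. The rule-suggestion heuristic, the glob-to-regex translation and the assumption that overlapping rules' permissions accumulate are this example's own simplifications, not the kernel's matcher.

```python
import posixpath
import re

# The audit line from the original post (copied from the thread, not constructed).
AUDIT_LINE = (
    '[1203814.084586] audit(1216992077.708:67): type=1503 operation="inode_link" '
    'requested_mask="rw::rwl" denied_mask="::l" '
    'name="/etc/bind/zones/slave/db-SStUCwoP" '
    'name2="/etc/bind/zones/slave/mydomain.com.hosts" pid=21683 '
    'profile="/usr/sbin/named" namespace="default"'
)

# File rules from the posted usr.sbin.named profile (capability and other
# non-file lines omitted), and the same profile with the suggested link rule.
NAMED_PROFILE = [
    ("/etc/bind/**", "r"),
    ("/var/lib/bind/**", "rw"),
    ("/var/cache/bind/**", "rw"),
    ("/etc/bind/zones/**", "rw"),
    ("/etc/bind/zones/slave/**", "rw"),
]
FIXED_PROFILE = NAMED_PROFILE + [("/etc/bind/zones/slave/**", "l")]

# key=value pairs in the audit line, either double-quoted or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
MASK_FIELDS = ("owner", "extended", "other")


def parse_audit_line(line):
    """Return the key=value fields of an AppArmor audit line as a dict of strings."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def split_mask(mask):
    """Split the 8.04-era owner:extended:other mask into a dict of letter sets."""
    parts = mask.split(":")
    if len(parts) != len(MASK_FIELDS):
        raise ValueError("expected three ':'-separated fields, got %r" % mask)
    return dict(zip(MASK_FIELDS, (set(p) for p in parts)))


def explain_denial(record):
    """Which field(s) of denied_mask actually carry letters, e.g. {'other': {'l'}}."""
    return {f: s for f, s in split_mask(record["denied_mask"]).items() if s}


def suggest_rule(record):
    """Heuristic of this example (not AppArmor tooling): for a denied inode_link,
    grant the denied letters on the link's directory with a '**' glob, as the reply does."""
    if record.get("operation") != "inode_link":
        return None
    denied = set().union(*split_mask(record["denied_mask"]).values())
    return "%s/** %s," % (posixpath.dirname(record["name"]), "".join(sorted(denied)))


def glob_to_regex(pattern):
    """Translate an AppArmor path glob: '**' matches across '/', '*' does not."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def effective_perms(rules, path):
    """Union of the letters of every rule whose glob matches path.
    Assumption: overlapping rules accumulate; this is a model, not the kernel's matcher."""
    perms = set()
    for glob, letters in rules:
        if glob_to_regex(glob).match(path):
            perms |= set(letters)
    return perms


def link_allowed(rules, link_name, target_name):
    """The reply's condition: the new link name needs 'l', and the target's
    permissions must be a subset of those granted on the link name."""
    link_perms = effective_perms(rules, link_name)
    return "l" in link_perms and effective_perms(rules, target_name) <= link_perms


if __name__ == "__main__":
    rec = parse_audit_line(AUDIT_LINE)
    print("denied:", explain_denial(rec))
    print("suggested rule:", suggest_rule(rec))
    for label, rules in (("as posted", NAMED_PROFILE), ("with l rule", FIXED_PROFILE)):
        print(label, "->", link_allowed(rules, rec["name"], rec["name2"]))
```

Run as a script it reports that only the "other" field of denied_mask carries the l, prints the suggested rule, and shows the link being refused with the profile as posted and accepted once the l rule is present.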

