[Apparmor-general] permission denied at boot, but is fine later on?

John Johansen jjohansen at suse.de
Wed Oct 22 15:17:49 MDT 2008


Per Jessen wrote:
> This is an opensuse 11.0 system. 
> On boot-up, I see the following message in the audit log:
> 
> type=APPARMOR_DENIED msg=audit(1224667576.964:12):
> operation="inode_permission" requested_mask="rw::" denied_mask="r::"
> fsuid=0 name="/var/log/bwbemag" pid=2739 profile="/sbin/syslog-ng"
> 
> I tried doing an aa-genprof on /sbin/syslog-ng, but that changed
> nothing.  When I restarted syslog-ng, I didn't get another DENIED
> message. 
> The apparmor profile is:
> 
> /sbin/syslog-ng {
> [snip]
>   /dev/log w,
>   /dev/tty10 rw,
>   /dev/xconsole rw,
>   /etc/syslog-ng/* r,
>   /etc/hosts.deny r,
>   /etc/hosts.allow r,
>   /sbin/syslog-ng mr,
>   # chrooted applications
>   @{CHROOT_BASE}/var/lib/*/dev/log w,
>   @{CHROOT_BASE}/var/log/** w,
>   @{CHROOT_BASE}/var/run/syslog-ng.pid krw,
> }
> 
What does the full expanded profile look like?
> apparmor_parser -p /etc/apparmor.d/sbin.syslog-ng


> It looks like the permissions for /var/log should be rw, but why isn't
> this corrected by aa-genprof, and why isn't it a problem when I restart
> syslog-ng?
> 
There are a few possibilities.  While I haven't tested this with
syslog-ng,  it is not unheard of that restart does something slightly
different than start.  Also start and restart may do slightly different
things depending on what services are up or what files exist.

Some questions:
- Do you get the message when you boot your machine?
- Do you get the message if you run rcsyslog stop, rcsyslog start
instead of rcsyslog restart?
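
Added example, not part of the original thread and not AppArmor project code: the Python below parses the quoted APPARMOR_DENIED record and compares the requested permissions with the profile rules visible in the quote. It assumes `@{CHROOT_BASE}` expands to a single value passed in by the caller, uses only the rules shown (the `[snip]` part is unknown), and implements a simplified subset of AppArmor globbing.

```python
import re

# Constructed from the audit record and the visible profile rules quoted above.
AUDIT = ('type=APPARMOR_DENIED msg=audit(1224667576.964:12): '
         'operation="inode_permission" requested_mask="rw::" denied_mask="r::" '
         'fsuid=0 name="/var/log/bwbemag" pid=2739 profile="/sbin/syslog-ng"')
RULES = """
/dev/log w,
/dev/tty10 rw,
/dev/xconsole rw,
/etc/syslog-ng/* r,
/etc/hosts.deny r,
/etc/hosts.allow r,
/sbin/syslog-ng mr,
# chrooted applications
@{CHROOT_BASE}/var/lib/*/dev/log w,
@{CHROOT_BASE}/var/log/** w,
@{CHROOT_BASE}/var/run/syslog-ng.pid krw,
"""

def parse_denial(line):
    """Return the key=value fields of one audit record as a dict."""
    return {k: q or b for k, q, b in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)}

def glob_to_regex(glob):
    """Simplified AppArmor globbing: ** crosses '/', * and ? do not."""
    tokens = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.findall(r"\*\*|.", glob)
    return re.compile("".join(tokens.get(p, re.escape(p)) for p in parts) + r"\Z")

def allowed_perms(path, rules, variables):
    """Union of the modes of every rule whose expanded pattern matches path."""
    perms = set()
    for line in rules.splitlines():
        line = line.strip().rstrip(",")
        if not line or line.startswith("#"):
            continue
        pattern, mode = line.rsplit(None, 1)
        for name, value in variables.items():  # single-valued variables only
            pattern = pattern.replace("@{%s}" % name, value)
        if glob_to_regex(pattern).match(path):
            perms |= set(mode)
    return perms

def missing_perms(audit_line, rules, variables):
    """Requested permissions (mask text before '::') that no rule grants."""
    denial = parse_denial(audit_line)
    requested = set(denial["requested_mask"].split(":")[0])
    return requested - allowed_perms(denial["name"], rules, variables)
```

With `CHROOT_BASE` empty, `missing_perms(AUDIT, RULES, {"CHROOT_BASE": ""})` yields `{'r'}`, the same permission the record reports in `denied_mask`. With a non-empty value neither `r` nor `w` is matched by the visible rules, so the result depends on how the variable expands.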

