[Apparmor-general] What does this audit log entry mean?

John Johansen jjohansen at suse.de
Mon Feb 2 13:51:06 MST 2009


Christian Boltz wrote:
> Hello,
> 
> Am Montag, 2. Februar 2009 schrieb John Johansen:
>> Christian Boltz wrote:
>>> type=APPARMOR_ALLOWED msg=audit(1233365168.452:270):
>>> operation="inode_permission" info="Failed name resolution - object
>>> not a valid entry" error=-2 requested_mask="w::" denied_mask="w::"
>>> fsuid=30 pid=31893 profile="/usr/sbin/httpd2-prefork//vhost_foobar"
> 
>> -  name resolution fails because the pathname is too long.  If this
>>   were the case you would get an error=-12 (-ENOMEM).  If this 
>>   happens, you can increase the maximum path length size by writing a 
>>   byte value to /sys/modules/apparmor/parameters/path_max 
> 
> Not my error number ;-)
> 
Hehe, no, and I put the wrong error number there too.  It's -36
(-ENAMETOOLONG).  -ENOMEM happens when AppArmor couldn't allocate memory
for its name buffer, but if that happens your system is likely going to
be failing all kinds of things.

>> -  the mount point becomes disconnected.  This can happen due to lazy
>>    unmounts, or changing of namespace roots.
>>    What happens here is AppArmor retrieves a partial path and then
>>    can't connect it so it fails with an error=-2 (-ENOENT).  
> 
> This would match my error number - but I'm not aware of having umounted 
> any filesystem (or doing a server reboot etc.) at the time the above 
> event was logged. /var/log/messages also doesn't show anything unusual 
> that would point to umount or reboot - the server was "just running" at 
> this time.
> 
> Could there be other reasons causing "error=-2"?
> 
Well, there are only 2 possibilities.
1. a deleted file - it is possible that there is a bug and AppArmor is
   not handling this case correctly.
2. a mount point disconnected from the root.  This in turn has different
   causes.
   - lazy unmount
   - rotation of the root
   - an unshared bind mount
   - a change of namespace root but with files open that are no longer
     accessible from the new root.

To say what is going on for sure, I need more information.  If you're
willing I can build a special 11.0 kernel with a patched AppArmor that
will provide more information.
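A small parser for audit entries like the one quoted at the top of this thread, added here as an example and not code from the thread or from the AppArmor project. The cause table encodes the errno explanations given in this reply (-2, -12 and -36 as Linux errno values); the sample line is the quoted entry re-joined onto one line, and the regexes are my own assumptions about the key=value layout.

```python
import re

# Linux errno values as the kernel writes them into the audit record
# (the negative number after error=); fixed here so the mapping does not
# depend on the errno table of whatever host runs this script.
LINUX_ERRNO = {2: "ENOENT", 12: "ENOMEM", 36: "ENAMETOOLONG"}

# Likely causes, keyed by errno name, as laid out in the reply above.
CAUSES = {
    "ENOENT": ("partial path could not be connected to the root: a deleted "
               "file (possibly an AppArmor bug), or a mount point disconnected "
               "from the root (lazy unmount, rotation of the root, unshared "
               "bind mount, namespace root change with files still open)"),
    "ENAMETOOLONG": "pathname longer than the apparmor path_max module parameter",
    "ENOMEM": "AppArmor could not allocate its name buffer (system is short of memory)",
}

# Assumed layout: type=... msg=audit(SECONDS.MS:SERIAL): key=value key="quoted value" ...
AUDIT_RE = re.compile(r'type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):'
                      r'(?P<serial>\d+)\):\s*(?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_audit_line(line):
    """Split one AppArmor audit line into a dict of its fields; None if not an audit record."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "timestamp": float(m.group("ts")),
           "serial": int(m.group("serial"))}
    for key, value in FIELD_RE.findall(m.group("body")):
        rec[key] = value[1:-1] if value.startswith('"') else value
    return rec

def explain_name_resolution(rec):
    """For a 'Failed name resolution' record return (errno name, likely cause), else None."""
    if rec is None or "Failed name resolution" not in rec.get("info", ""):
        return None
    code = -int(rec["error"])
    name = LINUX_ERRNO.get(code, "errno %d" % code)
    return name, CAUSES.get(name, "not covered in this thread")

# Constructed sample: the entry quoted at the top of the thread, on one line.
SAMPLE = ('type=APPARMOR_ALLOWED msg=audit(1233365168.452:270): '
          'operation="inode_permission" info="Failed name resolution - object '
          'not a valid entry" error=-2 requested_mask="w::" denied_mask="w::" '
          'fsuid=30 pid=31893 profile="/usr/sbin/httpd2-prefork//vhost_foobar"')

if __name__ == "__main__":
    rec = parse_audit_line(SAMPLE)
    print(rec["profile"], "pid", rec["pid"], "->", explain_name_resolution(rec))
```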