aa-complain only works if profile is named precisely for executable
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Fix Released | Medium | Unassigned |
Bug Description
I made a new executable with Python virtualenv, and tried to set it to complain mode, but it ended up in enforce mode:
~ $ pwd
/home/ned
~ $ virtualenv python-secured
New python executable in python-
Installing distribute.
Installing pip....
~ $ pushd /etc/apparmor.d/
/etc/apparmor.d ~ /etc/apparmor.d
/etc/apparmor.d $ sudo vim home.ned.
[sudo] password for ned:
/etc/apparmor.d $ cat home.ned.
#include <tunables/global>
/home/ned/
#include <abstractions/base>
/home/
/home/
/usr/
/usr/
/usr/
/tmp/** rix,
}
/etc/apparmor.d $ sudo apparmor_status
apparmor module is loaded.
24 profiles are loaded.
24 profiles are in enforce mode.
/home/
/sbin/dhclient
/usr/bin/evince
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/sbin/cupsd
/usr/sbin/mysqld
/usr/
0 profiles are in complain mode.
4 processes have profiles defined.
4 processes are in enforce mode.
/sbin/dhclient (21292)
/usr/
/usr/sbin/cupsd (684)
/usr/sbin/mysqld (889)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
/etc/apparmor.d $ sudo aa-complain /home/ned/
/etc/apparmor.d $ sudo apparmor_status
apparmor module is loaded.
24 profiles are loaded.
24 profiles are in enforce mode.
/home/
/sbin/dhclient
/usr/bin/evince
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/sbin/cupsd
/usr/sbin/mysqld
/usr/
0 profiles are in complain mode.
4 processes have profiles defined.
4 processes are in enforce mode.
/sbin/dhclient (21292)
/usr/
/usr/sbin/cupsd (684)
/usr/sbin/mysqld (889)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
/etc/apparmor.d $ sudo invoke-rc.d apparmor reload
* Reloading AppArmor profiles Skipping profile in /etc/apparmor.
Skipping profile in /etc/apparmor.
/etc/apparmor.d $ sudo apparmor_status
apparmor module is loaded.
25 profiles are loaded.
25 profiles are in enforce mode.
/home/
/home/
/sbin/dhclient
/usr/bin/evince
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/sbin/cupsd
/usr/sbin/mysqld
/usr/
0 profiles are in complain mode.
4 processes have profiles defined.
4 processes are in enforce mode.
/sbin/dhclient (21292)
/usr/
/usr/sbin/cupsd (684)
/usr/sbin/mysqld (889)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
/etc/apparmor.d $
The problem was diagnosed by cboltz in the #apparmor IRC channel: my profile was named incorrectly. Once I named it to home.ned.
/etc/apparmor.d $ sudo mv home.ned.
/etc/apparmor.d $ sudo invoke-rc.d apparmor reload
* Reloading AppArmor profiles Skipping profile in /etc/apparmor.
Skipping profile in /etc/apparmor.
/etc/apparmor.d $ sudo aa-complain /home/ned/
Setting /home/ned/
/etc/apparmor.d $ sudo apparmor_status
apparmor module is loaded.
25 profiles are loaded.
24 profiles are in enforce mode.
/home/
/sbin/dhclient
/usr/bin/evince
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/sbin/cupsd
/usr/sbin/mysqld
/usr/
1 profiles are in complain mode.
/home/
4 processes have profiles defined.
4 processes are in enforce mode.
/sbin/dhclient (21292)
/usr/
/usr/sbin/cupsd (684)
/usr/sbin/mysqld (889)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
It was not at all clear to me that the actual filename of the profile in apparmor.d mattered, since the profile contains the file path to the executable within it. And most of AppArmor works no matter what the filename.
At the very least, aa-complain could have complained! :)
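The behaviour the report describes comes down to a filename convention: the Perl-era aa-complain and aa-enforce find a profile by turning the executable path into a filename under /etc/apparmor.d (leading "/" dropped, every other "/" replaced by "."), while apparmor_parser and apparmor_status read the attachment path from inside the file, so a misnamed profile loads and enforces fine but cannot be switched to complain mode. The script below is an added example, not code from the bug report or from the AppArmor project: it computes the expected filename for a path, extracts the attachment path from a profile file, and reports every profile in a directory whose filename does not match. The executable path /home/ned/python-secured/bin/python, the file name python-secured and the sample profile bodies are constructed for the demo; the reporter's real profile is truncated on this page. Only plain path-headed profiles are handled (no `profile name /path {` headers, no quoted paths).

```shell
#!/bin/sh
# Added example, not from the bug report or the AppArmor project.
# Maps an executable path to the profile filename the classic aa-* tools
# look for under /etc/apparmor.d: drop the leading "/" and turn every
# remaining "/" into "." (e.g. /usr/sbin/cupsd -> usr.sbin.cupsd).
expected_profile_name() {
    printf '%s\n' "$1" | sed -e 's|^/||' -e 's|/|.|g'
}

# Extracts the attachment path from a profile file: the first line that
# starts with an absolute path and ends with "{" (optional flags=(...) in
# between). Named profiles ("profile foo /path {") and quoted paths are
# deliberately not handled here.
profile_attachment() {
    sed -n 's|^\(/[^[:space:]{]*\)[[:space:]]*.*{[[:space:]]*$|\1|p' "$1" | head -n 1
}

# Lists profile files in a directory whose filename differs from the name
# expected for their attachment path. apparmor_parser loads such a file
# without complaint, but the old aa-complain/aa-enforce never find it, so
# the profile silently stays in enforce mode.
find_misnamed_profiles() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        attach=$(profile_attachment "$f")
        [ -n "$attach" ] || continue
        want=$(expected_profile_name "$attach")
        have=${f##*/}
        if [ "$have" != "$want" ]; then
            printf '%s: attaches to %s, expected filename %s\n' "$have" "$attach" "$want"
        fi
    done
}

# Demo on constructed sample profiles (not the reporter's real files):
# one profile saved under an arbitrary name, one under the expected name.
demo_misnamed_profiles() {
    d=$(mktemp -d) || return 1
    cat > "$d/python-secured" <<'EOF'
#include <tunables/global>
/home/ned/python-secured/bin/python {
  #include <abstractions/base>
  /tmp/** rix,
}
EOF
    cat > "$d/usr.sbin.cupsd" <<'EOF'
#include <tunables/global>
/usr/sbin/cupsd flags=(complain) {
  #include <abstractions/base>
}
EOF
    find_misnamed_profiles "$d"
    rm -rf "$d"
}

demo_misnamed_profiles
```

Running it prints a single line for the misnamed file, `python-secured: attaches to /home/ned/python-secured/bin/python, expected filename home.ned.python-secured.bin.python`, and nothing for usr.sbin.cupsd. Pointing `find_misnamed_profiles` at a real /etc/apparmor.d is a cheap sanity check to run before trusting what aa-complain or aa-enforce silently did nothing about; the newer Python utilities at least say "Profile for ... not found, skipping" in the same situation.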
Changed in apparmor: status: New → Confirmed
tags: added: aa-tools
Changed in apparmor: importance: Undecided → Medium
Changed in apparmor: status: Fix Committed → Fix Released
Short status update: with the new python utils, I get at least an error message:
python3 aa-complain true # "hidden" in /etc/apparmor.d/some.profile
Profile for /usr/bin/true not found, skipping
For comparison: aa-cleanprof finds the profile.