aa-logprof doesn't recognize rules for denied permissions (no matching against variables)

Bug #1649294 reported by brian
This bug affects 1 person
Affects: AppArmor; Status: New; Importance: Undecided; Assigned to: Unassigned

Bug Description

aa-logprof seems to be ignoring rules already set in the policy as denied. If I set a rule as denied, the next time I run aa-logprof it asks about it again.

Tags: aa-tools
Christian Boltz (cboltz) wrote :

I know we had some of these bugs, but it depends on
- the rule type (file, capability, network, ...)
- the version of the AppArmor tools (I made quite a few changes and fixes for each release)
- the rules you already have in your profile (for example, do they contain wildcards or variables?)

Can you please add some details about these things?

If in doubt, please attach your audit.log (or a snippet from it that reproduces the bug), the affected profile and a "screenshot" of the aa-logprof run.

brian (knotwurk) wrote :

I'm running Xubuntu 17.04, and I think I may have been mistaken about this. It seems fine now, and the problem was a combination of two things: the wrong permission being denied, and the @{HOME} variable not being recognized by aa-logprof (it's fine in AppArmor though). That problem with @{HOME} still exists, although idk if you'd really call it a bug or a missing feature.

Christian Boltz (cboltz)
tags: added: aa-tools
summary: - aa-logprof doesn't recognize rules for denied permissions
+ aa-logprof doesn't recognize rules for denied permissions (no matching
+ against variables}
summary: aa-logprof doesn't recognize rules for denied permissions (no matching
- against variables}
+ against variables)
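
The variable-matching gap discussed in this thread, as an added illustration (not code from aa-logprof or AppArmor): a rule path written with @{HOME} only covers a logged path once the variable is expanded. The variable values are assumed to mirror AppArmor's tunables/home defaults, the rule and logged path are constructed, and only the `**`, `*` and `?` globs are handled.

```python
import re

# Constructed tunables, assumed to mirror AppArmor's tunables/home defaults.
VARIABLES = {
    "HOMEDIRS": ["/home/"],
    "HOME": ["@{HOMEDIRS}/*/", "/root/"],
}

def expand(path, variables=VARIABLES):
    """Return every path pattern obtained by substituting @{VAR} references."""
    m = re.search(r"@\{(\w+)\}", path)
    if not m:
        return [re.sub(r"/{2,}", "/", path)]  # collapse '//' left by expansion
    out = []
    for value in variables[m.group(1)]:
        out.extend(expand(path[:m.start()] + value + path[m.end():], variables))
    return out

def glob_to_regex(pattern):
    """Translate the AppArmor globs '**', '*' and '?' into a regex."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")       # '**' may cross directory boundaries
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")    # '*' stays within one path component
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts) + r"\Z")

def rule_covers(rule_path, logged_path, expand_vars=True):
    """True if a rule's path expression matches the path from a log event."""
    patterns = expand(rule_path) if expand_vars else [rule_path]
    return any(glob_to_regex(p).match(logged_path) for p in patterns)

# Constructed case: profile rule "deny @{HOME}/.ssh/** r," and a DENIED
# log event whose name field is "/home/alice/.ssh/id_rsa".
RULE = "@{HOME}/.ssh/**"
EVENT = "/home/alice/.ssh/id_rsa"
print("literal comparison:", rule_covers(RULE, EVENT, expand_vars=False))
print("after expansion:   ", rule_covers(RULE, EVENT))
```

A tool that compares the logged path against the unexpanded rule text treats the event as not yet covered, which is why the same question comes up again on the next run.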