apparmor_parser --replace does not work
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| AppArmor |
New
|
Undecided
|
Unassigned | ||
Bug Description
Problem:
When changing a permission in a profile and using "apparmor -r <profile>" to update it, the permissions are not applied to the currently running process.
The service has to be restarted to get the new permissions.
Versions:
AppArmor: 2.11.0
Kernel: 4.10.4
Glibc: 2.25
Python: 3.5.3
Perl: 5.24.1
Profile used: usr.bin.nginx
# vim:syntax=apparmor
#include <tunables/global>
/usr/bin/nginx {
#include <abstractions/base>
#include <abstractions/
#include <abstractions/nis>
#include <abstractions/
capability setgid,
capability setuid,
/etc/nginx/*.conf r,
/etc/
/etc/
/etc/
/run/nginx.pid rw,
/usr/bin/nginx mr,
/usr/
/var/log/nginx/* w,
# Site-specific additions and overrides. See local/README for details.
#include <local/
}
aa-status:
# aa-status
apparmor module is loaded.
7 profiles are loaded.
7 profiles are in enforce mode.
/usr/
/usr/bin/nginx
/usr/bin/php-fpm
/usr/bin/sshd
/usr/
dhcpcd
dhcpcd/
0 profiles are in complain mode.
7 processes have profiles defined.
7 processes are in enforce mode.
/usr/bin/nginx (2128)
/usr/bin/nginx (2129)
/usr/bin/php-fpm (783)
/usr/bin/php-fpm (1334)
/usr/bin/sshd (775)
/usr/bin/sshd (848)
dhcpcd (791)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
| Olivier Mauras (coredumb) wrote | #1 |
To give further details, this only happens on vanilla 4.10 kernel.
A 4.10 kernel with apparmor 3.6 backport doesn't not have this issue.