aa-logprof does nothing while dmesg shows some denies

Bug #1724092 reported by Dima
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
AppArmor | New | Undecided | Unassigned |

Bug Description

1) Lubuntu 17.10 (development)
2) apparmor-utils: 2.11.0-2ubuntu17
3) I'd like to fix the denies
4) aa-logprof exits with ok status without questions

{
root@user:~# aa-logprof
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
}

{
root@user:~# dmesg |tail
[ 5414.555628] audit: type=1400 audit(1508192162.782:159): apparmor="ALLOWED" operation="sendmsg" profile="syslogd" name="/dev/log" pid=1222 comm="smartd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 5414.555635] audit: type=1400 audit(1508192162.782:160): apparmor="ALLOWED" operation="sendmsg" profile="syslogd" name="/dev/log" pid=1222 comm="smartd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 5414.660240] audit: type=1400 audit(1508192162.888:161): apparmor="ALLOWED" operation="sendmsg" profile="syslogd" name="/dev/log" pid=1222 comm="smartd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 5414.660252] audit: type=1400 audit(1508192162.888:162): apparmor="ALLOWED" operation="sendmsg" profile="syslogd" name="/dev/log" pid=1222 comm="smartd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 5414.660499] audit: type=1400 audit(1508192162.888:163): apparmor="ALLOWED" operation="sendmsg" profile="syslogd" name="/dev/log" pid=1222 comm="smartd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 5414.660509] audit: type=1400 audit(1508192162.888:164): apparmor="ALLOWED" operation="sendmsg" profile="syslogd" name="/dev/log" pid=1222 comm="smartd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 5473.363665] audit: type=1400 audit(1508192221.591:165): apparmor="ALLOWED" operation="sendmsg" profile="syslogd" name="/dev/log" pid=19227 comm="cron" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 5473.363679] audit: type=1400 audit(1508192221.591:166): apparmor="ALLOWED" operation="sendmsg" profile="syslogd" name="/dev/log" pid=19227 comm="cron" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 5473.364894] audit: type=1400 audit(1508192221.592:167): apparmor="ALLOWED" operation="sendmsg" profile="syslogd" name="/dev/log" pid=19228 comm="cron" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 5473.377444] audit: type=1400 audit(1508192221.605:168): apparmor="ALLOWED" operation="sendmsg" profile="syslogd" name="/dev/log" pid=19227 comm="cron" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
}

I had some problems with rsyslog and I have installed inetutils-syslogd. Maybe this is why.

Tags: artful
Seth Arnold (seth-arnold) wrote :

Hi Dima, are these entries in /var/log/syslog ? What do those lines look like?

Thanks

Dima (dima2017) wrote :

Hi, Seth, these entries were from dmesg. I am attaching my syslog.1 (because I've just removed inetutils-syslogd and installed rsyslog instead, and those lines in dmesg (with /dev/log) are gone).

Vincas Dargis (talkless) wrote :

I have a similar issue on Kubuntu 17.10. Consider this denied message in the audit log:

$ sudo fgrep -eDENIED /var/log/audit/audit.log -A2
type=AVC msg=audit(1510405906.890:426): apparmor="DENIED" operation="connect" profile="/usr/bin/dragon" pid=7338 comm="QDBusConnection" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/tmp/dbus-y2LWR0Es6j" peer="unconfined"
type=SYSCALL msg=audit(1510405906.890:426): arch=c000003e syscall=42 success=no exit=-13 a0=8 a1=7f821b3c84b0 a2=17 a3=0 items=0 ppid=1382 pid=7338 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="QDBusConnection" exe="/usr/bin/dragon" key=(null)
type=PROCTITLE msg=audit(1510405906.890:426): proctitle=2F7573722F62696E2F647261676F6E002F686F6D652F76696E6361732F41747369756E74696D61692F6269676275636B62756E6E792E7765626D

Meanwhile aa-logprof prints nothing in that regard:

$ sudo aa-logprof
Reading log entries from /var/log/audit/audit.log.
Updating AppArmor profiles in /etc/apparmor.d.

Gold Star (goldstar611) wrote :

I have hit this problem in the past. Personal anecdotal note: I feel like aa-logprof "works better" with rsyslogd vs auditd. Especially when I set /proc/sys/kernel/printk_ratelimit and /proc/sys/kernel/printk_ratelimit_burst to 0 during the duration of my profiling.
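
The question raised earlier in the thread, whether the events visible in dmesg are also present in the file aa-logprof reads, can be checked mechanically. The following is an added example, not part of the original report and not code from apparmor-utils: it parses AppArmor audit records in both the kernel form (type=1400) and the auditd form (type=AVC) and lists events whose audit stamp is absent from a second log. The function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# AppArmor events are "type=1400" in dmesg/syslog and "type=AVC" in auditd's log.
RECORD_RE = re.compile(r'type=(?:1400|AVC)\b.*?audit\((\d+\.\d+:\d+)\):\s*(.*)')
# Fields are key="quoted value" or key=bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_apparmor_event(line):
    """Return the record's fields as a dict, or None if it is not an AppArmor event."""
    m = RECORD_RE.search(line)
    if not m or 'apparmor=' not in m.group(2):
        return None
    event = {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(m.group(2))}
    event['stamp'] = m.group(1)  # audit(timestamp:serial) identifies the event
    return event

def missing_from(reference_lines, log_lines):
    """Events present in reference_lines whose audit stamp never appears in log_lines."""
    logged = {e['stamp'] for e in map(parse_apparmor_event, log_lines) if e}
    return [e for e in map(parse_apparmor_event, reference_lines)
            if e and e['stamp'] not in logged]

def summarize(events):
    """Count events by verdict, profile, operation and target (name or peer_addr)."""
    return Counter((e['apparmor'], e.get('profile'), e.get('operation'),
                    e.get('name') or e.get('peer_addr')) for e in events)

# Constructed sample input, modelled on the records quoted in this report.
DMESG_SAMPLE = [
    '[ 5414.555628] audit: type=1400 audit(1508192162.782:159): apparmor="ALLOWED" '
    'operation="sendmsg" profile="syslogd" name="/dev/log" pid=1222 comm="smartd" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    '[ 5473.363665] audit: type=1400 audit(1508192221.591:165): apparmor="ALLOWED" '
    'operation="sendmsg" profile="syslogd" name="/dev/log" pid=19227 comm="cron" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]
SYSLOG_SAMPLE = [  # constructed: only the first event reached the log file
    'Oct 16 22:16:02 user kernel: ' + DMESG_SAMPLE[0],
    'Oct 16 22:16:03 user smartd[1222]: constructed non-audit line',
]
AUDIT_SAMPLE = ['type=AVC msg=audit(1510405906.890:426): apparmor="DENIED" '
    'operation="connect" profile="/usr/bin/dragon" pid=7338 comm="QDBusConnection" '
    'family="unix" requested_mask="send receive connect" denied_mask="send connect" '
    'addr=none peer_addr="@/tmp/dbus-y2LWR0Es6j" peer="unconfined"']

if __name__ == '__main__':
    for key, count in summarize(missing_from(DMESG_SAMPLE, SYSLOG_SAMPLE)).items():
        print(count, *key)
    print(parse_apparmor_event(AUDIT_SAMPLE[0]))
```

On a real system the two inputs would be the output of dmesg and the lines of whichever file aa-logprof reports reading.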
