AppArmor profile shows not confined
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| AppArmor | New | Undecided | Unassigned | |
Bug Description
Hi,
I have created a profile for /usr/sbin/apache2 (I am using multiple apaches).
Now, I have added a new script, which is getting blocked by the apparmor profile and it gives apparmor denials. This is an expected behavior, and I understand the logic behind it.
The problem here is if I disable apparmor and then enable apparmor again, everything starts working fine.
- No denials, no issues.
When I run aa-unconfined, I see the below:
++++
5904 /usr/sbin/apache2 not confined
5908 /usr/sbin/apache2 not confined
5909 /usr/sbin/apache2 not confined
5910 /usr/sbin/apache2 not confined
5911 /usr/sbin/apache2 not confined
5912 /usr/sbin/apache2 not confined
6535 /usr/sbin/apache2 not confined
++++
If I check apparmor status, via aa-status... it shows running.
Also, cat /sys/kernel/
/usr/sbin/apache2 (enforce)
But I get /usr/sbin/apache2 is not confined, hence I get no denials.
If I restart the apache service and then run aa-unconfined, I see the below:
++++
11021 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)'
11026 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)'
11027 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)'
11028 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)'
++++
Then I get the denials as expected.
Why is this the behavior? Why does apache get flushed (not confined)?
Please help.
Regards,
Shaheena K
On Fri, Sep 04, 2020 at 05:20:13PM -0000, Shaheena Kazi wrote:
> The problem here is if I disable apparmor and then enable apparmor
> again, everything starts working fine. - No denials, no issues.
>
> When I run aa-unconfined, I see the below:
> ++++
> 5904 /usr/sbin/apache2 not confined
Probably "disable apparmor" is the cause: I'm guessing this means
unloading profiles, then loading profiles.
Processes that were already running aren't confined when profiles are
loaded. (They cannot be: without the full execution history of all
processes since boot we can't select the correct profile to apply to the
processes that remain.)
The usual way to perform profile development is to reload profiles after
modifying them. The aa-logprof and aa-genprof tools help this process, but
you could just as easily run
apparmor_parser --replace /etc/apparmor.d/usr.sbin.apache2
by hand when it is convenient.
I hope this helps.
Thanks
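An added example, not from the reporter or the AppArmor project: a small POSIX shell check that reads the same /proc/<pid>/attr/current labels aa-unconfined reports, so an operator can confirm that every process of a given executable (assumed here to be /usr/sbin/apache2) is actually confined after a profile reload, rather than relying on aa-status alone. The helper names are my own.

```shell
#!/bin/sh
# Classify the AppArmor label of one process from the contents of
# /proc/<pid>/attr/current. The kernel writes "unconfined" for a process
# that started before its profile was loaded, and "<profile> (enforce)"
# or "<profile> (complain)" for a confined one.
# Prints: unconfined | confined | unknown
aa_label_state() {
    case "$1" in
        unconfined*)                  echo unconfined ;;
        *"(enforce)"*|*"(complain)"*) echo confined ;;
        *)                            echo unknown ;;
    esac
}

# Walk /proc and print "<pid> <exe> <state> (<label>)" for every process
# whose executable resolves to $1. Returns 1 if any such process is
# unconfined (the situation described in the report), 0 otherwise.
check_confinement() {
    exe="$1"
    rc=0
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        target=$(readlink "$d/exe" 2>/dev/null) || continue
        [ "$target" = "$exe" ] || continue
        label=$(cat "$d/attr/current" 2>/dev/null) || continue
        state=$(aa_label_state "$label")
        echo "$pid $exe $state ($label)"
        if [ "$state" = unconfined ]; then
            rc=1
        fi
    done
    return "$rc"
}

# Usage: sh check_confinement.sh /usr/sbin/apache2
# A non-zero exit means the running processes predate the profile load:
# reload the profile (apparmor_parser --replace) and restart the service,
# then run this check again.
if [ -n "${1:-}" ]; then
    check_confinement "$1" || echo "warning: unconfined $1 processes found"
fi
```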