mod_apparmor: no error message when requesting non-existing hat

Bug #974616 reported by Christian Boltz
This bug affects 1 person
Affects: AppArmor
Status: Expired
Importance: Medium
Assigned to: Unassigned

Bug Description

- AppArmor 2.7.2 on openSUSE 12.1
- httpd2-prefork profile in complain mode
- using mod_apparmor with one hat per vhost (specified with AADefaultHatName)

mod_apparmor doesn't print/log any error message if the hat specified with AADefaultHatName does not exist. Instead, I get tons of audit.log entries for the DEFAULT_URI hat, for example

type=AVC msg=audit(1333446842.790:303110): apparmor="ALLOWED" operation="file_perm" parent=13357 profile="/usr/sbin/httpd2-prefork//DEFAULT_URI" name="/home/www/example.com/statistics/logs/access_log" pid=21888 comm="httpd2-prefork" requested_mask="w" denied_mask="w" fsuid=30 ouid=0

Expected behaviour:
Write some error message to audit.log or the apache error log if the hat specified in AADefaultHatName does not exist.

It would be even better if an audit.log entry would be written so that logprof can propose to create the missing hat.
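
An added example, not part of the original report and not mod_apparmor code: as long as the module stays silent about a missing hat, the mismatch can be caught by comparing the AADefaultHatName values in the Apache configuration with the hats defined in the profile, and by counting audit.log events per hat. The vhost configuration, the profile, the hat names and the second log line are constructed samples; the first log line is the one quoted in the report.

```python
import re
from collections import Counter

# Constructed sample vhost config; the hat names are hypothetical.
APACHE_CONF = """\
<VirtualHost *:80>
    AADefaultHatName vhost_example.com
</VirtualHost>
<VirtualHost *:80>
    # AADefaultHatName vhost_disabled
    AADefaultHatName vhost_example.org
</VirtualHost>
"""
# Constructed profile: it defines a hat for example.org only.
PROFILE = """\
/usr/sbin/httpd2-prefork flags=(complain) {
  ^DEFAULT_URI {
    /srv/www/** r,
  }
  ^vhost_example.org {
    /home/www/example.org/** r,
  }
}
"""
# First entry is the one quoted in the report; the second is constructed.
AUDIT_LOG = """\
type=AVC msg=audit(1333446842.790:303110): apparmor="ALLOWED" operation="file_perm" parent=13357 profile="/usr/sbin/httpd2-prefork//DEFAULT_URI" name="/home/www/example.com/statistics/logs/access_log" pid=21888 comm="httpd2-prefork" requested_mask="w" denied_mask="w" fsuid=30 ouid=0
type=AVC msg=audit(1333446843.101:303111): apparmor="ALLOWED" operation="open" parent=13357 profile="/usr/sbin/httpd2-prefork//vhost_example.org" name="/home/www/example.org/index.html" pid=21889 comm="httpd2-prefork" requested_mask="r" denied_mask="r" fsuid=30 ouid=0
"""

HAT_DIRECTIVE = re.compile(r"^\s*AADefaultHatName\s+(\S+)", re.M | re.I)
HAT_DEF = re.compile(r"^\s*(?:\^|hat\s+)(\S+?)\s*(?:flags=\([^)]*\)\s*)?\{", re.M)
AUDIT_HAT = re.compile(r'profile="[^"]*//([^"]+)"')

def configured_hats(conf):
    """Hat names requested with AADefaultHatName; commented-out lines are skipped."""
    return set(HAT_DIRECTIVE.findall(conf))

def missing_hats(conf, profile):
    """Configured hats that have no '^name {' or 'hat name {' block in the profile."""
    return sorted(configured_hats(conf) - set(HAT_DEF.findall(profile)))

def hat_hits(log):
    """Number of audit events per hat, taken from the profile="...//HAT" field."""
    return Counter(AUDIT_HAT.findall(log))

if __name__ == "__main__":
    print("configured but not defined:", missing_hats(APACHE_CONF, PROFILE))
    print("audit events per hat:", dict(hat_hits(AUDIT_LOG)))
```

A non-empty first list together with a high DEFAULT_URI count in the second is the situation described in this report.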

Jamie Strandboge (jdstrand) wrote :

Is this fixed in newer releases?

Changed in apparmor:
importance: Undecided → Medium
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for AppArmor because there has been no activity for 60 days.]

Changed in apparmor:
status: Incomplete → Expired