AppArmor

aa-logprof ignoring php-fpm changehat entries

Bug #1901007 reported by Mark Barrett on 2020-10-22

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	AppArmor	New	Undecided	Unassigned

Bug Description

I have recently created a php-fpm profile and accompanying changehats, all based on the profile currently sitting in the master git repository. I changed the include lines back to being prefixed with a hash and removed the 'if exists' statements.

After testing, the profiles do appear to be working and aa-status lists them as in complain mode. However, when I run aa-logprof, it ignores any entries for the changehats... for example

Oct 21 00:42:23 websrv1 kernel: [29945.776637] audit: type=1400 audit(1603237343.914:1962): apparmor="ALLOWED" operation="open" profile="php-fpm7.4//example" name="/var/www/example.com/html/wp-content/foobox-image-lightbox-SLHcDd.tmp" pid=32646 comm="php-fpm7.4" requested_mask="wc" denied_mask="wc" fsuid=2001 ouid=2001

...is not picked up, nor many other like it. This applies to all of the 5 changehats that I have so far created profiles for.

The changehats are in a subfolder called php-fpm.d and the necessary include entered in the main profile.

Tags:

Revision history for this message

Mark Barrett (mark4409) wrote on 2020-10-22:

I should have mentioned, I'm currently running Ubuntu Server 20.04 with all updates applied.

The version of apparmor and apparmor-utils installed is 2.13.3-7ubuntu5.1

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.