Applies to: Ubuntu 10.04 with
Linux station1 2.6.32-40-generic #87-Ubuntu SMP Tue Mar 6 00:56:56 UTC 2012 x86_64 GNU/Linux
# apt-cache policy apparmor
apparmor:
Installiert: 2.5.1-0ubuntu0.10.04.3
Kandidat: 2.5.1-0ubuntu0.10.04.3
Logprof/Genprof may be used to generate new apparmor profiles.
Logprof/Genprof read /var/log/audit/audit.log or /var/log/syslog and convert AppArmor-logs into AppArmor rules for the profiles.
Logprof/Genprof ignore some AppArmor messages and the resulting profiles are therefore missing some rules!
In our tests this happened with messages concerning the unlinking of file sockets and pid-files. This can easily be reproduced by removing the supplied mysqld-profile and recreating it from scratch with genprof /usr/sbin/mysqld.
The following message in the log files is ignored:
type=APPARMOR_DENIED msg=audit(1333625359.497:1157): operation="unlink" pid=3323 parent=1 profile="/usr/sbin/mysqld" requested_mask="d::" denied_mask="d::" fsuid=116 ouid=116 name="/var/run/mysqld/mysqld.sock"
Running logprof on the audit-log does not add the rule either:
# logprof /usr/sbin/mysqld
Reading log entries from /var/log/audit/audit.log.
Updating AppArmor profiles in /etc/apparmor.d.
Another example is Rsyslogd. Create a profile from scratch and the unlinking the pid file is not honored:
type=APPARMOR_DENIED msg=audit(1333626051.867:1283): operation="unlink" pid=4984 parent=1 profile="/usr/sbin/rsyslogd" requested_mask="::d" denied_mask="::d" fsuid=101 ouid=0 name="/var/run/rsyslogd.pid"
Status changed to 'Confirmed' because the bug affects multiple users.