[Bug 905368] New: aa-logprof Never Catches Events
http://bugzilla.opensuse.org/show_bug.cgi?id=905368
Bug ID: 905368
Summary: aa-logprof Never Catches Events
Classification: openSUSE
Product: openSUSE Distribution
Version: 13.2
Hardware: x86-64
OS: openSUSE 13.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
Assignee: suse-beta@cboltz.de
Reporter: delder@novacoast.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101
Firefox/33.0
Build Identifier:
I recently upgraded from 13.1 to 13.2 (using boot media) and haven't been able
to update any AppArmor profiles using aa-logprof since then. AppArmor is
enabled and correctly logging events but aa-logprof will never report them or
give the ability to update them.
Reproducible: Always
Steps to Reproduce:
1. Profile an application (or do something unusual with an existing one), i.e.,
aa-autodep /usr/lib64/thunderbird/thunderbird.sh
2. Run application and generate events while in complain mode
3. Validate the events are being logged:
delder:/etc/apparmor.d # dmesg | grep thunderbird | grep apparmor
...
[ 9159.239221] audit: type=1400 audit(1415907687.111:18944279):
apparmor="ALLOWED" operation="file_lock"
profile="/usr/lib64/thunderbird/thunderbird.sh//null-8c"
name="/home/thunderbird/.thunderbird/z1zitdrz.default/ExQuilla/ex1.novacoast-2.com/ews-db.sqlite"
pid=20785 comm="thunderbird-bin" requested_mask="k" denied_mask="k" fsuid=1005
ouid=1005
[ 9159.239225] audit: type=1400 audit(1415907687.111:18944280):
apparmor="ALLOWED" operation="file_lock"
profile="/usr/lib64/thunderbird/thunderbird.sh//null-8c"
name="/home/thunderbird/.thunderbird/z1zitdrz.default/ExQuilla/ex1.novacoast-2.com/ews-db.sqlite"
pid=20785 comm="thunderbird-bin" requested_mask="k" denied_mask="k" fsuid=1005
ouid=1005
[ 9159.239228] audit: type=1400 audit(1415907687.111:18944281):
apparmor="ALLOWED" operation="file_lock"
profile="/usr/lib64/thunderbird/thunderbird.sh//null-8c"
name="/home/thunderbird/.thunderbird/z1zitdrz.default/ExQuilla/ex1.novacoast-2.com/ews-db.sqlite"
pid=20785 comm="thunderbird-bin" requested_mask="k" denied_mask="k" fsuid=1005
ouid=1005
[ 9159.239234] audit: type=1400 audit(1415907687.111:18944282):
apparmor="ALLOWED" operation="getattr"
profile="/usr/lib64/thunderbird/thunderbird.sh//null-8c"
name="/home/thunderbird/.thunderbird/z1zitdrz.default/ExQuilla/ex1.novacoast-2.com/ews-db.sqlite"
pid=20785 comm="thunderbird-bin" requested_mask="r" denied_mask="r" fsuid=1005
ouid=1005
[ 9159.239240] audit: type=1400 audit(1415907687.111:18944283):
apparmor="ALLOWED" operation="getattr"
profile="/usr/lib64/thunderbird/thunderbird.sh//null-8c"
name="/home/thunderbird/.thunderbird/z1zitdrz.default/ExQuilla/ex1.novacoast-2.com/ews-db.sqlite"
pid=20785 comm="thunderbird-bin" requested_mask="r" denied_mask="r" fsuid=1005
ouid=1005
[ 9159.239244] audit: type=1400 audit(1415907687.111:18944284):
apparmor="ALLOWED" operation="getattr"
profile="/usr/lib64/thunderbird/thunderbird.sh//null-8c"
name="/home/thunderbird/.thunderbird/z1zitdrz.default/ExQuilla/ex1.novacoast-2.com/ews-db.sqlite"
pid=20785 comm="thunderbird-bin" requested_mask="r" denied_mask="r" fsuid=1005
ouid=1005
[ 9159.239327] audit: type=1400 audit(1415907687.111:18944285):
apparmor="ALLOWED" operation="getattr"
profile="/usr/lib64/thunderbird/thunderbird.sh//null-8c"
name="/usr/share/zoneinfo/America/Los_Angeles" pid=20785 comm="thunderbird-bin"
requested_mask="r" denied_mask="r" fsuid=1005 ouid=0
[ 9159.239332] audit: type=1400 audit(1415907687.111:18944286):
apparmor="ALLOWED" operation="getattr"
profile="/usr/lib64/thunderbird/thunderbird.sh//null-8c"
name="/usr/share/zoneinfo/America/Los_Angeles" pid=20785 comm="thunderbird-bin"
requested_mask="r" denied_mask="r" fsuid=1005 ouid=0
[ 9159.239544] audit: type=1400 audit(1415907687.111:18944287):
apparmor="ALLOWED" operation="file_lock"
profile="/usr/lib64/thunderbird/thunderbird.sh//null-8c"
name="/home/thunderbird/.thunderbird/z1zitdrz.default/ExQuilla/ex1.novacoast-2.com/ews-db.sqlite"
pid=20785 comm="thunderbird-bin" requested_mask="k" denied_mask="k" fsuid=1005
ouid=1005
[ 9159.240275] audit: type=1400 audit(1415907687.112:18944288):
apparmor="ALLOWED" operation="file_lock"
profile="/usr/lib64/thunderbird/thunderbird.sh//null-8c"
name="/home/thunderbird/.thunderbird/z1zitdrz.default/ExQuilla/ex1.novacoast-2.com/ews-db.sqlite"
pid=20785 comm="thunderbird-bin" requested_mask="k" denied_mask="k" fsuid=1005
ouid=1005
4. Run aa-logprof:
delder:/etc/apparmor.d # aa-logprof
Reading log entries from /var/log/messages.
Updating AppArmor profiles in /etc/apparmor.d.
delder:/etc/apparmor.d #
The thunderbird profile is blank so all events should be captured:
delder:/etc/apparmor.d # cat usr.lib64.thunderbird.thunderbird.sh
# Last Modified: Mon Nov 10 11:26:00 2014
#include
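
A way to compare step 3 with step 4, added here as an example and not part of the original report or of the AppArmor tools: parse the type=1400 records from dmesg output, summarize them per profile, and list the audit serials that are absent from the text of the file aa-logprof reports reading. The function names and sample records are constructed, and the parser assumes one record per line, as in the real log rather than the wrapped e-mail above.

```python
import re
from collections import Counter

# key="value" or key=value pairs as they appear in AppArmor audit records
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# audit(<epoch>.<ms>:<serial>): header; found in both dmesg and syslog-prefixed lines
HEADER = re.compile(r'type=1400 audit\((\d+)\.\d+:(\d+)\):')

def parse_events(text):
    """Return one dict per AppArmor audit record found in text."""
    events = []
    for line in text.splitlines():
        head = HEADER.search(line)
        if not head or 'apparmor=' not in line:
            continue  # not an AppArmor record (or wrapped/truncated)
        fields = {k: (q if q else u) for k, q, u in PAIR.findall(line[head.end():])}
        fields['epoch'] = int(head.group(1))
        fields['serial'] = int(head.group(2))
        events.append(fields)
    return events

def summarize(events):
    """Count records per (profile, operation, name, denied_mask)."""
    return Counter((e.get('profile'), e.get('operation'), e.get('name'),
                    e.get('denied_mask')) for e in events)

def missing_from(source_text, logfile_text):
    """Audit serials seen in source_text (e.g. dmesg) but not in logfile_text."""
    have = {e['serial'] for e in parse_events(logfile_text)}
    return sorted(e['serial'] for e in parse_events(source_text)
                  if e['serial'] not in have)

# Constructed sample records in the same layout as the report's dmesg output.
_REC = ('audit: type=1400 audit(1400000000.111:{n}): apparmor="ALLOWED" '
        'operation="{op}" profile="/usr/bin/example//null-1" name="{name}" '
        'pid=4242 comm="example" requested_mask="{m}" denied_mask="{m}" '
        'fsuid=1000 ouid=1000')
SAMPLE_DMESG = '\n'.join([
    '[  100.000001] ' + _REC.format(n=101, op='file_lock', name='/home/user/data.db', m='k'),
    '[  100.000002] ' + _REC.format(n=102, op='file_lock', name='/home/user/data.db', m='k'),
    '[  100.000003] ' + _REC.format(n=103, op='getattr', name='/usr/share/zoneinfo/UTC', m='r'),
])
# Constructed syslog file content that holds only the first record.
SAMPLE_LOGFILE = ('2014-01-01T00:00:00+00:00 host kernel: [  100.000001] '
                  + _REC.format(n=101, op='file_lock', name='/home/user/data.db', m='k'))

if __name__ == '__main__':
    for key, count in summarize(parse_events(SAMPLE_DMESG)).items():
        print(count, key)
    print('missing from log file:', missing_from(SAMPLE_DMESG, SAMPLE_LOGFILE))
```

On a live system the two inputs would be the output of dmesg and the contents of /var/log/messages; a non-empty result from missing_from means the kernel emitted records that never reached that file.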