Comment # 9 on bug 1190552 from Cristian Rodr���guez

(In reply to Christian Boltz from comment #8)
> I'm afraid your audit.log caused more questions than it answers ;-)
> 
> Basically you have two events (repeated multiple times):
> 
> apparmor="DENIED" operation="sendmsg" profile="/usr/bin/lessopen.sh"
> pid=6779 comm="file" lport=814 family="inet" sock_type="dgram" protocol=17
> requested_mask="send" denied_mask="send"
> 
> apparmor="DENIED" operation="sendmsg" profile="/usr/bin/lessopen.sh"
> pid=7077 comm="lessopen.sh" lport=814 family="inet" sock_type="dgram"
> protocol=17 requested_mask="send" denied_mask="send"
> 
> It's very strange that the lessopen.sh script and "file" need inet dgram
> permissions. I asked upstream, and the answer was
> 
> [17:27:28] <jjohansen1> well, you can use it internal to the machine as a
> message passing protocol
> [17:27:51] <jjohansen1> this can be convenient if you have a need that could
> be local or remote
> [17:28:46] <jjohansen1> but it is certainly suspect, and needs to be looked
> into
> [...]
> [17:49:49] <jjohansen1> its interesting that its the file command and the
> script
> [17:50:01] <jjohansen1> perhaps its being used as a pipe?
> [17:51:41] <jjohansen1> an strace would be interesting to see
> 
> Unfortunately I'm not able to reproduce what you see, so - can you please do
> a strace, check that it causes these entries in audit.log again, and then
> attach the strace output?

"file" does use use socket() .. if it did.. there is a seccomp filter
dissallowing anything but AF_UNIX.


less doesn't use it either.

What the hell is going on.. don't have time to dig further right now. need a
trace of the program..  and whatis lport in the audit log also? wasn't able to
find the meaning on the web.. it is logging port? low port?