
http://bugzilla.novell.com/show_bug.cgi?id=496204

           Summary: genprof puts child profiles in enforce mode
    Classification: openSUSE
           Product: openSUSE 11.1
           Version: Final
          Platform: Other
        OS/Version: openSUSE 11.1
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: AppArmor
        AssignedTo: jeffm@novell.com
        ReportedBy: suse-beta@cboltz.de
         QAContact: qa@suse.de
          Found By: Beta-Customer

genprof puts child profiles in enforce mode, even if genprof is still running and watching the profiled application for events not yet covered by the profile.

A how-to-reproduce will probably explain this best.

1. run aa-genprof ~cb/bin/eg
2. work with eg to cause some log events
3. switch over to genprof, "Scan system log..." to create an initial profile.
   3a. choose to run /usr/lib/git/git-update-ref in a child profile
   3b. allow all other events (chosen permissions not relevant for this bug)
   3c. let genprof write the profile
   3d. Keep genprof running.
4. continue to use eg
5. wonder why git-update-ref reports a "permission denied" error...

The reason for the problem is that the child profile is put into enforce mode. This is how the profile looks _with genprof still running_:

# cat /etc/apparmor.d/home.cb.bin.eg
# Last Modified: Fri Apr 17 22:47:50 2009
#include <tunables/global>

/home/cb/bin/eg flags=(complain) {    # complain mode - as expected
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/perl>

  # [... several permissions ...]

  /usr/lib/git/git-update-ref mrcx,

  profile /usr/lib/git/git-update-ref {    # enforce mode!
    #include <abstractions/base>

    owner /home/*/.gitconfig r,
    /usr/lib/git/git-update-ref mr,
  }
}

As you can clearly see, only the main profile is in complain mode. The subprofile for git-update-ref is enforced - which is not the expected behaviour as long as genprof is running for the main profile.

IMHO the complete profile, including all subprofiles, hats, whatever should be in complain mode as long as genprof is running.
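A check for the mismatch described in the report, as an added example that is not part of the original bug report and not AppArmor's own tooling: it walks a profile file and lists child profiles or hats that are enforced while their top-level parent carries flags=(complain). The function names and the simplified header grammar (a name, optional flags, and an opening brace on one line) are assumptions made for this sketch.

```python
import re

# Constructed sample, shortened from the profile shown in the report.
SAMPLE = """\
#include <tunables/global>

/home/cb/bin/eg flags=(complain) {    # complain mode - as expected
  #include <abstractions/base>

  /usr/lib/git/git-update-ref mrcx,

  profile /usr/lib/git/git-update-ref {    # enforce mode!
    #include <abstractions/base>

    owner /home/*/.gitconfig r,
    /usr/lib/git/git-update-ref mr,
  }
}
"""

# Assumed simplified header form: [profile] NAME [flags=(...)] {
# Headers with a separate attachment path are not handled here.
HEADER = re.compile(
    r'^(?:profile\s+)?(?P<name>\S+)\s*(?:flags=\((?P<flags>[^)]*)\))?\s*\{$')

def profile_modes(text):
    """Return [(path_tuple, mode)] for every profile, child profile and hat."""
    stack, found = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('#'):                    # comment or #include
            continue
        line = re.sub(r'\s#.*$', '', line).strip()  # drop trailing comment
        m = HEADER.match(line)
        if m:
            flags = [f.strip() for f in (m.group('flags') or '').split(',')]
            mode = 'complain' if 'complain' in flags else 'enforce'
            stack.append(m.group('name'))
            found.append((tuple(stack), mode))
        elif line == '}' and stack:                 # end of a profile block
            stack.pop()
    return found

def enforced_children(text):
    """Nested profiles that are enforced although the top-level profile complains."""
    modes = dict(profile_modes(text))
    return ['//'.join(path) for path, mode in modes.items()
            if len(path) > 1 and mode == 'enforce'
            and modes[path[:1]] == 'complain']
```

Running enforced_children() over the files in /etc/apparmor.d while genprof is active shows which nested profiles would still deny access.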