http://bugzilla.novell.com/show_bug.cgi?id=496204
Summary: genprof puts child profiles in enforce mode
Classification: openSUSE
Product: openSUSE 11.1
Version: Final
Platform: Other
OS/Version: openSUSE 11.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
AssignedTo: jeffm@novell.com
ReportedBy: suse-beta@cboltz.de
QAContact: qa@suse.de
Found By: Beta-Customer
genprof puts child profiles in enforce mode, even if genprof is still running
and watching the profiled application for events not yet covered by the
profile.
A how-to-reproduce will probably explain this best.
1. run aa-genprof ~cb/bin/eg
2. work with eg to cause some log events
3. switch over to genprof, "Scan system log..." to create an initial profile.
3a. choose to run /usr/lib/git/git-update-ref in a child profile
3b. allow all other events (chosen permissions not relevant for this bug)
3c. let genprof write the profile
3d. Keep genprof running.
4. continue to use eg
5. wonder why git-update-ref reports a "permission denied" error...
The reason for the problem is that the child profile is put into enforce mode.
This is how the profile looks _with genprof still running_:
# cat /etc/apparmor.d/home.cb.bin.eg
# Last Modified: Fri Apr 17 22:47:50 2009
#include
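
A check for the condition described in this report, as an added example that is not part of the original report or of the AppArmor tools: it walks a profile file and lists nested profiles or hats that lack `flags=(complain)` while their parent profile is in complain mode. The sample profile text is constructed for illustration (it is not the reporter's file), and the function names are hypothetical.

```python
import re

# Constructed sample, not the profile from the report: the parent profile is
# in complain mode, the child profile has no flags and is therefore enforced.
SAMPLE_PROFILE = """\
#include <tunables/global>

/home/cb/bin/eg flags=(complain) {
  #include <abstractions/base>
  /home/cb/bin/eg mr,

  profile /usr/lib/git/git-update-ref {
    #include <abstractions/base>
    /usr/lib/git/git-update-ref mr,
  }
}
"""

# A profile header: optional "profile" keyword, a name (or ^hat), optional flags, "{".
HEADER = re.compile(r'^(?:profile\s+)?(\^?[^\s{]+)\s*(?:flags=\(([^)]*)\))?\s*\{$')

def profile_modes(text):
    """Return (parent, name, mode) for every profile, child profile and hat."""
    found, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):   # comments and #include lines
            continue
        m = HEADER.match(line)
        if m:
            flags = [f.strip() for f in (m.group(2) or '').split(',')]
            mode = 'complain' if 'complain' in flags else 'enforce'
            found.append((stack[-1] if stack else None, m.group(1), mode))
            stack.append(m.group(1))
        elif line == '}' and stack:
            stack.pop()
    return found

def enforced_children(text):
    """Nested profiles in enforce mode whose parent profile is in complain mode."""
    entries = profile_modes(text)
    top = {name: mode for parent, name, mode in entries if parent is None}
    return [(parent, name) for parent, name, mode in entries
            if parent is not None and mode == 'enforce' and top.get(parent) == 'complain']

if __name__ == '__main__':
    for parent, child in enforced_children(SAMPLE_PROFILE):
        print(f"{child} is enforced while {parent} is in complain mode")
```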