aa-logprof asks for already existing network rules

Bug #1380367 reported by Christian Boltz
Affects: AppArmor
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

# cat /etc/apparmor.d/home.sys-tmp.ping
# Last Modified: Sun Oct 12 20:37:55 2014
#include <tunables/global>

/home/sys-tmp/ping flags=(complain) {
  #include <abstractions/base>

  capability net_raw,

  network inet dgram,
  network inet raw,

  /etc/resolv.conf r,
  /home/sys-tmp/ping mr,
  /run/nscd/* r,

}

Nevertheless aa-logprof asks to add those network rules: (I still have the audit.log of creating that profile, that's why I have log entries about them.)

# aa-logprof
Reading log entries from /var/log/audit/audit.log.
Updating AppArmor profiles in /etc/apparmor.d.
Complain-mode changes:

Profile: /home/sys-tmp/ping
Network Family: inet
Socket Type: dgram

[(A)llow] / (D)eny / (I)gnore / Audi(t) / Abo(r)t / (F)inish
Adding network access inet dgram to profile.

Profile: /home/sys-tmp/ping
Network Family: inet
Socket Type: raw

[(A)llow] / (D)eny / (I)gnore / Audi(t) / Abo(r)t / (F)inish
Adding network access inet raw to profile.

= Changed Local Profiles =
[...]

Needless to say that those "additions" don't change anything in the profile because the rules were already there.

Tags: aa-tools
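
Added example (not part of the original report, not AppArmor's code, and not the change made for this bug): a minimal check of logged network events against the network rules already present in a profile, the kind of comparison that would suppress the redundant prompts described above. The profile text and audit lines are constructed samples, the function names are hypothetical, and only the `network`, `network <family>` and `network <family> <type>` allow-rule forms are handled.

```python
import re

# Constructed sample inputs modelled on the profile and prompts in this report.
PROFILE = """\
/home/sys-tmp/ping flags=(complain) {
  #include <abstractions/base>
  capability net_raw,
  network inet dgram,
  network inet raw,
  /etc/resolv.conf r,
}
"""
AUDIT_LOG = """\
type=AVC msg=audit(1413138000.001:101): apparmor="ALLOWED" operation="create" profile="/home/sys-tmp/ping" pid=4242 comm="ping" family="inet" sock_type="dgram" protocol=1
type=AVC msg=audit(1413138000.002:102): apparmor="ALLOWED" operation="create" profile="/home/sys-tmp/ping" pid=4242 comm="ping" family="inet" sock_type="raw" protocol=1
type=AVC msg=audit(1413138000.003:103): apparmor="ALLOWED" operation="create" profile="/home/sys-tmp/ping" pid=4242 comm="ping" family="inet6" sock_type="raw" protocol=58
"""

# Plain allow rules only; lines starting with "deny" or "audit" do not match.
RULE_RE = re.compile(r"^\s*network(?:\s+(\w+))?(?:\s+(\w+))?\s*,\s*$")
EVENT_RE = re.compile(r'profile="([^"]+)".*?family="(\w+)"\s+sock_type="(\w+)"')

def profile_network_rules(profile_text):
    """Return a set of (family, sock_type) pairs; None means 'any'."""
    rules = set()
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.add((m.group(1), m.group(2)))
    return rules

def is_covered(rules, family, sock_type):
    """A rule covers an event if each field matches or is unspecified."""
    return any(f in (None, family) and t in (None, sock_type) for f, t in rules)

def new_network_events(profile_text, log_text, profile_name):
    """Logged (family, sock_type) pairs the profile does not already allow."""
    rules = profile_network_rules(profile_text)
    pending = []
    for m in EVENT_RE.finditer(log_text):
        name, family, sock_type = m.groups()
        pair = (family, sock_type)
        if name == profile_name and not is_covered(rules, *pair) and pair not in pending:
            pending.append(pair)
    return pending

if __name__ == "__main__":
    print(new_network_events(PROFILE, AUDIT_LOG, "/home/sys-tmp/ping"))
```

With the sample data, the two `inet` events from the report are filtered out as already allowed and only the constructed `inet6 raw` event remains to be asked about.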
Christian Boltz (cboltz) wrote :

Fixed in bzr r2764.

Changed in apparmor:
milestone: none → 2.9.1
status: New → Fix Committed
Steve Beattie (sbeattie) wrote :

AppArmor 2.9.1 has been released, closing.

Changed in apparmor:
status: Fix Committed → Fix Released