aa-logprof asks for already existing network rules
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
AppArmor | Fix Released | Undecided | Unassigned | |
Bug Description
```
# cat /etc/apparmor.
# Last Modified: Sun Oct 12 20:37:55 2014
#include <tunables/global>
/home/sys-tmp/ping flags=(complain) {
#include <abstractions/base>
capability net_raw,
network inet dgram,
network inet raw,
/etc/resolv.conf r,
/home/
/run/nscd/* r,
}
```
Nevertheless, aa-logprof asks to add those network rules: (I still have the audit.log from creating that profile; that's why I have log entries about them.)
```
# aa-logprof
Reading log entries from /var/log/
Updating AppArmor profiles in /etc/apparmor.d.
Complain-mode changes:
Profile: /home/sys-tmp/ping
Network Family: inet
Socket Type: dgram
[(A)llow] / (D)eny / (I)gnore / Audi(t) / Abo(r)t / (F)inish
Adding network access inet dgram to profile.
Profile: /home/sys-tmp/ping
Network Family: inet
Socket Type: raw
[(A)llow] / (D)eny / (I)gnore / Audi(t) / Abo(r)t / (F)inish
Adding network access inet raw to profile.
= Changed Local Profiles =
[...]
```
Needless to say, those "additions" don't change anything in the profile because the rules were already there.
Fixed in bzr r2764.
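One way to confirm from a profile and an audit log that such a prompt is redundant, as an added example that is not part of the original report and not aa-logprof's own code. The profile text and audit lines are constructed samples, the function names are hypothetical, and only the `network,`, `network <family>,` and `network <family> <type>,` rule forms are handled.

```python
import re

# Constructed sample: the network-relevant lines of the profile in the report.
PROFILE = """\
/home/sys-tmp/ping flags=(complain) {
  #include <abstractions/base>
  capability net_raw,
  network inet dgram,
  network inet raw,
  /etc/resolv.conf r,
}
"""

# Constructed audit.log lines (timestamps, pids and protocol numbers invented).
_AVC = ('type=AVC msg=audit(1413139075.{n}:{n}): apparmor="ALLOWED" '
        'operation="create" profile="/home/sys-tmp/ping" pid=4242 comm="ping" '
        'family="{fam}" sock_type="{typ}" protocol={proto}')
AUDIT = [
    _AVC.format(n=101, fam="inet", typ="dgram", proto=17),
    _AVC.format(n=102, fam="inet", typ="raw", proto=1),
    _AVC.format(n=103, fam="inet6", typ="raw", proto=58),
]

# Allow rules only: "deny network ..." and commented-out lines do not match.
RULE_RE = re.compile(r'^\s*(?:audit\s+)?network(?:\s+(\w+))?(?:\s+(\w+))?\s*,', re.M)
EVENT_RE = re.compile(r'profile="([^"]+)".*?family="(\w+)" sock_type="(\w+)"')

def network_rules(profile_text):
    """Return allow rules as (family, sock_type); None means 'any'."""
    return [(m.group(1), m.group(2)) for m in RULE_RE.finditer(profile_text)]

def is_covered(rules, family, sock_type):
    """True if some rule already permits this family/socket-type pair."""
    return any(f in (None, family) and t in (None, sock_type) for f, t in rules)

def uncovered_events(name, profile_text, audit_lines):
    """Logged network events for profile `name` that no existing rule covers."""
    rules = network_rules(profile_text)
    missing = []
    for line in audit_lines:
        m = EVENT_RE.search(line)
        if not m or m.group(1) != name:
            continue
        event = (m.group(2), m.group(3))
        if not is_covered(rules, *event) and event not in missing:
            missing.append(event)
    return missing
```

On the sample data only the `inet6 raw` event would justify a prompt; the `inet dgram` and `inet raw` events are already covered by the profile.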