pyllyukko edited this page Jul 30, 2024 · 8 revisions
  • Documentation
  • Keep an eye out for info="profile transition not found". This happens when a profile uses e.g. Px ("the new process should run under another profile that matches the name of the executable") and the profile it refers to is not loaded.

Problematic AppArmor profiles

dhclient

There are some issues in enforce mode:

Sep 10 22:24:34 debian8 dhclient: can't create /var/lib/NetworkManager/dhclient-8cba46aa-5e5c-43c6-8234-1936f411ed9a-eth0.lease: Permission denied
Sep 10 22:24:34 debian8 dhclient: execve (/usr/lib/NetworkManager/nm-dhcp-helper, ...): Permission denied
Sep 10 22:24:34 debian8 dhclient: Open a socket for LPF: Operation not permitted
Sep 10 22:24:34 debian8 dhclient: 
Sep 10 22:24:34 debian8 dhclient: If you think you have received this message due to a bug rather
Sep 10 22:24:34 debian8 dhclient: than a configuration issue please read the section on submitting
Sep 10 22:24:34 debian8 dhclient: bugs on either our web page at www.isc.org or in the README file
Sep 10 22:24:34 debian8 dhclient: before submitting a bug.  These pages explain the proper
Sep 10 22:24:34 debian8 dhclient: process and the information we find helpful for debugging..
Sep 10 22:24:34 debian8 dhclient: 
Sep 10 22:24:34 debian8 dhclient: exiting.

Switch back to complain mode: aa-complain /etc/apparmor.d/sbin.dhclient

16.3.2020: Still applies with Debian 10.

sshd

Problems ahead:

Sep 10 22:27:43 debian8 sshd[2439]: Did not receive identification string from XXX.YYY.ZZ.X
Sep 10 22:27:43 debian8 sshd[2440]: PAM audit_log_acct_message() failed: Operation not permitted
Sep 10 22:27:43 debian8 sshd[2440]: fatal: Access denied for user XYZ by PAM account configuration [preauth]
AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/sshd" pid=4970 comm="sshd" capability=21  capname="sys_admin"

Complain: aa-complain /etc/apparmor.d/usr.sbin.sshd

man

man: can't open the manpath configuration file /etc/manpath.config

Complain: aa-complain /etc/apparmor.d/usr.bin.man

16.3.2020: Still applies with Debian 10.

logrotate

type=AVC msg=audit(1473578605.051:569): apparmor="DENIED" operation="file_lock" profile="/etc/cron.daily/logrotate" name="/etc/logrotate.conf" pid=1984 comm="logrotate" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
type=AVC msg=audit(1473578605.051:570): apparmor="DENIED" operation="open" profile="/etc/cron.daily/logrotate" name="/etc/logrotate.d/" pid=1984 comm="logrotate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

netstat

audit[21572]: AVC apparmor="DENIED" operation="open" profile="netstat" name="/proc/21572/net/udplite6" pid=21572 comm="netstat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
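To triage denials like the ones above in bulk, here is an added example (not part of this wiki or of harden.sh) that parses AVC lines in both formats seen on this page and groups an aa-logprof-style rule suggestion per profile; the sample log is constructed from the lines above plus one made-up "profile transition not found" line, and the @{PROC}/@{pid} generalisation is my own simplification.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from this page plus one made-up
# "profile transition not found" line (profile and paths are hypothetical).
SAMPLE_LOG = """\
type=AVC msg=audit(1473578605.051:569): apparmor="DENIED" operation="file_lock" profile="/etc/cron.daily/logrotate" name="/etc/logrotate.conf" pid=1984 comm="logrotate" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
type=AVC msg=audit(1473578605.051:570): apparmor="DENIED" operation="open" profile="/etc/cron.daily/logrotate" name="/etc/logrotate.d/" pid=1984 comm="logrotate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[21572]: AVC apparmor="DENIED" operation="open" profile="netstat" name="/proc/21572/net/udplite6" pid=21572 comm="netstat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/sshd" pid=4970 comm="sshd" capability=21  capname="sys_admin"
audit[1234]: AVC apparmor="DENIED" operation="exec" info="profile transition not found" error=-13 profile="/usr/sbin/example" name="/usr/bin/other" pid=1234 comm="example" requested_mask="x" denied_mask="x"
"""

# key=value or key="quoted value" tokens, as written by the AppArmor kernel module
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key/value fields of an AppArmor DENIED line, or None for other lines."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def generalize_path(name):
    """Replace a concrete /proc/<pid>/ prefix with the AppArmor variables @{PROC}/@{pid}/."""
    return re.sub(r"^/proc/\d+/", "@{PROC}/@{pid}/", name)

def suggest_rule(ev):
    """Turn one denial into the rule that would allow it; review each before granting."""
    if ev.get("operation") == "capable":
        return f'capability {ev["capname"]},'
    if ev.get("info") == "profile transition not found":
        # Px/Cx target profile is not loaded: fix the missing profile, not this one.
        return f'# missing transition target profile for {ev.get("name")}'
    mask = ev.get("denied_mask") or ev.get("requested_mask")
    if mask and "name" in ev:
        return f"{generalize_path(ev['name'])} {mask},"
    return None

def summarize(log_text):
    """Map each profile to a sorted, de-duplicated list of suggested rules."""
    by_profile = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_avc(line)
        rule = suggest_rule(ev) if ev else None
        if rule:
            by_profile[ev["profile"]].add(rule)
    return {profile: sorted(rules) for profile, rules in by_profile.items()}

if __name__ == "__main__":
    for profile, rules in summarize(SAMPLE_LOG).items():
        print(profile, *rules, sep="\n  ")
```

Treat the output as a worklist, not as rules to paste in: a suggestion like `capability sys_admin,` for sshd is very broad and is exactly the kind of denial that should stay in complain mode until the underlying need is understood.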