[apparmor] issue with aa_change_profile when already in complain mode

Seth Arnold seth.arnold at gmail.com
Tue Jul 17 17:32:22 UTC 2012


I don't think "but nothing happens" is the entire story -- check your audit messages and you will see that the profile of your R executable _has_ changed -- iirc, it'll append //null-1, //null-2, etc. to the existing profile name.

Complain mode is intended to be used with the automated tools when generating profiles. If the change profile permission is not yet in the profile, allowing the request and continuing as normal will then report the full behavior in the logs, and the admin can later allow or deny, and all the subsequent file accesses are then stored on the new or old profile as requested.

If instead permission was denied on change profile in complain mode, it would become immensely difficult to use the tools to confine a program that changes its profile -- future file accesses would all appear to come from the old profile.

What are you trying to do with R while in complain mode? Would it make sense to instead use the audit keyword in your R profile?
-----Original Message-----
From: Jeroen Ooms <jeroen.ooms at stat.ucla.edu>
Sender: apparmor-bounces at lists.ubuntu.com
Date: Tue, 17 Jul 2012 19:09:57 
To: <apparmor at lists.ubuntu.com>
Subject: [apparmor] issue with aa_change_profile when already in complain
	mode
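
Added example (not part of the original message): one way to act on the advice above to check the audit messages, by pulling complain-mode events logged under a `//null-` profile and grouping them by the profile they branched from. The log lines are constructed samples in the usual AppArmor key="value" audit layout, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not taken from the thread).
SAMPLE_LOG = '''\
type=AVC msg=audit(1342544900.101:210): apparmor="ALLOWED" operation="open" profile="/usr/bin/R" name="/etc/R/Renviron" pid=4242 comm="R" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1342544901.345:211): apparmor="ALLOWED" operation="open" profile="/usr/bin/R//null-1" name="/tmp/Rtmp/data.csv" pid=4242 comm="R" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1342544901.350:212): apparmor="ALLOWED" operation="mknod" profile="/usr/bin/R//null-1" name="/tmp/Rtmp/out.txt" pid=4242 comm="R" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1342544950.010:213): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

FIELD = re.compile(r'(\w+)="([^"]*)"')
NULL_MARK = "//null-"


def null_profile_accesses(log_text):
    """Return {parent profile: {null profile: sorted [(operation, name)]}}.

    Only complain-mode events (apparmor="ALLOWED") whose profile name
    carries a //null- suffix are kept; everything else is skipped.
    """
    grouped = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("apparmor") != "ALLOWED":
            continue
        profile = fields.get("profile", "")
        # partition() also handles nested suffixes such as X//null-1//null-2
        parent, mark, _ = profile.partition(NULL_MARK)
        if not mark:
            continue
        grouped[parent][profile].add(
            (fields.get("operation"), fields.get("name"))
        )
    return {p: {c: sorted(v) for c, v in kids.items()}
            for p, kids in grouped.items()}


if __name__ == "__main__":
    for parent, kids in null_profile_accesses(SAMPLE_LOG).items():
        for child, events in kids.items():
            print(f"{parent} -> {child}")
            for operation, name in events:
                print(f"    {operation:8} {name}")
```
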
