[apparmor] profiles cannot be deleted
Aaron Lewis
the.warl0ck.1989 at gmail.com
Fri Dec 20 10:02:35 UTC 2013
Hi John
Thanks for the quick reply, I'm going to try that next time I
encounter certain situations.
It seems like if the file gets deleted, the rules become a mess.
On Fri, Dec 20, 2013 at 5:45 PM, John Johansen
<john.johansen at canonical.com> wrote:
> On 12/20/2013 01:22 AM, Aaron Lewis wrote:
>> Hi,
>>
>> I couldn't delete profiles, in aa-status I see bunches of lines like this,
>>
>> 188 profiles are in complain mode.
>> /opt/cisco/anyconnect/bin/vpnagentd//null-1
>> /opt/cisco/anyconnect/bin/vpnagentd//null-10
>> /opt/cisco/anyconnect/bin/vpnagentd//null-11
>> /opt/cisco/anyconnect/bin/vpnagentd//null-12
>> /opt/cisco/anyconnect/bin/vpnagentd//null-13
>> /opt/cisco/anyconnect/bin/vpnagentd//null-14
>>
> These are learning profiles that are created when a profile in complain mode
> does an exec and the current profile does not have a rule to cover the
> transition.
>
> They were supposed to be auto-delete/remove profiles so that they would
> be reaped as soon as the last reference to them was removed. However due to
> current limitations in the ref counting that does not happen yet.
>
> This is one of the things that should be fixed in the 3.0 release.
>
>> I have to reboot to clear them out.
>>
>
> if you do
> echo -n "/opt/cisco/anyconnect/bin/vpnagentd/null-10" >/sys/kernel/security/apparmor/.remove
>
> does this correctly remove the profile for you?
>
--
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E
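
The cleanup discussed in this thread, as an added example that is not part of the original messages: it picks the `//null-N` learning profiles out of an `aa-status` style listing and writes each name, exactly as listed, to the removal interface quoted above. The function names, the `APPARMOR_REMOVE` override, and the sample listing (including `/usr/sbin/example`) are constructed for illustration.

```shell
#!/bin/sh
# Added example: clean up leftover AppArmor learning ("//null-N") profiles.
# Assumption: the interface path is the one quoted in the thread; writing to
# it needs root. Set APPARMOR_REMOVE to a scratch file to try this safely.
APPARMOR_REMOVE="${APPARMOR_REMOVE:-/sys/kernel/security/apparmor/.remove}"

# Constructed sample in the shape of the aa-status excerpt in the thread.
sample_status() {
    cat <<'EOF'
5 profiles are in complain mode.
   /opt/cisco/anyconnect/bin/vpnagentd
   /opt/cisco/anyconnect/bin/vpnagentd//null-1
   /opt/cisco/anyconnect/bin/vpnagentd//null-10
   /usr/sbin/example (complain)
   /usr/sbin/example//null-3 (complain)
EOF
}

# Read a profile listing on stdin (bare names, or "name (mode)" lines) and
# print only learning profiles, matching the //null-N form shown in the thread.
list_null_profiles() {
    sed -E -e 's/^[[:space:]]+//' -e 's/[[:space:]]+$//' -e 's/ \([a-z]+\)$//' |
        grep -E '.+//null-[0-9]+$' |
        LC_ALL=C sort -u
}

# Write each name from stdin to the removal interface, one write per profile
# and without a trailing newline (the same effect as echo -n). Prints a
# summary line and returns non-zero if any write failed.
remove_null_profiles() {
    removed=0 failed=0
    while IFS= read -r name; do
        if printf '%s' "$name" > "$APPARMOR_REMOVE" 2>/dev/null; then
            removed=$((removed + 1))
        else
            failed=$((failed + 1))
            echo "could not remove: $name" >&2
        fi
    done
    echo "removed=$removed failed=$failed"
    [ "$failed" -eq 0 ]
}
```

On a live system the equivalent pipeline, run as root, is `aa-status | list_null_profiles | remove_null_profiles`.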