[apparmor] AppArmor - dac_override questions
Christian Boltz
apparmor at cboltz.de
Sat Oct 24 22:37:27 UTC 2015
Hello,
On Friday, 23 October 2015, SZIGETVÁRI János wrote:
> So it seems to me, that it's not AppArmor that's preventing syslog-ng
> from accessing /proc/kmsg, but something else. And that is weird for
> me, because the profile contains capability dac_override, which
> should allow the running syslog-ng instance to circumvent the
> standard Linux DAC file access controls.
Maybe that's where your SELinux knowledge bites you ;-)
(I don't know much about SELinux, but I know that it puts labels on
files etc. and then decides about the permissions based on those
labels.)
If I understand your mail right, you are running syslog-ng as a non-root
user (correct?). Therefore it isn't allowed to read the root-only
/proc/kmsg, with or without an AppArmor profile.
AppArmor never *adds* permissions, it only restricts them.
This also means that a "capability dac_override," rule is only relevant
and helpful for processes running as root [1]. Processes running as non-
root will hit the usual Linux DAC restrictions (+ possibly additional
restrictions by the AppArmor profile).
To confirm this, chmod go+r /proc/kmsg and try again. If it works
afterwards, my guess was right - if not, I was wrong ;-)
Regards,
Christian Boltz
[1] For example, if you use rsync for doing your backups and run it as
root, restricted by an AppArmor profile, AppArmor will deny access
to files owned by a user with -rw------- permissions because
technically this means no other user is allowed to read this file.
Without AppArmor, the standard DAC makes an exception for root
"because root is allowed to do everything".
That's where "capability dac_override," comes into the game - only
with that rule added, the AppArmor-restricted process will be able
to read the file. Without that rule, root loses his "allowed to do
everything" permissions and is treated as every other user ;-)
--
GETOPT(3)
BUGS
This manpage is confusing.
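The decision Christian describes above (DAC first, then CAP_DAC_OVERRIDE as the only way past it, and AppArmor only mediating whether a confined process may *use* that capability) can be written out as a small model. This is an added example, not code from the list post or from the AppArmor project; it is a constructed simplification that ignores ACLs, CAP_DAC_READ_SEARCH, AppArmor file rules and complain mode, and the uid/gid/mode values in the scenarios are made up.

```python
"""Toy model of the read-permission decision for a process that may be
confined by AppArmor.  Constructed simplification: plain owner/group/other
DAC check, CAP_DAC_OVERRIDE as the bypass, and AppArmor's "capability X,"
rules as the gate on using that bypass.  Ignores ACLs, CAP_DAC_READ_SEARCH,
AppArmor file rules and complain mode."""

from dataclasses import dataclass
from typing import Optional, Tuple
import stat

CAP_DAC_OVERRIDE = "dac_override"


@dataclass(frozen=True)
class File:
    owner_uid: int
    owner_gid: int
    mode: int  # permission bits only, e.g. 0o600


@dataclass
class Process:
    uid: int
    gid: int
    groups: frozenset = frozenset()
    # effective capability set; root normally has CAP_DAC_OVERRIDE, users do not
    caps: frozenset = frozenset()
    # None = unconfined; otherwise the set of "capability X," rules in the profile
    profile_caps: Optional[frozenset] = None


def dac_allows_read(proc: Process, f: File) -> bool:
    """Plain discretionary check: owner bits, then group bits, then other."""
    if proc.uid == f.owner_uid:
        return bool(f.mode & stat.S_IRUSR)
    if proc.gid == f.owner_gid or f.owner_gid in proc.groups:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)


def can_read(proc: Process, f: File) -> Tuple[bool, str]:
    """Return (allowed, reason) for a read of f by proc."""
    if dac_allows_read(proc, f):
        return True, "dac"
    # DAC said no.  The only way past it is CAP_DAC_OVERRIDE in the process's
    # own capability set; AppArmor never adds a capability the process lacks.
    if CAP_DAC_OVERRIDE not in proc.caps:
        return False, "dac: no CAP_DAC_OVERRIDE in effective set"
    # AppArmor mediates capability *use*: a confined process may only use a
    # capability its profile grants with a "capability X," rule.
    if proc.profile_caps is not None and CAP_DAC_OVERRIDE not in proc.profile_caps:
        return False, "apparmor: capability dac_override not in profile"
    return True, "cap_dac_override"


# Constructed sample objects (not real system state).
ROOT_CAPS = frozenset({CAP_DAC_OVERRIDE})          # the one capability modelled here
KMSG = File(owner_uid=0, owner_gid=0, mode=0o400)  # /proc/kmsg as normally shipped
USER_FILE = File(owner_uid=1000, owner_gid=100, mode=0o600)
WITH_RULE = frozenset({CAP_DAC_OVERRIDE})          # profile containing "capability dac_override,"
WITHOUT_RULE = frozenset()                         # profile without that rule


def scenarios() -> dict:
    """The cases from the mail: rsync-as-root backups and syslog-ng as a user."""
    return {
        "root, unconfined, user's 0600 file":
            can_read(Process(0, 0, caps=ROOT_CAPS), USER_FILE),
        "root, confined, no dac_override rule":
            can_read(Process(0, 0, caps=ROOT_CAPS, profile_caps=WITHOUT_RULE), USER_FILE),
        "root, confined, dac_override rule":
            can_read(Process(0, 0, caps=ROOT_CAPS, profile_caps=WITH_RULE), USER_FILE),
        "non-root syslog user, dac_override rule, /proc/kmsg":
            can_read(Process(1001, 1001, profile_caps=WITH_RULE), KMSG),
        "non-root syslog user after chmod go+r /proc/kmsg":
            can_read(Process(1001, 1001, profile_caps=WITH_RULE), File(0, 0, 0o444)),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{'ALLOW' if ok else 'DENY ':5}  {name:55}  ({why})")
```

The fourth scenario is the situation in the thread: the profile rule is present but irrelevant, because the non-root process never had CAP_DAC_OVERRIDE for AppArmor to mediate; the fifth is Christian's `chmod go+r` check, which makes plain DAC succeed and leaves the capability path untouched.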