[apparmor] profile help request: operation="rename_src"
John Johansen
john.johansen at canonical.com
Wed Mar 9 09:21:01 UTC 2016
On 03/08/2016 02:57 PM, apparmor at raf.org wrote:
> Hi,
>
> After many months of happy operation, named has just
> started causing messages like the following:
>
> apparmor="DENIED"
> operation="open"
> profile="/usr/sbin/named"
> name="/var/log/bind/"
> pid=624
> comm="named"
> requested_mask="r"
> denied_mask="r"
> fsuid=114
> ouid=114
>
> Before that, I had had the following in its profile:
>
> /var/log/bind/named.log w,
> /var/log/bind/ rw,
>
> I don't understand why that wasn't correct.
> Any explanations would be appreciated.
> Should the second line have been "/var/log/bind rw"
> instead (i.e. without the trailing slash)?
>
No, from what you have provided the rule is correct. Can you provide
more information: distro, kernel, apparmor_parser version, and
a flattened dump of your named profile? (apparmor_parser -p your_named_profile_file)
> So I changed it to:
>
> /var/log/bind/* w,
> /var/log/bind/ rw,
>
> Then the following message started appearing:
>
> apparmor="DENIED"
> operation="rename_src"
> profile="/usr/sbin/named"
> name="/var/log/bind/named.log"
> pid=624 comm="named"
> requested_mask="r"
> denied_mask="r"
> fsuid=114
> ouid=114
>
> I've never seen operation="rename_src" before.
> I would expect rw on /var/log/bind to be enough
> for it but it doesn't seem to be.
>
> Can anyone tell what I'm doing wrong and what
> I need to change to allow this?
>
rename_src is the source file in a rename operation.
From your listed rule set you have not provided r for the
log file so that it can be read/renamed (think of copying from
source to destination).
You will need to modify
/var/log/bind/named.log w,
to
/var/log/bind/named.log rw,
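The exchange above amounts to a small procedure: read the `denied_mask` out of the DENIED line, compare it with what the profile already grants for that path, and add the missing letters. The following script is an added example (not code from the thread, and not part of AppArmor itself) that automates that check over audit lines. The sample lines are constructed by reassembling the key=value pairs quoted in the thread into the single-line form the kernel emits; the glob matching (`*` within one path component, `**` across components) is a simplified stand-in for AppArmor's own rule matching and is an assumption of this example, not a statement about the parser.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample audit lines, reassembled from the key=value pairs
# quoted in the thread (one event per line, as the kernel emits them).
SAMPLE_DENIALS = [
    'apparmor="DENIED" operation="open" profile="/usr/sbin/named" '
    'name="/var/log/bind/" pid=624 comm="named" requested_mask="r" '
    'denied_mask="r" fsuid=114 ouid=114',
    'apparmor="DENIED" operation="rename_src" profile="/usr/sbin/named" '
    'name="/var/log/bind/named.log" pid=624 comm="named" requested_mask="r" '
    'denied_mask="r" fsuid=114 ouid=114',
]

# The poster's original file rules: rule path -> permission letters.
EXISTING_RULES = {
    "/var/log/bind/named.log": "w",
    "/var/log/bind/": "rw",
}

# key=value pairs; values are either double-quoted or bare (pid=624).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Display order for AppArmor file permission letters (r before w, etc.).
PERM_ORDER = "rwaklmx"


def parse_denial(line: str) -> Dict[str, str]:
    """Split one audit line into a dict of its key=value fields."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def rule_matches(rule_path: str, path: str) -> bool:
    """Simplified AppArmor globbing (assumption of this example):
    '*' matches within a single path component, '**' across components."""
    pattern = re.escape(rule_path).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(pattern, path) is not None


def granted_permissions(path: str, rules: Dict[str, str]) -> Set[str]:
    """Union of the permission letters of every rule whose path matches."""
    granted: Set[str] = set()
    for rule_path, perms in rules.items():
        if rule_matches(rule_path, path):
            granted |= set(perms)
    return granted


def format_perms(perms: Set[str]) -> str:
    return "".join(sorted(perms, key=lambda p: (PERM_ORDER.find(p) % 99, p)))


def suggest_rule(fields: Dict[str, str], rules: Dict[str, str]) -> Optional[str]:
    """Return the file rule that would cover this denial, or None when the
    profile already grants the denied letters (so the cause lies elsewhere,
    as John notes for the first line in the thread)."""
    if fields.get("apparmor") != "DENIED" or "name" not in fields:
        return None
    path = fields["name"]
    missing = set(fields.get("denied_mask", "")) - granted_permissions(path, rules)
    if not missing:
        return None
    # Merge with an exact-path rule if one exists, e.g. 'w' + 'r' -> 'rw'.
    merged = set(rules.get(path, "")) | missing
    return f"{path} {format_perms(merged)},"


def review(lines: List[str], rules: Dict[str, str]) -> List[str]:
    """Run every audit line through suggest_rule and collect the results."""
    suggestions = []
    for line in lines:
        rule = suggest_rule(parse_denial(line), rules)
        if rule is not None:
            suggestions.append(rule)
    return suggestions


if __name__ == "__main__":
    for line in SAMPLE_DENIALS:
        fields = parse_denial(line)
        print(fields["operation"], fields["name"], "->",
              suggest_rule(fields, EXISTING_RULES) or "already granted, look elsewhere")
```

For the `rename_src` line the script produces `/var/log/bind/named.log rw,`, the same change John suggests; for the first `open` denial on `/var/log/bind/` it reports nothing to add, matching his reply that the directory rule was already correct and more information is needed.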