[apparmor] profile help request: operation="rename_src"

John Johansen john.johansen at canonical.com
Thu Mar 10 00:37:24 UTC 2016


On 03/09/2016 04:19 PM, apparmor at raf.org wrote:
> John Johansen wrote:
> 
>> On 03/08/2016 02:57 PM, apparmor at raf.org wrote:
>>> Hi,
>>>
>>> After many months of happy operation, named has just
>>> started causing messages like the following:
>>>
>>>   apparmor="DENIED"
>>>   operation="open"
>>>   profile="/usr/sbin/named"
>>>   name="/var/log/bind/"
>>>   pid=624
>>>   comm="named"
>>>   requested_mask="r"
>>>   denied_mask="r"
>>>   fsuid=114
>>>   ouid=114
>>>
>>> Before that, I had had the following in its profile:
>>>
>>>   /var/log/bind/named.log w,
>>>   /var/log/bind/ rw,
>>>
>>> I don't understand why that wasn't correct.
>>> Any explanations would be appreciated.
>>> Should the second line have been "/var/log/bind rw"
>>> instead (i.e. without the trailing slash)?
>>
>> No, from what you have provided the rule is correct. Can you provide
>> more information: distro, kernel, apparmor_parser version,
> 
> debian-8
> Linux s1.advancepayroll.com.au 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt20-1+deb8u4 (2016-02-29) x86_64 GNU/Linux
> AppArmor parser version 2.9.0
> 
>> a flattened dump of your named profile? (apparmor_parser -p your_named_profile_file)
> 
> it's attached.
> 
thanks, I'll poke at it


>>> So I changed it to:
>>>
>>>   /var/log/bind/* w,
>>>   /var/log/bind/ rw,
>>>
>>> Then the following message started appearing:
>>>
>>>   apparmor="DENIED"
>>>   operation="rename_src"
>>>   profile="/usr/sbin/named"
>>>   name="/var/log/bind/named.log"
>>>   pid=624
>>>   comm="named"
>>>   requested_mask="r"
>>>   denied_mask="r"
>>>   fsuid=114
>>>   ouid=114
>>>
>>> I've never seen operation="rename_src" before.
>>> I would expect rw on /var/log/bind to be enough
>>> for it but it doesn't seem to be.
>>>
>>> Can anyone tell what I'm doing wrong and what
>>> I need to change to allow this?
>>>
>> rename_src is the src file in a rename operation
>>
>> from your listed rule set you have not provided r for the
>> log file so that it can be read/renamed (think of copying from
>> source to destination).
>>
>> you will need to modify
>>    /var/log/bind/named.log w,
>>
>> to
>>    /var/log/bind/named.log rw,
> 
> That doesn't make sense.
> 
> You don't need to read or write permissions on a file
> in order to rename it. You only need read and write
> permissions on the directory that contains it.
No. That is standard unix DAC. AppArmor's permission
model is a little different because it allows expressing
things DAC can't. E.g. you can specify which files in
a directory can be created, not just that you have
write access to the directory.

For rename you need the rename permission, however that
isn't directly exposed at the moment and is hidden behind
r (it's for historic reasons, where yes, rename was treated
like copy).

> You would need read permission on a file to copy it
> but not to rename it.
> 
> The proof can be seen with:
> 
>  cd /tmp
>  mkdir ttt
>  cd ttt
>  touch aaa
>  chmod 0 aaa
>  ls -aslp
>  mv aaa bbb
>  ls -aslp
>  cd ..
>  rm -r ttt
> 

Again, DAC permissions, not what apparmor does.

> However, I did change the rules to:
> 
>   /var/log/bind/* rw,
>   /var/log/bind/ rw,
> 
> and haven't seen that message since so it probably worked.
> 
> But it still doesn't make sense. :-)
> 
> Many thanks,
> raf
> 

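The point of the exchange is that an AppArmor file rule is checked against the path the kernel reports in the denial, with the mask in requested_mask, regardless of what DAC would require for the same syscall: a rename_src event on /var/log/bind/named.log asking for r is only satisfied by a rule that grants r on that file, and the rw rule on /var/log/bind/ (trailing slash, so it names the directory itself) does nothing for it. The script below is an added example, not code from the thread or from the AppArmor project: it parses denial lines and diffs their requested_mask against a toy model of which profile rules match a path. The two denial lines are the events quoted in the thread, reassembled by hand into the single-line key=value form the audit log carries; the glob matcher is a simplified approximation of apparmor_parser's translation (no {a,b}, no [...], no owner/deny rules, no exec modes), so use it to reason about denials, not as a substitute for apparmor_parser -p or aa-logprof.

```python
import re

# Constructed sample input: the two DENIED events quoted in the thread,
# reassembled into the single-line key=value form that the audit log /
# dmesg actually carries (the thread shows them one field per line).
DENIALS = [
    'apparmor="DENIED" operation="open" profile="/usr/sbin/named" '
    'name="/var/log/bind/" pid=624 comm="named" requested_mask="r" '
    'denied_mask="r" fsuid=114 ouid=114',
    'apparmor="DENIED" operation="rename_src" profile="/usr/sbin/named" '
    'name="/var/log/bind/named.log" pid=624 comm="named" requested_mask="r" '
    'denied_mask="r" fsuid=114 ouid=114',
]

# The rule sets from the thread: the one that produced the rename_src
# denial, and the one raf settled on afterwards.
RULES_BEFORE = """
/var/log/bind/* w,
/var/log/bind/ rw,
"""
RULES_AFTER = """
/var/log/bind/* rw,
/var/log/bind/ rw,
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
RULE_RE = re.compile(r'^(/\S*)\s+([a-zA-Z]+)\s*,$')


def parse_denial(line):
    """Split one audit line into its key=value fields (quoted or bare)."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}


def glob_to_regex(pattern):
    """Translate a profile path glob to a regex.

    Simplified approximation of what apparmor_parser does, not the real
    thing: '**' spans '/', '*' and '?' do not; {a,b} alternation and
    [...] classes are not handled. A trailing '/' only matches a
    directory name, because the kernel reports directories that way.
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith('**', i):
            out.append('.*')
            i += 2
            continue
        c = pattern[i]
        out.append('[^/]*' if c == '*' else '[^/]' if c == '?' else re.escape(c))
        i += 1
    return re.compile('^' + ''.join(out) + '$')


def parse_rules(text):
    """Parse '<path> <perms>,' file rules; returns (glob, regex, perm set)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError('unsupported rule syntax (only plain file rules): %r' % line)
        rules.append((m.group(1), glob_to_regex(m.group(1)), set(m.group(2))))
    return rules


def granted(rules, path):
    """Permissions on path: the union over every rule whose glob matches.

    AppArmor accumulates overlapping allow rules; 'deny' rules, 'owner'
    qualifiers and exec modes (ix/Px/...) are outside this toy model.
    """
    perms = set()
    for _, rx, p in rules:
        if rx.match(path):
            perms |= p
    return perms


def check_denial(rules, line):
    """Compare the requested mask of a denial against what the rules grant.

    The operation name only says which side of the syscall was checked
    (rename_src = the source path); the permission that was actually
    missing is in requested_mask, so that is what we diff.
    """
    ev = parse_denial(line)
    have = granted(rules, ev['name'])
    missing = set(ev['requested_mask']) - have
    return {
        'operation': ev['operation'],
        'name': ev['name'],
        'granted': ''.join(sorted(have)),
        'missing': ''.join(sorted(missing)),
    }


if __name__ == '__main__':
    for label, text in (('before', RULES_BEFORE), ('after', RULES_AFTER)):
        rules = parse_rules(text)
        for line in DENIALS:
            r = check_denial(rules, line)
            verdict = 'missing %r' % r['missing'] if r['missing'] else 'covered'
            print('%-6s %-10s %-25s granted=%-3s %s'
                  % (label, r['operation'], r['name'], r['granted'] or '-', verdict))
```

Run as-is, the "before" rule set reports the rename_src denial as missing r on /var/log/bind/named.log (only w was granted there), and the "after" set covers it, which is the change John asked for. The earlier open denial on /var/log/bind/ comes out as covered under both sets, which is consistent with his reading that the directory rule itself was fine and the cause had to be looked for elsewhere, e.g. in the flattened profile.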