[apparmor] unexpected apparmor logs
apparmor at raf.org
Mon Mar 26 12:56:23 UTC 2018
intrigeri wrote:
> apparmor at raf.org:
> >> This does not match name="/run/lock/apache2/mpm-accept-0.22001"
> >>
> >> What about the broader:
> >>
> >> /{var/,}run/lock/apache2/mpm-accept* wk,
> >>
> >> ?
> >>
> >> Cheers,
> >> --
> >> intrigeri
>
> > hi,
>
> > ah, i see it now. there's a "-" before the 0 where the rule
> > is expecting a ".".
>
> > so, a better rule is:
>
> > /{var/,}run/lock/apache2/mpm-accept[.-][0-9]* wk,
>
> > to accept either a "." or "-" before the first digit.
>
> OK.

actually, apparmor doesn't like the "[.-]" construct.
i'll use your version instead.

> I don't understand where your profile comes from though:
> there's no rule about /run/lock/apache2 in the
> /etc/apparmor.d/usr.sbin.apache2 file that's shipped by the
> libapache2-mod-apparmor package in Debian 9 (Stretch).

i don't know where it came from either. i don't have the
libapache2-mod-apparmor package and every host i have an apache2
profile on, it didn't come from a package. maybe i found it
online somewhere. or maybe it was present in an older version of
the apparmor-profiles or apparmor-profiles-extra package (under
debian7?).

> Cheers,
> --
> intrigeri

thanks again.
cheers,
raf
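
Added example, not part of the original message or of AppArmor itself: a small checker that tests a logged `name=` value against candidate file rules before a profile is reloaded. It approximates only the `*`, `**`, `?` and `{a,b}` globs, and the `NARROW` rule is a constructed stand-in for a rule that expects a "." after `mpm-accept`.

```python
import re

def aa_glob_to_regex(glob):
    """Translate a subset of AppArmor path globbing (*, **, ?, {a,b}) to a regex."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")          # ** crosses directory boundaries
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")       # * stays within one path component
        elif c == "?":
            out.append("[^/]")        # ? is one character, never "/"
        elif c == "{":
            out.append("(?:")         # {a,b} alternation
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        elif c == "[":
            raise ValueError("character classes are not handled by this sketch")
        else:
            out.append(re.escape(c))
        i += 1
    if depth:
        raise ValueError("unbalanced '{' in rule path")
    return re.compile("".join(out) + r"\Z")

def rule_matches(rule, name):
    """rule is a file rule such as '/path/glob wk,'; name is the logged name= value."""
    path = rule.strip().rstrip(",").split()[0]   # drop permissions and trailing comma
    return aa_glob_to_regex(path).match(name) is not None

LOGGED = "/run/lock/apache2/mpm-accept-0.22001"        # name= value quoted in the thread
BROAD = "/{var/,}run/lock/apache2/mpm-accept* wk,"     # rule suggested in the thread
NARROW = "/{var/,}run/lock/apache2/mpm-accept.* wk,"   # constructed stand-in: expects "."

if __name__ == "__main__":
    for rule in (NARROW, BROAD):
        print(rule_matches(rule, LOGGED), rule)
```

The broad rule stays confined to the `apache2` lock directory because `*` never matches a "/".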