[apparmor] Apparmor profile enforce issue, when changing from root to non-root

swarna latha sswarnas at gmail.com
Tue Sep 1 04:09:18 UTC 2020


Yes Seth.

My system works fine if the capability line is in the profile.

Below are my two queries...

1. Is listing all the capabilities the same as adding the "capability," line?
   I don't see the same behaviour. Listing all the capabilities is not working,
   whereas adding the "capability," line works.
2. I am not able to identify the required capability from the AppArmor logs.
   Ideally we should see it in the capable operation? Is there any scenario
   where a capability is used and AppArmor does not log it?

Thanks,
Swarna
On Mon, Aug 31, 2020 at 11:26 PM Seth Arnold <seth.arnold at canonical.com> wrote:

> On Mon, Aug 31, 2020 at 10:34:46PM -0400, swarna latha wrote:
> > I am getting the complete set of libraries used by my process with
> > status= AUDIT, right from /etc/ld.so.cache. It looks to me as though the
> > profile is not applied, though I have rules allowing the /etc/ld.so cache
> > access.
> >
> > As I have these file entries in my profile, I am not getting
> > ALLOWED/DENIED, hence not able to regenerate the profile with these
> > events.
>
> Hello Swarna, so, is it the case that your system works fine when the
> 'capability,' line is in the profile, but when you remove it and reload
> the profile, the application doesn't start *and* doesn't log anything
> different?
>
> Thanks
>