[apparmor] systemd AppArmorProfile
Murali Selvaraj
murali.selvaraj2003 at gmail.com
Wed Jan 31 03:05:07 UTC 2024
Hi All,
Systemd provides the variable *AppArmorProfile=* for unit files.
I have enabled AppArmor support in systemd and confirmed it is enabled as
per the output below.
# systemctl --version
systemd 250 (250.5+)
-PAM -AUDIT -SELINUX *+APPARMOR* +IMA -SMACK -SECCOMP -GCRYPT -GNUTLS
-OPENSSL -ACL +BLKID -CURL -ELFUTILS -FIDO2 -IDN2 -IDN -IPTC +KMOD
-LIBCRYPTSETUP +LIBFDISK -PCRE2 -PWQUALITY -P11KIT -QRENCODE -BZIP2 -LZ4
-XZ -ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT
default-hierarchy=hybrid
*test.service*
[Service]
Type=forking
WorkingDirectory=/usr/local/
*AppArmorProfile-=foo*
ExecStart=/usr/bin/test
Restart=on-failure
During boot-up, profile "foo" is NOT loaded while executing
test.service. However, I am observing the logs below:
grep -rni DENIED /var/logs/messages.txt
431:1970 Jan 01 00:00:33 localhost: audit: type=1400 audit(33.089:2):
apparmor="DENIED" operation="change_onexec" info="label not found" error=-2
profile="unconfined" name="foo" pid=2970 comm="(sh)"
As per my understanding, if prefixed by "-", all errors will be ignored.
But I am still observing the above logs.
Do we need to update this line *AppArmorProfile-=foo* in the unit file?
I would like to understand the difference between *AppArmorProfile=foo*
and *AppArmorProfile-=foo*?
Please share your views.
Thanks
Murali.S
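Added example (not from the original post or from systemd/AppArmor): a POSIX shell helper that parses an AppArmor audit line of the shape quoted above and checks whether the named profile is present in the kernel's profile list. The sample audit line and the profile-list file used for the offline check are constructed; the optional second argument of `profile_loaded` is an assumption made so the function can be exercised without a running AppArmor kernel.

```shell
#!/bin/sh
# Constructed sample, copied in shape from the audit line in the post.
SAMPLE_LINE='audit: type=1400 audit(33.089:2): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="foo" pid=2970 comm="(sh)"'

# Print the value of one quoted key="value" field of an audit line.
# $1 = line, $2 = key. Prints nothing if the key is absent.
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# Return 0 and print the profile name when the line is a change_onexec
# denial caused by a profile that is not loaded ("label not found");
# return 1 for any other line.
missing_profile_denial() {
    line=$1
    [ "$(audit_field "$line" apparmor)" = "DENIED" ] || return 1
    [ "$(audit_field "$line" operation)" = "change_onexec" ] || return 1
    [ "$(audit_field "$line" info)" = "label not found" ] || return 1
    audit_field "$line" name
}

# Check whether profile $1 is loaded. The kernel lists loaded profiles
# as "name (mode)" lines in /sys/kernel/security/apparmor/profiles;
# $2 may point at a constructed file with the same layout (assumption
# for offline use). Returns 2 if the list cannot be read.
profile_loaded() {
    list=${2:-/sys/kernel/security/apparmor/profiles}
    [ -r "$list" ] || return 2
    grep -q "^$1 (" "$list"
}

# systemd.exec(5) documents the error-ignoring prefix on the value,
# i.e. AppArmorProfile=-foo; the kernel still logs the denial above,
# the prefix only stops systemd from failing the unit on that error.
if name=$(missing_profile_denial "$SAMPLE_LINE"); then
    echo "change_onexec denied: profile '$name' is not loaded in the kernel"
fi
```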