Apologies, this was due to a typo in the profile name (ocpu_exec vs ocpu-exec). But perhaps the error could have been more informative (profile does not exist vs permission denied).

On Wed, Jul 24, 2013 at 1:43 PM, Jeroen Ooms <jeroen.o...@stat.ucla.edu> wrote:
> I can't get the change_profile directive to work. I have two profiles
> loaded, called ocpu-main and ocpu-exec. The ocpu_main profile should
> allow to transition into the more restrictive ocpu-exec:
>
> #include <tunables/global>
> profile ocpu-main {
>   #include <opencpu.d/base>
>   #include <opencpu.d/server>
>   change_profile -> ocpu-exec,
> }
>
> In addition, the opencpu.d/server include contains:
>
> @{PROC}/[0-9]*/attr/current rw,
>
> So we should be good to go. However, when the process tries to make
> the transition, it still fails with a permission denied:
>
> Jul 24 13:36:59 Jeroen-Antec kernel: [13408.591656] type=1400
> audit(1374665818.998:818): apparmor="DENIED"
> operation="change_profile" parent=14654 profile="ocpu-main" pid=14655
> comm="apache2" target="ocpu_exec"
>
> There are no additional error messages in kern.log that give a hint on
> why it fails. What am I doing wrong? I am using version whatever ships
> with ubuntu raring.

--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
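
The check that would have caught this, as an added example that is not part of the original thread or of AppArmor itself: it compares the `target` of a `change_profile` denial with the names in the confining profile's `change_profile ->` rules and reports a near miss. The function names are hypothetical, the sample input is constructed from the text quoted above, and the parser assumes one flat profile block with exact (non-glob) target names.

```python
import difflib
import re

# Constructed sample input, taken from the profile and audit record quoted in the thread.
PROFILE_TEXT = """\
#include <tunables/global>
profile ocpu-main {
  #include <opencpu.d/base>
  #include <opencpu.d/server>
  change_profile -> ocpu-exec,
}
"""
AUDIT_LINE = ('type=1400 audit(1374665818.998:818): apparmor="DENIED" '
              'operation="change_profile" parent=14654 profile="ocpu-main" '
              'pid=14655 comm="apache2" target="ocpu_exec"')

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PROFILE_RE = re.compile(r'^\s*profile\s+(\S+)\s*\{', re.M)
RULE_RE = re.compile(r'^\s*change_profile\s*->\s*([^,\s]+)\s*,', re.M)

def parse_audit(line):
    """Return the key=value fields of an AppArmor audit record as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def allowed_targets(profile_text, profile_name):
    """Targets named by change_profile rules inside the given profile block."""
    for m in PROFILE_RE.finditer(profile_text):
        if m.group(1) == profile_name:
            end = profile_text.find("\n}", m.end())  # assumption: block closes with a bare "}"
            return RULE_RE.findall(profile_text[m.end():end if end != -1 else None])
    return []

def diagnose(audit_line, profile_text):
    """Explain a change_profile denial, or return None for any other record."""
    rec = parse_audit(audit_line)
    if rec.get("apparmor") != "DENIED" or rec.get("operation") != "change_profile":
        return None
    target = rec.get("target", "")
    allowed = allowed_targets(profile_text, rec.get("profile", ""))
    if target in allowed:
        return f"target {target!r} is allowed by a rule; look elsewhere"
    near = difflib.get_close_matches(target, allowed, n=1, cutoff=0.8)
    if near:
        return f"target {target!r} matches no rule; did you mean {near[0]!r}?"
    return f"target {target!r} matches no change_profile rule in {rec.get('profile')!r}"

if __name__ == "__main__":
    print(diagnose(AUDIT_LINE, PROFILE_TEXT))
```
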