On 08/07/2013 05:29 AM, azurIt wrote:
> Hi,
>
> I'm trying to use mod_apparmor in Apache but every request is creating a new
> profile inside the kernel, which looks like this:
> /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1001
> /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1003
> /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1005
> /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1007
> /usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1009
>
> and so on. There are TONS of such profiles after a few weeks of running:
> 42775 profiles are in complain mode.
>
> Am I doing something wrong?
>

Your profile is in complain mode and it is not finding the requested hat on its first attempt.
Basically, complain mode in apparmor is a learning mode: instead of rejecting requests that don't have permission, it logs but allows them (complains). Domain transitions are special in that when the requested domain doesn't exist it could be because it needs to be created yet, or it could be that the request needs to be merged into the current profile. So apparmor creates a new null-XXX profile that is used to track this request. These request profiles are piling up because there is a bug where null-XXX profiles are not being garbage collected when no longer in use.

Change the profile into enforce mode, using the aa-enforce tool on the file your apache profile is in (likely)

  aa-enforce /etc/apparmor.d/usr.lib.apache2.mpm-itk.apache2

or by manually adjusting it, either by deleting the symlink (if it exists) to the profile file in /etc/apparmor.d/complain, or by manually editing the profile to remove the complain flag, e.g.

  /usr/lib/apache2/mpm-itk/apache2 (complain) {...}

would become

  /usr/lib/apache2/mpm-itk/apache2 {...}

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
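The following shell snippet is an added example, not code from the thread or from the AppArmor project. It shows the two checks a practitioner would want before and after the fix described in the reply: counting the transient null-XXX profiles the kernel reports (the format of /sys/kernel/security/apparmor/profiles is "name (mode)" per line), listing which real profiles are still in complain mode, and stripping the "(complain)" flag from a profile header as the manual edit does. The profile listing is a constructed sample embedded inline so the script runs offline; on a live system you would feed it the real sysfs file instead.

```shell
#!/bin/sh
# Added example (not from the mailing list thread).  Helpers for
# diagnosing and fixing the "null-XXX profiles pile up in complain mode"
# problem.  All input is constructed here; nothing touches /etc or /sys.

# Constructed sample of /sys/kernel/security/apparmor/profiles while the
# apache profile is in complain mode and learning profiles have accumulated.
SAMPLE_PROFILES='/usr/lib/apache2/mpm-itk/apache2 (complain)
/usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI (complain)
/usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1001 (complain)
/usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1003 (complain)
/usr/lib/apache2/mpm-itk/apache2//DEFAULT_URI//null-1005 (complain)
/usr/sbin/cupsd (enforce)'

# Count the profiles the kernel created on the fly for missing hats.
# Their names end in //null-<number>.  Reads the listing from stdin;
# on a real host: count_null_profiles < /sys/kernel/security/apparmor/profiles
count_null_profiles() {
    grep -c '//null-[0-9][0-9]*' || :
}

# Print the non-transient profiles that are still in complain mode, i.e.
# the ones that need aa-enforce (or the manual flag edit) applied.
complain_profiles() {
    grep ' (complain)$' | grep -v '//null-' | sed 's/ (complain)$//'
}

# The manual edit from the reply: drop the complain flag from a profile
# header so that
#   /usr/lib/apache2/mpm-itk/apache2 (complain) {
# becomes
#   /usr/lib/apache2/mpm-itk/apache2 {
# Both the bare "(complain)" form and the "flags=(complain)" form are
# handled; a flags list with several entries is left untouched on purpose.
strip_complain_flag() {
    sed -e 's/[[:space:]]*flags=(complain)[[:space:]]*{/ {/' \
        -e 's/[[:space:]]*(complain)[[:space:]]*{/ {/'
}

# Stand-alone run over the constructed sample.
printf 'null profiles: %s\n' "$(printf '%s\n' "$SAMPLE_PROFILES" | count_null_profiles)"
printf 'still in complain mode:\n'
printf '%s\n' "$SAMPLE_PROFILES" | complain_profiles
printf '%s\n' '/usr/lib/apache2/mpm-itk/apache2 (complain) {' | strip_complain_flag
```

After editing a profile file by hand, reload it with apparmor_parser -r /etc/apparmor.d/<profile-file> so the kernel picks up the new flags; aa-enforce does that reload for you.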