Hello,

aa-logprof raises an exception if
- an include file contains a hat
- that file is included in a profile and
- aa-logprof hits an audit log entry for this profile

Reproducer:

    python3 aa-logprof -f <(echo 'Jun 19 11:50:36 piorun kernel: [4474496.458789] audit: type=1400 audit(1434707436.696:153): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/gai.conf" pid=2910 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0') -d ../profiles/apparmor.d/

This happens because profiles/apparmor.d/apache2.d/phpsysinfo was already read when pre-loading the include files.

This patch changes aa.py parse_profile_data() to only raise the exception if it is not handling includes currently.

I'm able to reproduce this issue with trunk and 2.9 and therefore propose this patch for both. (Interestingly, this code has existed since r0.1.38, and nobody has noticed it yet...)

[ 53-fix-logprof-for-hat-in-include.diff ]

=== modified file utils/apparmor/aa.py --- utils/apparmor/aa.py 2015-06-19 21:44:46.134232664 +0200 +++ utils/apparmor/aa.py 2015-06-21 18:57:50.915891775 +0200 @@ -3008,7 +3008,7 @@ if initial_comment: profile_data[profile][hat]['initial_comment'] = initial_comment initial_comment = '' - if filelist[file]['profiles'][profile].get(hat, False): + if filelist[file]['profiles'][profile].get(hat, False) and not do_include: raise AppArmorException(_('Error: Multiple definitions for hat %(hat)s in profile %(profile)s.') % { 'hat': hat, 'profile': profile }) filelist[file]['profiles'][profile][hat] = True

Regards,

Christian Boltz
-- 
> By the way, the test bug (#48) is a duplicate of bug #29 ;-)
Shit. Will you file a bug report? :-)
[> Christian Boltz and Ratti in fontlinge-devel]
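
Review bot: The added "and not do_include" on the ".get(hat, False)" condition switches off the "Multiple definitions for hat" check for every pass where do_include is set, not only for the case described in the message where an include file that was already pre-loaded gets read a second time. A hat that is defined twice while includes are being handled would therefore no longer be reported. Consider narrowing the condition to the re-read case (for example by not parsing an include file again once it has an entry in filelist), or, if the broader exemption is intended, add a comment on this line saying why includes are exempt. A regression test built from the reproducer's audit log line, with a profile that includes a file containing a hat, would keep this from coming back on trunk and 2.9.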