Hello, creating a file is in theory covered by the 'a' permission, however discussion on IRC brought up that depending on the open flags it might not be enough (real-world example: creating the apache pid file).
Therefore change the mapping to 'w' permissions - that might allow more than needed in some cases, but makes sure the profile always works. I propose this patch for 2.9, 2.10 and trunk [ 23-map-create-to-w.diff ] === modified file ./utils/apparmor/logparser.py --- utils/apparmor/logparser.py 2015-11-19 17:42:26.333879063 +0100 +++ utils/apparmor/logparser.py 2015-11-19 20:51:49.139296808 +0100 @@ -296,15 +296,15 @@ self.debug_logger.debug('UNHANDLED (missing request_mask): %s' % e) return None - # Map c (create) to a and d (delete) to w (logging is more detailed than the profile language) + # Map c (create) and d (delete) to w (logging is more detailed than the profile language) rmask = e['request_mask'] - rmask = rmask.replace('c', 'a') + rmask = rmask.replace('c', 'w') rmask = rmask.replace('d', 'w') if not validate_log_mode(hide_log_mode(rmask)): raise AppArmorException(_('Log contains unknown mode %s') % rmask) dmask = e['denied_mask'] - dmask = dmask.replace('c', 'a') + dmask = dmask.replace('c', 'w') dmask = dmask.replace('d', 'w') if not validate_log_mode(hide_log_mode(dmask)): raise AppArmorException(_('Log contains unknown mode %s') % dmask) Regards, Christian Boltz -- Warum nochmal benutzen alle Procmail? Das ist eine Art Quiz, oder? Wer die unleserlichtste Regel erstellt, bekommt einen Preis? [Thorsten Haude in suse-linux] -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor