Hello,

creating a file is in theory covered by the 'a' permission, however
discussion on IRC brought up that depending on the open flags it might
not be enough (real-world example: creating the apache pid file).

Therefore change the mapping to 'w' permissions - that might allow more
than needed in some cases, but makes sure the profile always works.


I propose this patch for 2.9, 2.10 and trunk


[ 23-map-create-to-w.diff ]

=== modified file ./utils/apparmor/logparser.py
--- utils/apparmor/logparser.py 2015-11-19 17:42:26.333879063 +0100
+++ utils/apparmor/logparser.py 2015-11-19 20:51:49.139296808 +0100
@@ -296,15 +296,15 @@
                 self.debug_logger.debug('UNHANDLED (missing request_mask): %s' 
% e)
                 return None
 
-            # Map c (create) to a and d (delete) to w (logging is more 
detailed than the profile language)
+            # Map c (create) and d (delete) to w (logging is more detailed 
than the profile language)
             rmask = e['request_mask']
-            rmask = rmask.replace('c', 'a')
+            rmask = rmask.replace('c', 'w')
             rmask = rmask.replace('d', 'w')
             if not validate_log_mode(hide_log_mode(rmask)):
                 raise AppArmorException(_('Log contains unknown mode %s') % 
rmask)
 
             dmask = e['denied_mask']
-            dmask = dmask.replace('c', 'a')
+            dmask = dmask.replace('c', 'w')
             dmask = dmask.replace('d', 'w')
             if not validate_log_mode(hide_log_mode(dmask)):
                 raise AppArmorException(_('Log contains unknown mode %s') % 
dmask)
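Review bot: the rationale for mapping 'c' to 'w' (a create that opens with write flags is not covered by 'a') lives only in this mail; the new comment in the hunk still just says "Map c (create) and d (delete) to w (logging is more detailed than the profile language)", so a reader of logparser.py will not know why 'a' was not sufficient. Suggest extending the comment, e.g. "# 'a' is not enough when the file is created with O_WRONLY/O_TRUNC, so map c to w". Also, the replace/replace/validate sequence is now identical for rmask and dmask; since this change touches both, it would be a good moment to fold them into a small helper so the two mappings cannot drift apart again.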


Regards,

Christian Boltz
-- 
Why does everyone use Procmail again? Is it some kind of quiz?
Whoever writes the most unreadable rule gets a prize?
[Thorsten Haude in suse-linux]


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor