Hello

Today, after using a guest account, I noticed a couple of DENIED entries in
the log files. They are related to the "/usr/lib/lightdm/lightdm-guest-session"
profile. I would like to ask: should I do something about this? For example,
add the needed rules, or leave it as is? Everything seems to work OK -
internet access and so on.

Here are these log entries:

#1
apparmor="DENIED" operation="connect"
profile="/usr/lib/lightdm/lightdm-guest-session" pid=2063 comm="initctl"
family="unix" sock_type="stream" protocol=0 requested_mask="send receive
accept" denied_mask="send accept"
addr="@/com/ubuntu/upstart-session/997/1544" peer_addr=none
peer="unconfined"

#2
audit: type=1400 audit(1495528863.079:97): apparmor="DENIED"
operation="open" profile="/usr/lib/lightdm/lightdm-guest-session"
name="/proc/2076/net/arp" pid=2083 comm=4C696E6B204D6F6E69746F72
requested_mask="r" denied_mask="r" fsuid=997 ouid=0

#3
audit: type=1400 audit(1495528866.475:98): apparmor="DENIED"
operation="connect" profile="/usr/lib/lightdm/lightdm-guest-session"
name="/run/systemd/journal/stdout" pid=1615 comm="dbus-daemon"
requested_mask="w" denied_mask="w" fsuid=997 ouid=0

#4
audit: type=1400 audit(1495528768.771:63): apparmor="DENIED"
operation="open" profile="/usr/lib/lightdm/lightdm-guest-session"
name="/proc/sys/kernel/cap_last_cap" pid=1699 comm="gnome-keyring-d"
requested_mask="r" denied_mask="r" fsuid=997 ouid=0

Note: "stdout" and "cap_last_cap" entries are repeated many times. Here are
some example rules. I would like to ask about them: are they OK or not, etc.
Opinions, suggestions and so on.

# 1: Frankly, I have no idea what this rule should look like. Maybe
# an <abstraction/*> should be used there?

# 2: Are these rules OK? If yes, which one is better to use?
@{PROC}/[0-9]*/net/arp r,
@{PROC}/@{pid}/net/arp r,

# 3: Same as with point 4: use one rule or <abstraction/*>?
# If the rule is OK, which one to use? What about an "owner" prefix?
/run/systemd/journal/stdout r,
/{,var/}run/systemd/journal/stdout r,

# 4: Should it be confined with a rule, or maybe it's better
# to use one of the <abstraction/*>?
@{PROC}/sys/kernel/cap_last_cap r,

What are your opinions about these rules? Are they OK to use? All of this
happened on the 16.04.2 LTS Release.

Thanks, best regards.
-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
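
An added example, not part of the original message: a small Python parser that groups AppArmor DENIED records like the four quoted above and decodes the hex-encoded comm field of entry #2. The sample lines are the post's entries rejoined onto single lines plus one constructed repeat; the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample: the four denials from the post, each rejoined onto one line,
# plus one repeat of the cap_last_cap denial with a made-up timestamp and serial.
SAMPLE = [
    'apparmor="DENIED" operation="connect" profile="/usr/lib/lightdm/lightdm-guest-session" pid=2063 comm="initctl" family="unix" sock_type="stream" protocol=0 requested_mask="send receive accept" denied_mask="send accept" addr="@/com/ubuntu/upstart-session/997/1544" peer_addr=none peer="unconfined"',
    'audit: type=1400 audit(1495528863.079:97): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/2076/net/arp" pid=2083 comm=4C696E6B204D6F6E69746F72 requested_mask="r" denied_mask="r" fsuid=997 ouid=0',
    'audit: type=1400 audit(1495528866.475:98): apparmor="DENIED" operation="connect" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/systemd/journal/stdout" pid=1615 comm="dbus-daemon" requested_mask="w" denied_mask="w" fsuid=997 ouid=0',
    'audit: type=1400 audit(1495528768.771:63): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/sys/kernel/cap_last_cap" pid=1699 comm="gnome-keyring-d" requested_mask="r" denied_mask="r" fsuid=997 ouid=0',
    'audit: type=1400 audit(1495528768.775:64): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/sys/kernel/cap_last_cap" pid=1699 comm="gnome-keyring-d" requested_mask="r" denied_mask="r" fsuid=997 ouid=0',
]

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')   # key="quoted value" or key=bare
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = {}
    for key, raw, quoted in FIELD.findall(line):
        value = quoted if raw.startswith('"') else raw
        # The audit subsystem hex-encodes an unquoted comm (e.g. one with spaces).
        if key == "comm" and not raw.startswith('"') and HEX.fullmatch(raw):
            value = bytes.fromhex(raw).decode("utf-8", "replace")
        fields[key] = value
    return fields if fields.get("apparmor") == "DENIED" else None

def summarize(lines):
    """Count denials per (comm, operation, target, denied_mask)."""
    counts = Counter()
    for line in lines:
        f = parse_denial(line)
        if f is None:
            continue
        target = f.get("name") or f.get("addr", "?")
        # Collapse per-process /proc paths so repeats from different pids group together.
        target = re.sub(r'^/proc/\d+/', '/proc/<pid>/', target)
        counts[(f["comm"], f["operation"], target, f["denied_mask"])] += 1
    return counts

if __name__ == "__main__":
    for (comm, op, target, mask), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}x  {comm:<16} {op:<8} denied={mask!r:<14} {target}")
```

The denied_mask column is the access the profile refused, so it is the value to compare against the permissions named in a candidate rule.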
