Hello,

Today, after using a guest account, I noticed a couple of DENIED entries in the log files. They are related to the "/usr/lib/lightdm/lightdm-guest-session" profile. I would like to ask: should I do something about this? For example, add the needed rules, or leave it as is? Everything seems to work OK - internet access and so on.

Here are these log entries:

✓1 apparmor="DENIED" operation="connect" profile="/usr/lib/lightdm/lightdm-guest-session" pid=2063 comm="initctl" family="unix" sock_type="stream" protocol=0 requested_mask="send receive accept" denied_mask="send accept" addr="@/com/ubuntu/upstart-session/997/1544" peer_addr=none peer="unconfined"

✓2 audit: type=1400 audit(1495528863.079:97): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/2076/net/arp" pid=2083 comm=4C696E6B204D6F6E69746F72 requested_mask="r" denied_mask="r" fsuid=997 ouid=0

✓3 audit: type=1400 audit(1495528866.475:98): apparmor="DENIED" operation="connect" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/systemd/journal/stdout" pid=1615 comm="dbus-daemon" requested_mask="w" denied_mask="w" fsuid=997 ouid=0

✓4 audit: type=1400 audit(1495528768.771:63): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/sys/kernel/cap_last_cap" pid=1699 comm="gnome-keyring-d" requested_mask="r" denied_mask="r" fsuid=997 ouid=0

Note: the "stdout" and "cap_last_cap" entries are repeated many times.

Here are some example rules. I would like to ask about them: are they OK or not, etc. Opinions, suggestions and so on.

# 1: Frankly, I have no idea what this rule should look like. Maybe
# <abstraction/*> should be used?

# 2: Are these rules OK? If yes, which one is better to use?
@{PROC}/[0-9]*/net/arp r,
@{PROC}/@{pid}/net/arp r,

# 3: Same as with point 4: use one rule or <abstraction/*>?
# If the rule is OK, which one to use? What about an "owner" prefix?
/run/systemd/journal/stdout r,
/{,var/}run/systemd/journal/stdout r,

# 4: Should it be confined with a rule, or maybe it's better
# to use one of the <abstraction/*>?
@{PROC}/sys/kernel/cap_last_cap r,

What are your opinions about these rules? Are they OK to use? All of this happened on the 16.04.2 LTS release.

Thanks, best regards.
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
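
An added example, not part of the original message and not AppArmor project code: a small Python parser for the four DENIED records quoted above. It decodes the hex-encoded comm field of entry 2 and collects the denied_mask per object, which is the access a candidate rule would have to grant. The names parse and needed_access are illustrative.

```python
import re
from collections import defaultdict

# The four records quoted in the message above (entries 1-4).
SAMPLE = [
    'apparmor="DENIED" operation="connect" profile="/usr/lib/lightdm/lightdm-guest-session" pid=2063 comm="initctl" family="unix" sock_type="stream" protocol=0 requested_mask="send receive accept" denied_mask="send accept" addr="@/com/ubuntu/upstart-session/997/1544" peer_addr=none peer="unconfined"',
    'audit: type=1400 audit(1495528863.079:97): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/2076/net/arp" pid=2083 comm=4C696E6B204D6F6E69746F72 requested_mask="r" denied_mask="r" fsuid=997 ouid=0',
    'audit: type=1400 audit(1495528866.475:98): apparmor="DENIED" operation="connect" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/systemd/journal/stdout" pid=1615 comm="dbus-daemon" requested_mask="w" denied_mask="w" fsuid=997 ouid=0',
    'audit: type=1400 audit(1495528768.771:63): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/sys/kernel/cap_last_cap" pid=1699 comm="gnome-keyring-d" requested_mask="r" denied_mask="r" fsuid=997 ouid=0',
]

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')   # key="quoted value" or key=bare
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')
HEX_FIELDS = {"comm", "name"}  # strings the kernel hex-encodes when unquoted


def parse(line):
    """Split one audit record into a dict of key -> decoded value."""
    rec = {}
    for key, raw, quoted in FIELD.findall(line):
        if raw.startswith('"'):
            rec[key] = quoted
        elif key in HEX_FIELDS and HEX.fullmatch(raw):
            # An unquoted string field is hex, e.g. a comm containing a space.
            rec[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            rec[key] = raw
    return rec


def needed_access(lines):
    """Map each denied object (file name or socket addr) to its denied permissions."""
    need = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec.get("apparmor") != "DENIED":
            continue
        target = rec.get("name") or rec.get("addr")
        need[target].update(rec["denied_mask"].split())
    return dict(need)


if __name__ == "__main__":
    for target, perms in needed_access(SAMPLE).items():
        print(f"{target}: {' '.join(sorted(perms))}")
```

For these records the summary shows w denied on /run/systemd/journal/stdout and r denied on the two /proc paths, and the comm of entry 2 decodes to "Link Monitor".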