On Thu, Jul 16, 2020 at 09:36:11PM +0200, mailinglis...@posteo.de wrote:
> Instead, as you can see, apparmor reports:
>
> Name: usr/sbin/ModemManager
> Name: usr/sbin/NetworkManager
>
>
> Is this probably an error in rkhunter and not in apparmor?

This is because rkhunter is executing in its own filesystem namespace for whatever reason, and the LSM interface isn't passing to AppArmor sufficient information for AppArmor to know the mountpoint that was used to access those files.

You can add flags=(attach_disconnected) near the start of the profile to cause these accesses to be treated as if they were mounted at /. eg

    profile rkhunter /usr/bin/rkhunter flags=(attach_disconnected) {
      /** r,
      ...
    }

Thanks

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
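
Added example, not part of the original message: a Python sketch that finds the symptom discussed above in AppArmor audit output, that is, denials reported as disconnected paths whose name has no leading slash, grouped by profile to show which profiles are candidates for flags=(attach_disconnected). The log lines are constructed samples modelled on the kernel audit format, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not from the original thread).
SAMPLE_LOG = """\
audit: type=1400 audit(1594928171.101:210): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="rkhunter" name="usr/sbin/ModemManager" pid=4242 comm="rkhunter" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1594928171.105:211): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="rkhunter" name="usr/sbin/NetworkManager" pid=4242 comm="rkhunter" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1594928171.109:212): apparmor="DENIED" operation="open" profile="rkhunter" name="/etc/shadow" pid=4242 comm="rkhunter" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1594928172.001:213): apparmor="DENIED" operation="mknod" profile="example-daemon" name="/var/tmp/x" pid=5151 comm="daemon" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value pairs as they appear in audit records.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(line):
    """Return the key/value pairs of one audit record as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def disconnected_denials(log_text):
    """Map profile -> sorted names denied because the path was disconnected.

    A record counts when AppArmor denied it, the kernel flagged a
    disconnected path, and the reported name lacks the leading '/'.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_fields(line)
        if rec.get("apparmor") != "DENIED":
            continue
        name = rec.get("name", "")
        if "disconnected path" in rec.get("info", "") and name and not name.startswith("/"):
            hits[rec.get("profile", "<unknown>")].add(name)
    return {profile: sorted(names) for profile, names in hits.items()}


if __name__ == "__main__":
    for profile, names in disconnected_denials(SAMPLE_LOG).items():
        print(f"profile {profile}: consider flags=(attach_disconnected)")
        for name in names:
            print(f"  disconnected name: {name}")
```

Review any profile it reports before adding the flag, since attach_disconnected makes those accesses match rules as if the files were mounted at /.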