Hi Didier,

I was not able to reply to your mail as I am not part of the above mailing
list; I have subscribed myself now.

Regarding your suggestion.

> From what I understand, unless you specify a deny rule, when you switch
> an AppArmor profile to complain mode, it complains but does not confine, so
> you would probably switch your AppArmor profile to enforce mode instead.

In my case it is not complaining at all, because the process is
unconfined.


> And I suspect that on a default Debian installation (Systemd instead of
> SysVinit), restarting unit or reloading configuration by a /etc/init.d
> command instead of systemctl might have undesired effects.

I tried with systemctl (systemctl reload/restart apparmor) but that also
didn't work.


On Fri, Jul 30, 2021 at 3:24 PM Ratan Gupta <ratankgupt...@gmail.com> wrote:

> Hi Team,
>
> Looking for your help.
>
> I have gone through the following link where a similar issue was asked.
>
> https://lists.debian.org/debian-user/2018/07/msg00542.html
>
> Issue: I made a profile for the application, and it is not getting
> confined by AppArmor.
>
> What I did:
>
> 1) I wrote the following profile
>
> root@abc:~# cat /etc/apparmor.d/usr.bin.phosphor-network-snmpconf
> # Last Modified: Thu Jul 29 14:30:33 2021
> #include <tunables/global>
>
> /usr/bin/phosphor-network-snmpconf flags=(complain) {
>   #include <abstractions/base>
>
>   /lib/x86_64-linux-gnu/ld-*.so mr,
>   /usr/bin/phosphor-network-snmpconf mr,
> }
>
> 2) Reload the apparmor profiles
>
> /etc/init.d/apparmor reload
>
> 3) I ran the binary under complain mode through the following command.
>
> aa-complain /usr/bin/phosphor-network-snmpconf
> Setting /usr/bin/phosphor-network-snmpconf to complain mode.
> [  875.716595] kauditd_printk_skb: 40 callbacks suppressed
> [  875.716649] audit: type=1400 audit(1627637368.796:113):
> apparmor="STATUS" operation="profile_replace" info="same as current
> profile, skipping" profile="unconfined"
> name="/usr/bin/phosphor-network-snmpconf" pid=815 comm="apparmor_parser"
>
> 4) Restart the snmp service which internally calls the
> phosphor-network-snmpconf
>
> systemctl restart xyz.openbmc_project.Network.SNMP.service
>
> 4) What the above service file looks like
>
> https://github.com/openbmc/openbmc/blob/1497c9c9c743277815d7b19f6112bf20c1e24c4f/meta-phosphor/recipes-phosphor/network/phosphor-snmp/xyz.openbmc_project.Network.SNMP.service
>
> 5) Output of aa-status as follows:
>
> ============================
> root@abc:~# aa-status
> apparmor module is loaded.
> 48 profiles are loaded.
> 47 profiles are in enforce mode.
>    /usr/lib/apache2/mpm-prefork/apache2
>    /usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
>    /usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
>    /usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
>    apache2
>    apache2//DEFAULT_URI
>    apache2//HANDLING_UNTRUSTED_INPUT
>    apache2//phpsysinfo
>    avahi-daemon
>    dnsmasq
>    dnsmasq//libvirt_leaseshelper
>    dovecot
>    dovecot-anvil
>    dovecot-auth
>    dovecot-config
>    dovecot-deliver
>    dovecot-dict
>    dovecot-dovecot-auth
>    dovecot-dovecot-lda
>    dovecot-dovecot-lda//sendmail
>    dovecot-imap
>    dovecot-imap-login
>    dovecot-lmtp
>    dovecot-log
>    dovecot-managesieve
>    dovecot-managesieve-login
>    dovecot-pop3
>    dovecot-pop3-login
>    dovecot-script-login
>    dovecot-ssl-params
>    dovecot-stats
>    identd
>    klogd
>    lsb_release
>    mdnsd
>    nmbd
>    nscd
>    ntpd
>    php-fpm
>    ping
>    smbd
>    smbldap-useradd
>    smbldap-useradd///etc/init.d/nscd
>    syslog-ng
>    syslogd
>    traceroute
>    winbindd
> 1 profiles are in complain mode.
>    /usr/bin/phosphor-network-snmpconf
> 0 profiles are in kill mode.
> 0 profiles are in unconfined mode.
> 1 processes have profiles defined.
> 0 processes are in enforce mode.
> 0 processes are in complain mode.
> 1 processes are unconfined but have a profile defined.
>    /usr/bin/phosphor-network-snmpconf (825)
> 0 processes are in mixed mode.
> 0 processes are in kill mode.
>
> 7) Source code of snmp service : https://github.com/openbmc/phosphor-snmp
>
> Expectation was that when I run the SNMP service, it should throw the
> DENIAL messages but I am not getting any DENIAL messages as the
> process is unconfined.
>
> Can you please let me know where I am making the mistake.
>
> Ratan
>
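
As an added example (not code from this thread, nor part of AppArmor's own tooling): a small Python parser for the aa-status output format shown in the quoted post, which flags exactly the "unconfined but have a profile defined" case reported above and looks up the mode of the matching profile. The sample output and the /usr/bin/example-daemon name are constructed.

```python
import re

# Constructed aa-status excerpt in the format the post shows (not the real output).
SAMPLE_AA_STATUS = """\
apparmor module is loaded.
2 profiles are loaded.
1 profiles are in enforce mode.
   /usr/bin/ping
1 profiles are in complain mode.
   /usr/bin/example-daemon
2 processes have profiles defined.
1 processes are in enforce mode.
   /usr/bin/ping (400)
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/bin/example-daemon (825)
0 processes are in mixed mode.
"""

SECTION_RE = re.compile(r"^\d+ (profiles|processes) (?:are|have) (.+?)\.$")
PROCESS_RE = re.compile(r"^\s+(\S+) \((\d+)\)$")

def parse_aa_status(text: str) -> dict:
    """Group aa-status output by header, e.g. sections['profiles in complain mode'].
    Profile sections hold names; process sections hold (path, pid) tuples."""
    sections: dict = {}
    current = None
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            current = f"{header.group(1)} {header.group(2)}"
            sections[current] = []
        elif current is not None and line.startswith("   "):
            proc = PROCESS_RE.match(line)
            sections[current].append((proc.group(1), int(proc.group(2))) if proc else line.strip())
    return sections

def profile_mode(sections: dict, name: str) -> str:
    """Mode the named profile is loaded in (the post's profile is named by its path)."""
    for mode in ("enforce", "complain", "kill", "unconfined"):
        if name in sections.get(f"profiles in {mode} mode", []):
            return mode
    return "not loaded"

def unconfined_with_profile(text: str) -> list:
    """(path, pid, profile mode) of each process AppArmor knows a profile for but is not
    confining. A profile attaches only at exec(), so such a process logs no audit events."""
    sections = parse_aa_status(text)
    return [(path, pid, profile_mode(sections, path))
            for path, pid in sections.get("processes unconfined but have a profile defined", [])]
```

Feed it the real `aa-status` output (`aa-status | python3 -c '...'` or a saved copy) to list every process that a loaded profile names but that was never exec'd under it.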
