[Openstack] Apparmor profile for dnsmasq

Mon, 13 Jan 2014 04:59:41 -0800 

Hi all,

would you please share a valid Apparmor profile for dnsmasq (Ubuntu), if you 
have one, or a good reference about this topic in openStack?


I tried to use the default profile provided by Canonical, but it still 
complains with some DENIED on Neutron node (Grizzly 2013.1.2), for examples:

Jan 13 06:25:19 neutron1 kernel: [2301400.755895] type=1400 
audit(1389594319.479:124798688): apparmor="DENIED" operation="open" 
parent=19108 profile="/usr/sbin/dnsmasq" name="/proc
/9463/mounts" pid=9463 comm="python" requested_mask="r" denied_mask="r" fsuid=0 
ouid=0

Jan 13 06:25:19 neutron1 kernel: [2301400.757665] type=1400 
audit(1389594319.483:124798689): apparmor="DENIED" operation="exec" parent=9473 
profile="/usr/sbin/dnsmasq" name="/sbin/
ldconfig" pid=9476 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

Jan 13 06:25:19 neutron1 kernel: [2301400.758668] type=1400 
audit(1389594319.483:124798693): apparmor="DENIED" operation="mknod" 
parent=19108 profile="/usr/sbin/dnsmasq" name="/tmp/RI6kSv" pid=9463 
comm="python" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

Jan 13 06:25:19 neutron1 kernel: [2301400.758737] type=1400 
audit(1389594319.483:124798694): apparmor="DENIED" operation="mknod" 
parent=19108 profile="/usr/sbin/dnsmasq" name="/var/tmp/bXIlha" pid=9463 
comm="python" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

Jan 13 06:25:19 neutron1 kernel: [2301400.758809] type=1400 
audit(1389594319.483:124798695): apparmor="DENIED" operation="mknod" 
parent=19108 profile="/usr/sbin/dnsmasq" name="/lens9X" pid=9463 comm="python" 
requested_mask="c" denied_mask="c" fsuid=0 ouid=0

Jan 13 06:25:19 neutron1 kernel: [2301400.758995] type=1400 
audit(1389594319.483:124798696): apparmor="DENIED" operation="mknod" 
parent=11094 profile="/usr/sbin/dnsmasq" name="/tmp/0XF3vE" pid=9462 
comm="python" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

Many thanks
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

Reply via email to