Re: [apparmor] Too much noise
On 12/07/2017 02:00 PM, azu...@pobox.sk wrote:
> Hi,
>
> I have this rule in my profile:
>
> owner /etc/passwd r,
>
> The problem is that the application is running under lots of different UIDs and all
> of them are trying to access /etc/passwd (which is not needed; only the master
> process, running under root, needs it). How to get rid of the noise in the
> logs? I cannot do 'deny /etc/passwd r' as it will also deny root (the master
> process) access to /etc/passwd.
>

You can try an undocumented, unsupported, experimental feature that will be supported in the future, but in a different form. Add the rule

deny other /etc/passwd r,

This will deny access to tasks with uids that are not the owner of the file (fsuid != file uid), and the deny will quiet logging because it is a known denial.

The other way is to use two profiles: one for the master process and another for all the other processes that should not be accessing the file, but this can be inconvenient to set up.

--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
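Added illustration, not part of the thread: before choosing between the 'deny other' rule and the two-profile approach from the reply above, it helps to confirm that the noise really comes from tasks whose fsuid differs from the file owner. The script below parses constructed AppArmor audit lines (the sample log is made up, not a capture from the poster's system) and counts DENIED events per profile and path, split into the non-owner accesses that a 'deny other' rule would silence and owner accesses that need a rule decision of their own.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel's apparmor audit format; they are not
# captures from the original poster's system.
SAMPLE_LOG = """\
audit: type=1400 apparmor="DENIED" operation="open" profile="/usr/sbin/app" name="/etc/passwd" pid=2001 comm="app" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
audit: type=1400 apparmor="DENIED" operation="open" profile="/usr/sbin/app" name="/etc/passwd" pid=2002 comm="app" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0
audit: type=1400 apparmor="DENIED" operation="open" profile="/usr/sbin/app" name="/etc/passwd" pid=2003 comm="app" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
audit: type=1400 apparmor="DENIED" operation="open" profile="/usr/sbin/app" name="/etc/shadow" pid=2000 comm="app" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 apparmor="ALLOWED" operation="open" profile="/usr/sbin/app" name="/etc/passwd" pid=2000 comm="app" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Split one audit line into a dict of key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def access_class(fields):
    """'non-owner' when the task's fsuid differs from the file's uid (ouid);
    that is the case a 'deny other' rule matches and logs quietly.
    'owner' otherwise: those events are not noise from the worker UIDs and
    need a rule decision of their own."""
    return "non-owner" if fields.get("fsuid") != fields.get("ouid") else "owner"


def summarize_denials(log_text):
    """Count DENIED events per (profile, path, access class); ALLOWED lines
    (complain mode) and non-apparmor lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if f.get("apparmor") != "DENIED":
            continue
        counts[(f["profile"], f["name"], access_class(f))] += 1
    return counts


if __name__ == "__main__":
    # Real use: summarize_denials(open("/var/log/audit/audit.log").read())
    for (profile, path, cls), n in sorted(summarize_denials(SAMPLE_LOG).items()):
        print(f"{n:4d}  {cls:9s}  {profile}  {path}")
```

On the sample data the three /etc/passwd denials are all non-owner (fsuid 1001/1002 against ouid 0), so they are exactly the noise the reply talks about, while the single /etc/shadow denial by uid 0 is a separate question about what the master process actually needs.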
[apparmor] Too much noise
Hi,

I have this rule in my profile:

owner /etc/passwd r,

The problem is that the application is running under lots of different UIDs and all of them are trying to access /etc/passwd (which is not needed; only the master process, running under root, needs it). How to get rid of the noise in the logs? I cannot do 'deny /etc/passwd r' as it will also deny root (the master process) access to /etc/passwd.

azur
Re: [apparmor] [profile] netstat: cannot open /proc/net/dev (permission denied.) Limited output.
Hello,

On Wednesday, 6 December 2017, 22:20:41 CET, Seth Arnold wrote:
> On Wed, Dec 06, 2017 at 07:14:05PM +, daniel curtis wrote:
> > As we can see, there is a simple "DENIED" action referring to the
> > {PROC} folder. What do all of you think about adding something like
> > this to the netstat profile? (Which one is a better choice? I would
> > like to use the first rule, because it uses a new '@{pid}' type.)
>
> I strongly recommend using:
>
> @{PROC}/@{pids}/net/dev r,

The profile already allows reading a dozen files there, and I'd guess netstat is _the_ tool to read files in those directories.

So, silly question - is there anything in @{PROC}/@{pids}/net/ that netstat should _not_ be allowed to read? (I'm not familiar with what all those files provide, so maybe there are some sensitive files netstat shouldn't be allowed to read.)

If nothing in @{PROC}/@{pids}/net/ is more sensitive than what we already allow to read, what about

@{PROC}/@{pids}/net/* r,

or even

@{PROC}/@{pids}/net/** r,

?

Regards,

Christian Boltz
--
> You mean the "personal experiences" of the people writing here, yes?
> Then it's good that you didn't ask here what you should use to sort
> your mails. Otherwise the answer would probably have been procmail.
Hehe, 1:0 for you.
[> Michael Meyer and Thorsten Haude in suse-linux]
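Added example, not part of the thread and not code from the AppArmor project: the difference between the three candidate rules above ('net/dev', 'net/*' and 'net/**') comes down to AppArmor's glob semantics, where '*' never crosses a '/' and '**' does. The Python below translates an AppArmor path glob into a regex following the apparmor.d(5) rules and checks candidate paths against each rule. The variable table is a constructed stand-in for the real @{PROC} and @{pids} tunables, and the detail that a '*' or '**' directly after '/' must match at least one character (so 'net/*' does not match the 'net/' directory itself) is my understanding of the upstream parser's behaviour, marked as an assumption in the code.

```python
import re

# Constructed stand-in for /etc/apparmor.d/tunables; the real @{PROC} and
# @{pids} definitions are more elaborate than this.
VARIABLES = {
    "PROC": ["/proc"],
    "pids": ["[0-9]*"],
}


def glob_to_regex(glob, variables=VARIABLES):
    """Translate an AppArmor path glob into a Python regex string.

    Implemented from apparmor.d(5): '*' any run of characters except '/',
    '**' any run of characters including '/', '?' one character except '/',
    '{a,b}' alternation, '[...]' character class, '@{VAR}' variable expansion.
    Assumption (matches my reading of the upstream parser): a '*' or '**'
    that directly follows '/' must match at least one character, so '/d/*'
    does not match '/d/' itself. Nested braces are not handled.
    """
    out = []
    i, n = 0, len(glob)
    while i < n:
        c = glob[i]
        after_slash = i > 0 and glob[i - 1] == "/"
        if glob.startswith("@{", i):
            end = glob.index("}", i)
            name = glob[i + 2:end]
            alts = [glob_to_regex(v, variables) for v in variables[name]]
            out.append("(?:" + "|".join(alts) + ")")
            i = end + 1
        elif glob.startswith("**", i):
            out.append("[^/].*" if after_slash else ".*")
            i += 2
        elif c == "*":
            out.append("[^/]+" if after_slash else "[^/]*")
            i += 1
        elif c == "?":
            out.append("[^/]")
            i += 1
        elif c == "{":
            end = glob.index("}", i)
            alts = [glob_to_regex(a, variables) for a in glob[i + 1:end].split(",")]
            out.append("(?:" + "|".join(alts) + ")")
            i = end + 1
        elif c == "[":
            end = glob.index("]", i)
            out.append(glob[i:end + 1])  # character classes pass straight through
            i = end + 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def matches(glob, path, variables=VARIABLES):
    """True if the whole path is matched by the AppArmor glob."""
    return re.fullmatch(glob_to_regex(glob, variables), path) is not None


def matching_rules(rules, path, variables=VARIABLES):
    """Return the subset of candidate rule paths that would cover 'path'."""
    return [r for r in rules if matches(r, path, variables)]


if __name__ == "__main__":
    candidates = [
        "@{PROC}/@{pids}/net/dev",
        "@{PROC}/@{pids}/net/*",
        "@{PROC}/@{pids}/net/**",
    ]
    for p in ["/proc/1234/net/dev", "/proc/1234/net/stat/arp_cache", "/proc/1234/net/"]:
        print(p, "->", matching_rules(candidates, p))
```

Running it shows the scope each rule buys: 'net/dev' covers exactly one file, 'net/*' covers every file directly inside net/ but nothing in subdirectories such as net/stat/, and 'net/**' covers the whole subtree. Since the review question is whether anything under net/ is more sensitive than what the profile already allows, the check worth running on a real system is this same matcher against a listing of /proc/<pid>/net/ before widening the rule.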