Re: [apparmor] [PATCH 1/8] utils: Improve error messages when profiles/parser is not found

2017-02-09 Thread Christian Boltz
Hello, On Wednesday, 8 February 2017, 22:01:38 CET, Tyler Hicks wrote: > When aa.py is imported, it looks for a set of profiles and it also > looks for the parser. Both of these paths are configured by > logprof.conf but it isn't always obvious which logprof.conf file was > used and, therefore, it

Re: [apparmor] [PATCH 2/8] utils: Update the logprof.conf in the test dir to point to in-tree paths

2017-02-09 Thread Christian Boltz
Hello, On Wednesday, 8 February 2017, 16:20:38 CET, Seth Arnold wrote: > On Wed, Feb 08, 2017 at 10:01:39PM +, Tyler Hicks wrote: > > The utils tests should make use of the logprof.conf that resides in > > utils/test/ when testing against the in-tree parser and profiles. > > When testing again

Re: [apparmor] [PATCH 3/8] utils: Add confdir env variable to aa.py for in-tree testing

2017-02-09 Thread Tyler Hicks
On 02/08/2017 06:00 PM, Seth Arnold wrote: > On Wed, Feb 08, 2017 at 10:01:40PM +, Tyler Hicks wrote: >> --- a/utils/apparmor/aa.py >> +++ b/utils/apparmor/aa.py >> @@ -73,7 +73,7 @@ _ = init_translation() >> # Setup logging incase of debugging is enabled >> debug_logger = DebugLogger('aa') >

Re: [apparmor] [PATCH 8/8] utils: Set parser executable path according to USE_SYSTEM make variable

2017-02-09 Thread Tyler Hicks
On 02/08/2017 06:23 PM, Seth Arnold wrote: > On Wed, Feb 08, 2017 at 10:01:45PM +, Tyler Hicks wrote: >> if USE_SYSTEM is not set, the utils make check target will instruct >> test-aa-easyprof.py to provide the path of the in-tree parser executable >> to aa-easyprof. >> >> If USE_SYSTEM is set,

[apparmor] [profile] lightdm-guest-session: "DENIED"; "mount" and "open" operation, gvfs-fuse-daemo and "/proc/*/net/arp" issue.

2017-02-09 Thread daniel curtis
Hi, I'd noticed that after logging in as a guest and performing some typical operations, such as web browsing with the newest Firefox 51.0.1 release etc., system log files - for example '/var/log/kern.log' and '/var/log/syslog' - contain "DENIED" entries. Here they are: * /var/log/kern.log file: Feb

Re: [apparmor] [PATCH 3/8] utils: Add confdir env variable to aa.py for in-tree testing

2017-02-09 Thread Seth Arnold
On Thu, Feb 09, 2017 at 10:11:18AM -0600, Tyler Hicks wrote: > Good catch! I'll change the line to: > > CONFDIR = os.getenv('APPARMOR_PY_CONFDIR') or '/etc/apparmor' > > Let me know if you'd like me to send a v2 of the patch. If nothing else needed changes, no need. Acked-by: Seth Arnold Than

Re: [apparmor] [PATCH 8/8] utils: Set parser executable path according to USE_SYSTEM make variable

2017-02-09 Thread Seth Arnold
On Thu, Feb 09, 2017 at 10:18:01AM -0600, Tyler Hicks wrote: > > This appears to suffer a similar problem: > > > >> +# Check __AA_PARSER, which may be set by the Makefile, to see if > >> +# we should use a non-default apparmor_parser path to verify > >> +# policy > >> +

Re: [apparmor] [profile] lightdm-guest-session: "DENIED"; "mount" and "open" operation, gvfs-fuse-daemo and "/proc/*/net/arp" issue.

2017-02-09 Thread Seth Arnold
On Thu, Feb 09, 2017 at 05:44:53PM +0100, daniel curtis wrote: > audit(1486652418.489:50): apparmor="DENIED" operation="mount" parent=1 > profile="/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper" > name="/tmp/guest-jETKy5/.gvfs/" pid=3025 comm="gvfs-fuse-daemo" > fstype="fuse.gvfs-fuse-daemo

[apparmor] [profile] lightdm-guest-session: "DENIED"; "mount" and "open" operation, gvfs-fuse-daemo and "/proc/*/net/arp" issue.

2017-02-09 Thread daniel curtis
Hi Seth, In my case, the use of the guest account is not something that happens very often and if it's already happening then it does not take too long; I think, less than an hour. It's good to know that it's nothing bad (I mean log entries etc.) and can be silenced by adding "deny" to these rules

Re: [apparmor] [profile] lightdm-guest-session: "DENIED"; "mount" and "open" operation, gvfs-fuse-daemo and "/proc/*/net/arp" issue.

2017-02-09 Thread Seth Arnold
On Thu, Feb 09, 2017 at 09:36:58PM +0100, daniel curtis wrote: > Of course, you're thinking about the > "/etc/apparmor.d/lightdm-guest-session" file, right? If I decide to silence > one of these messages, I should edit the mentioned profile and add, for > example, something like: > > deny /proc/[0-9]*/