AppArmor does not currently cache denials except an extremely limited
dedup for capabilities. Currently apparmor is relying on the audit
subsystem's rate limiting for its logging, which you have rightly noted is
insufficient.

AppArmor will continue to report a denial for the error until the
profile is reloaded. genprof/logprof should do this when you save but I
am pretty sure that is not happening in this case, given the other
errors you are seeing.

You can manually reload the profile by doing

  sudo apparmor_parser -r /path/to/profile_name

A better apparmor specific dedup cache is in development but it won't
land upstream until the 5.7 or 5.8 kernels.

As for the permission error, I am not sure what is going on but it
appears that part of the problem is that the tools are not configured
correctly. They are looking in /etc/apparmor.d and not finding what they
are looking for:

  > Profile for /etc/apparmor.d/abstractions not found, skipping
  > Profile for /etc/apparmor.d/apache2.d not found, skipping
  > Setting /etc/apparmor.d/bin.ping to complain mode.
  > Profile for /etc/apparmor.d/cache not found, skipping
  > Profile for /etc/apparmor.d/disable not found, skipping

I know Debian has the cache configured to /var/cache/apparmor, so looking
in /etc/apparmor.d for the cache is not right.

The failure to create the tmp file as root is interesting. How is your
/etc/ mounted?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1865450
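The repeated-denial point above, as an added example that is not code from this thread or from the AppArmor tools: since AppArmor only rate-limits denials rather than deduplicating them, a short Python pass over constructed audit lines (kernel type=1400 form as it appears in syslog) that collapses repeats per profile, operation and target and unions the denied masks, much like the summary aa-logprof would give when it is able to run.

```python
import re
from collections import OrderedDict

# Constructed sample lines (not from the bug report) in the kernel audit
# type=1400 form seen in syslog: the same sshd denial repeated, as it is
# until the profile is reloaded, plus an ALLOWED event and a capability denial.
SAMPLE_LOG = """\
Mar  4 10:00:01 host kernel: audit: type=1400 audit(1583316001.101:201): apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/etc/ssh/sshd_config" pid=1201 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mar  4 10:00:02 host kernel: audit: type=1400 audit(1583316002.102:202): apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/etc/ssh/sshd_config" pid=1202 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mar  4 10:00:03 host kernel: audit: type=1400 audit(1583316003.103:203): apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/etc/ssh/sshd_config" pid=1203 comm="sshd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Mar  4 10:00:04 host kernel: audit: type=1400 audit(1583316004.104:204): apparmor="ALLOWED" operation="open" profile="/usr/sbin/tcpdump" name="/var/www/index.html" pid=1300 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mar  4 10:00:05 host kernel: audit: type=1400 audit(1583316005.105:205): apparmor="DENIED" operation="capable" profile="/usr/sbin/tcpdump" pid=1301 comm="tcpdump" capability=13  capname="net_raw"
"""

# key=value or key="quoted value"; the quoted alternative is tried first.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Fields of one AppArmor audit line as a dict, or None if the line is
    not an AppArmor event."""
    if 'apparmor=' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def dedup_denials(log_text):
    """Collapse repeated DENIED events to one entry per (profile, operation,
    target), target being the file name or, for capability checks, the
    capability name. Each entry keeps the repeat count and the union of the
    denied masks, which is what a profile rule actually needs."""
    summary = OrderedDict()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get('apparmor') != 'DENIED':
            continue
        target = ev.get('name') or ev.get('capname') or ''
        key = (ev.get('profile'), ev.get('operation'), target)
        entry = summary.setdefault(key, {'count': 0, 'denied_mask': set()})
        entry['count'] += 1
        entry['denied_mask'].update(ev.get('denied_mask', ''))
    return summary


if __name__ == '__main__':
    for (profile, op, target), e in dedup_denials(SAMPLE_LOG).items():
        print('%3dx %s %s %s mask=%s' % (e['count'], profile, op, target,
                                         ''.join(sorted(e['denied_mask']))))
```

Feed it real kern.log or journalctl -k output to see how many distinct rules a flood of repeated denials actually amounts to.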

Title:
  PermissionError for AppArmor Profiles i.e., SSH

Status in apparmor package in Ubuntu:
  New

Bug description:
  I have created an AppArmor profile for SSH.
  The profile is created successfully but each time I run aa-logprof it gives
  PermissionError: [Errno 13]

  An example of the error:

  Traceback (most recent call last):
    File "/usr/sbin/aa-enforce", line 35, in <module>
      tool.cmd_enforce()
    File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 150, in cmd_enforce
      apparmor.set_enforce(profile, program)
    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 293, in set_enforce
      change_profile_flags(filename, program, 'complain', False)
    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 704, in change_profile_flags
      set_profile_flags(filename, program, newflags)
    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 753, in set_profile_flags
      os.rename(temp_file.name, prof_filename)
  PermissionError: [Errno 13] Permission denied: '/etc/apparmor.d/usr.sbin.tcpdumpwvx1h0xl~' -> '/etc/apparmor.d/usr.sbin.tcpdump'

  Please consider reporting a bug at https://bugs.launchpad.net/apparmor/
  and attach this file.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  Traceback (most recent call last):
    File "/usr/sbin/aa-logprof", line 50, in <module>
      apparmor.do_logprof_pass(logmark)
    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 1824, in do_logprof_pass
      save_profiles()
    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 1921, in save_profiles
      write_profile_ui_feedback(profile_name)
    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 3404, in write_profile_ui_feedback
      write_profile(profile)
    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 3413, in write_profile
      newprof = tempfile.NamedTemporaryFile('w', suffix='~', delete=False, dir=profile_dir)
    File "/usr/lib/python3.5/tempfile.py", line 688, in NamedTemporaryFile
      (fd, name) = _mkstemp_inner(dir, prefix, suffix, flags, output_type)
    File "/usr/lib/python3.5/tempfile.py", line 399, in _mkstemp_inner
      fd = _os.open(file, flags, 0o600)
  PermissionError: [Errno 13] Permission denied: '/etc/apparmor.d/tmpujtge2jq~'

  An unexpected error occurred!

  For details, see /tmp/apparmor-bugreport-5qnjyx3t.txt
  Please consider reporting a bug at https://bugs.launchpad.net/apparmor/
  and attach this file.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  root@protegrity-framework314:/var/www# aa-complain /etc/apparmor.d/*
  Profile for /etc/apparmor.d/abstractions not found, skipping
  Profile for /etc/apparmor.d/apache2.d not found, skipping
  Setting /etc/apparmor.d/bin.ping to complain mode.
  Profile for /etc/apparmor.d/cache not found, skipping
  Profile for /etc/apparmor.d/disable not found, skipping
  Setting /etc/apparmor.d/etc.opt.Cluster.cluster_config.status.xml to complain mode.
  Setting /etc/apparmor.d/etc.opt.Cluster.cluster_config.xml to complain mode.
  Traceback (most recent call last):
    File "/usr/sbin/aa-complain", line 35, in <module>
      tool.cmd_complain()
    File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 165, in cmd_complain
      apparmor.set_complain(profile, program)
    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 286, in set_complain
      change_profile_flags(filename, program, 'complain', True)
    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 704, in change_profile_flags
      set_profile_flags(filename, program, newflags)
    File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 720, in set_profile_flags
      temp_file = tempfile.NamedTemporaryFile('w', prefix=prof_filename, suffix='~', delete=False, dir=profile_dir)
    File "/usr/lib/python3.5/tempfile.py", line 688, in NamedTemporaryFile
      (fd, name) = _mkstemp_inner(dir, prefix, suffix, flags, output_type)
    File "/usr/lib/python3.5/tempfile.py", line 399, in _mkstemp_inner
      fd = _os.open(file, flags, 0o600)
  PermissionError: [Errno 13] Permission denied: '/etc/apparmor.d/etc.opt.Cluster.cluster_config.xml7m7t4rvb~'

  An unexpected error occurred!

  For details, see /tmp/apparmor-bugreport-oe_mo879.txt
  Please consider reporting a bug at https://bugs.launchpad.net/apparmor/
  and attach this file.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

  Secondly, once I accept this denial, AppArmor repeatedly gives similar
  denials for almost every profile.

  I am using a security product and running it on Debian 9.
  root@protegrity:/var/www# cat /etc/debian_version
  9.9

  I expect that these denials should not occur repeatedly.

  Please do check.
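For the permission error and the question of how /etc is mounted, an added diagnostic that is not code from this thread or from the AppArmor tools: it repeats the exact step the tracebacks fail at (a NamedTemporaryFile with suffix '~' in the profile directory) and reads the backing mount and its options from /proc/mounts, so the answer to "how is /etc mounted" and the probe result come back together. The default directory /etc/apparmor.d and the assumption that /proc/mounts is readable are mine.

```python
import os
import tempfile


def mount_info(path):
    """(mountpoint, fstype, options) of the mount backing path, from
    /proc/mounts, longest matching mountpoint wins; None if no /proc/mounts."""
    if not os.path.exists('/proc/mounts'):
        return None
    path = os.path.realpath(path)
    best = None
    with open('/proc/mounts') as f:
        for line in f:
            parts = line.split()
            if len(parts) < 4:
                continue
            mnt, fstype, opts = parts[1], parts[2], parts[3].split(',')
            if path == mnt or path.startswith(mnt.rstrip('/') + '/'):
                if best is None or len(mnt) > len(best[0]):
                    best = (mnt, fstype, opts)
    return best


def probe_tempfile(profile_dir):
    """Repeat the failing step: a NamedTemporaryFile with suffix '~' in
    profile_dir, removed again on success. Returns (ok, detail)."""
    try:
        tmp = tempfile.NamedTemporaryFile('w', suffix='~', delete=False,
                                          dir=profile_dir)
    except OSError as e:
        return False, '%s (errno %s)' % (e.strerror, e.errno)
    tmp.close()
    os.unlink(tmp.name)
    return True, tmp.name


def diagnose(profile_dir='/etc/apparmor.d'):
    """Facts that usually explain EACCES for root in the profile directory:
    backing mount, whether it is read-only, directory mode, probe result."""
    info = mount_info(profile_dir)
    ok, detail = probe_tempfile(profile_dir)
    return {
        'dir': profile_dir,
        'mount': info,
        'readonly': bool(info) and 'ro' in info[2],
        'mode': oct(os.stat(profile_dir).st_mode & 0o7777) if os.path.isdir(profile_dir) else None,
        'tempfile_ok': ok,
        'detail': detail,
    }
```

Run diagnose() as root on the affected host; a read-only or overlay mount in the 'mount' entry, or a probe failure with a normal 0o755 mode, narrows the cause before touching the tools' configuration.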


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp