Hi!

I'm using uwsgi for starting WSGI Python apps.

uwsgi itself is started with a systemd unit which also mandates that an AppArmor profile is loaded for that unit.

Although I'm using pretty tight AppArmor profiles, everything works.

Now I'd like to minimize the (false-positive?) messages AppArmor writes to the audit service.

For example, during start of the systemd unit the following line is written to the audit log:

type=AVC msg=audit(1533736326.584:30): apparmor="DENIED" operation="exec" profile="web2ldap" name="/bin/bash" pid=1109 comm="uwsgi" requested_mask="x" denied_mask="x" fsuid=29990 ouid=0

Now I really wonder why /bin/bash is accessed at all. The login shell of this particular system account for the unit is /usr/sbin/nologin.

In AppArmor I could simply mask this log message completely. But I'd strongly prefer to see it in case an attacker tries to do something bad.

So anything I could tweak in uwsgi.ini to avoid that?

Ciao, Michael.
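
Added example, not part of the original post and not uwsgi or AppArmor project code: a small parser that keeps denials like the one quoted above visible by counting denied exec attempts per profile, including the hex encoding the kernel audit code uses for values containing spaces or special characters. Only the first sample line comes from the post; the other lines and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: line 1 is the record from the post, the rest are made up.
SAMPLE = '''\
type=AVC msg=audit(1533736326.584:30): apparmor="DENIED" operation="exec" profile="web2ldap" name="/bin/bash" pid=1109 comm="uwsgi" requested_mask="x" denied_mask="x" fsuid=29990 ouid=0
type=AVC msg=audit(1533736401.120:41): apparmor="DENIED" operation="open" profile="web2ldap" name="/var/log/other.log" pid=1131 comm="uwsgi" requested_mask="r" denied_mask="r" fsuid=29990 ouid=0
type=AVC msg=audit(1533736455.002:57): apparmor="DENIED" operation="exec" profile="web2ldap" name=2F746D702F612062 pid=1190 comm="sh" requested_mask="x" denied_mask="x" fsuid=29990 ouid=0
type=SYSCALL msg=audit(1533736455.002:57): arch=c000003e syscall=59 success=no
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# String fields that audit writes as unquoted hex when they contain
# spaces, quotes or non-printable bytes.
HEX_FIELDS = {"name", "comm", "profile"}


def parse_record(line):
    """Return a dict for an AppArmor AVC record, or None for anything else."""
    m = HEADER.match(line.strip())
    if not m or m.group(1) != "AVC":
        return None
    rec = {"time": float(m.group(2)), "serial": int(m.group(3))}
    for key, raw, quoted in FIELD.findall(m.group(4)):
        if raw.startswith('"'):
            rec[key] = quoted
        elif key in HEX_FIELDS and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
            rec[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            rec[key] = raw
    return rec if "apparmor" in rec else None


def exec_denials(text, profile):
    """Count DENIED exec attempts for one profile, keyed by (comm, target)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if (rec and rec["apparmor"] == "DENIED"
                and rec.get("operation") == "exec"
                and rec.get("profile") == profile):
            counts[(rec.get("comm"), rec.get("name"))] += 1
    return counts


if __name__ == "__main__":
    for (comm, target), n in exec_denials(SAMPLE, "web2ldap").items():
        print(f"{n:3d}  comm={comm}  exec={target}")
```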



_______________________________________________
uWSGI mailing list
uWSGI@lists.unbit.it
http://lists.unbit.it/cgi-bin/mailman/listinfo/uwsgi
