On 08/08/2018 16:17, Michael Ströder wrote:
Hi!
I'm using uwsgi for starting WSGI Python apps.
uwsgi itself is started with a systemd unit which also mandates that an AppArmor
profile is loaded for that unit.
Although I'm using pretty tight AppArmor profiles, everything works.
Now I'd like to minimize the (false-positive?) messages AppArmor writes to the
audit service.
For example during start of the systemd unit the following line is written to
audit log:
type=AVC msg=audit(1533736326.584:30): apparmor="DENIED" operation="exec"
profile="web2ldap" name="/bin/bash" pid=1109 comm="uwsgi" requested_mask="x"
denied_mask="x" fsuid=29990 ouid=0
Now I really wonder why /bin/bash is accessed at all. The login shell of this
particular system account for the unit is /usr/sbin/nologin.
You should probably ask the application developers.
--
Riccardo Magliocchetti
@rmistaken
http://menodizero.it
_______________________________________________
uWSGI mailing list
uWSGI@lists.unbit.it
http://lists.unbit.it/cgi-bin/mailman/listinfo/uwsgi
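
Added example, not part of the original thread: a Python sketch that re-joins mail-wrapped audit records like the one quoted above and tallies AppArmor denials by profile, operation, path, command and mask, so recurring denials can be reviewed together. The first record is the one from the message; the other two are constructed, and all function names are assumptions of this example.

```python
import re
from collections import Counter

# Record 1 is quoted from the thread (wrapped by the mail client).
# Records 2 and 3 are constructed sample data for this example.
SAMPLE = '''type=AVC msg=audit(1533736326.584:30): apparmor="DENIED" operation="exec"
profile="web2ldap" name="/bin/bash" pid=1109 comm="uwsgi" requested_mask="x"
denied_mask="x" fsuid=29990 ouid=0
type=AVC msg=audit(1533736400.101:41): apparmor="DENIED" operation="exec" profile="web2ldap" name="/bin/bash" pid=1123 comm="uwsgi" requested_mask="x" denied_mask="x" fsuid=29990 ouid=0
type=AVC msg=audit(1533736401.000:42): apparmor="ALLOWED" operation="open" profile="web2ldap" name="/etc/hosts" pid=1123 comm="uwsgi" requested_mask="r" denied_mask="r" fsuid=29990 ouid=0
'''

# key=value pairs; values are either double-quoted or a run of non-space chars.
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def join_records(text):
    """Re-join records wrapped over several lines; each record starts with 'type='."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line  # continuation of the previous record
    return records

def parse_record(record):
    """Return the record's fields as a dict, with surrounding quotes removed."""
    fields = {}
    for m in FIELD.finditer(record):
        key, raw, quoted = m.groups()
        fields[key] = quoted if quoted is not None else raw
    return fields

def summarize_denials(text):
    """Count DENIED events per (profile, operation, name, comm, denied_mask)."""
    counts = Counter()
    for fields in map(parse_record, join_records(text)):
        if fields.get("apparmor") != "DENIED":
            continue  # skip ALLOWED (complain-mode) and non-AppArmor records
        counts[tuple(fields.get(k, "?") for k in
                     ("profile", "operation", "name", "comm", "denied_mask"))] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE).most_common():
        print(n, *key)
```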