Hello,

On Sunday, 5 June 2016, 13:34:19 CEST, Guido Günther wrote:
> On Sat, Jun 04, 2016 at 06:38:46PM +0200, Christian Boltz wrote:
> > deny rules are enforced even if you switch the profile to complain
> > mode, and don't leave any log events behind. You might want to
> > change them to "audit deny" temporarily to get log events (with
> > AUDIT).
>
> I did not know. Thanks! IMHO this needs to be mentioned in the
> aa-complain manpage to fulfill the "no PhD in computer science needed
> for" promise.
Good point. I just committed an updated manpage upstream (will be in
2.11, 2.10.2 and 2.9.4 whenever they get released).

> The issue turned out to be environment scrubbing:
>
> https://www.redhat.com/archives/libvir-list/2016-June/msg00117.html
>
> but I think the issue is still valid: getting an idea what gets
> dropped to the floor is too hard atm. With complain mode I'd expect:
>
> * denials logged by default

The whole point of deny rules is to silence the logging (except if they
also have the audit keyword). You can enable the logging by adding the
audit keyword, but the general rule is not to log anything that is
already handled (allowed or denied) in the profile.

> * a way to audit calls to subprocesses indicating whether the
> environment was scrubbed or not

You'll get this information by reading the profile ;-)
It already had "/usr/sbin/* PUx" [1] which also allowed
/usr/sbin/virtlogd - but with environment scrubbing.

I'm CC'ing another upstream developer, but I wouldn't be surprised if he
tells you the same ;-)

@John: Do you have a different opinion on Guido's points?

> * other stuff I might not even know about yet like DBus denials …

Actually I can't tell you too much about DBus because only the Ubuntu
kernel has DBus support for AppArmor (it's not upstreamed yet), and I'm
using openSUSE ;-)

Regards,

Christian Boltz

[1] I'm not sure if this rule (and the other broad PUx rules) are a good
idea [2], but a) I don't know libvirtd well enough to judge on it and
b) that's a totally different topic ;-)

[2] These PUx rules allow executing _all_ programs, and most of them
unconfined (except if a profile for this program exists). I slightly ;-)
doubt libvirtd needs to execute all of them...

--
[bugzilla is] being as co-operative as a 2 legged donkey pulling a 10 ton
tractor under attack by an army of bees
[Richard Brown in opensuse-factory]
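As an added illustration of the two points discussed in this message (not from the thread and not the real libvirtd profile), here is a profile fragment showing a plain deny rule that stays silent in complain mode next to its `audit deny` form, and the broad `/usr/sbin/* PUx` rule quoted above next to narrower exec rules. The profile name, the example-daemon and example-helper paths, and the audited log file are assumptions.

```apparmor
# Added example profile fragment (assumed name and paths); not the real libvirtd profile.
# Save under /etc/apparmor.d/ and load with `apparmor_parser -r <file>` to try it.
#include <tunables/global>

# flags=(complain) is what aa-complain sets: allow rules and unmatched accesses
# are logged instead of enforced, but deny rules are still enforced.
profile example-daemon /usr/local/sbin/example-daemon flags=(complain) {
  #include <abstractions/base>

  # Plain deny: enforced even in complain mode and produces NO log event,
  # so an access blocked here is invisible when debugging from the log.
  deny /etc/shadow r,

  # audit deny: still enforced in complain mode, but every rejected access
  # is now written to the log, which is what you want while working out
  # what gets "dropped to the floor". Remove the audit keyword afterwards.
  audit deny /etc/gshadow r,

  # audit without deny logs every matching (allowed) access as well.
  audit /var/log/example-daemon.log w,

  # Broad exec rule quoted in the thread: runs anything under /usr/sbin,
  # under its own profile if one exists (P), otherwise unconfined (U).
  # The uppercase letters mean the child's environment is scrubbed.
  /usr/sbin/* PUx,

  # Narrower alternatives (assumed paths): name the helpers actually needed.
  /usr/sbin/example-helper Px,    # must have its own profile, env scrubbed
  /usr/sbin/example-helper2 pux,  # lowercase: same fallback, env NOT scrubbed
}
```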