Hi Team,
Looking for your help. I have gone through the following link, where a similar issue was asked:
https://lists.debian.org/debian-user/2018/07/msg00542.html

Issue: I made a profile for the application, and it is not getting confined by AppArmor.

What I did:

1) I wrote the following profile:

root@abc:~# cat /etc/apparmor.d/usr.bin.phosphor-network-snmpconf
# Last Modified: Thu Jul 29 14:30:33 2021
#include <tunables/global>

/usr/bin/phosphor-network-snmpconf flags=(complain) {
  #include <abstractions/base>

  /lib/x86_64-linux-gnu/ld-*.so mr,
  /usr/bin/phosphor-network-snmpconf mr,

}

2) Reload the AppArmor profiles:

/etc/init.d/apparmor reload

3) I ran the binary under complain mode through the following command:

aa-complain /usr/bin/phosphor-network-snmpconf
Setting /usr/bin/phosphor-network-snmpconf to complain mode.
[ 875.716595] kauditd_printk_skb: 40 callbacks suppressed
[ 875.716649] audit: type=1400 audit(1627637368.796:113): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/usr/bin/phosphor-network-snmpconf" pid=815 comm="apparmor_parser"

4) Restart the SNMP service, which internally calls phosphor-network-snmpconf:

systemctl restart xyz.openbmc_project.Network.SNMP.service

5) This is how the above service file looks:
https://github.com/openbmc/openbmc/blob/1497c9c9c743277815d7b19f6112bf20c1e24c4f/meta-phosphor/recipes-phosphor/network/phosphor-snmp/xyz.openbmc_project.Network.SNMP.service

6) Output of aa-status is as follows:
============================
root@abc:~# aa-status
apparmor module is loaded.
48 profiles are loaded.
47 profiles are in enforce mode.
   /usr/lib/apache2/mpm-prefork/apache2
   /usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
   /usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
   /usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
   apache2
   apache2//DEFAULT_URI
   apache2//HANDLING_UNTRUSTED_INPUT
   apache2//phpsysinfo
   avahi-daemon
   dnsmasq
   dnsmasq//libvirt_leaseshelper
   dovecot
   dovecot-anvil
   dovecot-auth
   dovecot-config
   dovecot-deliver
   dovecot-dict
   dovecot-dovecot-auth
   dovecot-dovecot-lda
   dovecot-dovecot-lda//sendmail
   dovecot-imap
   dovecot-imap-login
   dovecot-lmtp
   dovecot-log
   dovecot-managesieve
   dovecot-managesieve-login
   dovecot-pop3
   dovecot-pop3-login
   dovecot-script-login
   dovecot-ssl-params
   dovecot-stats
   identd
   klogd
   lsb_release
   mdnsd
   nmbd
   nscd
   ntpd
   php-fpm
   ping
   smbd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   syslog-ng
   syslogd
   traceroute
   winbindd
1 profiles are in complain mode.
   /usr/bin/phosphor-network-snmpconf
0 profiles are in kill mode.
0 profiles are in unconfined mode.
1 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/bin/phosphor-network-snmpconf (825)
0 processes are in mixed mode.
0 processes are in kill mode.

7) Source code of the SNMP service:
https://github.com/openbmc/phosphor-snmp

My expectation was that when I run the SNMP service, it should throw DENIAL messages, but I am not getting any DENIAL messages as the process is unconfined. Can you please let me know where I am making the mistake?

Ratan
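An added check for the situation aa-status reports above (my own example, not code from the post or from the phosphor-snmp project): it pulls out of aa-status output the PIDs that are unconfined despite a profile existing for them, and classifies a process's label as read from /proc/<pid>/attr/current. AA_STATUS_SAMPLE is constructed from the excerpt in the post so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example: verify whether a running process actually carries its AppArmor label.

# Constructed sample, trimmed from the aa-status output in the post.
AA_STATUS_SAMPLE='apparmor module is loaded.
48 profiles are loaded.
1 profiles are in complain mode.
   /usr/bin/phosphor-network-snmpconf
1 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/bin/phosphor-network-snmpconf (825)
0 processes are in mixed mode.'

# Print the PIDs aa-status lists under "unconfined but have a profile defined".
# A profile only attaches at exec time, to the path it names, so loading or
# reloading the profile never relabels a process that is already running.
unconfined_with_profile() {
  printf '%s\n' "$1" | awk '
    /processes are unconfined but have a profile defined/ { grab = 1; next }
    /^[0-9]+ processes/                                    { grab = 0 }
    grab && match($0, /\([0-9]+\)$/) { print substr($0, RSTART + 1, RLENGTH - 2) }
  '
}

# Classify the text of /proc/<pid>/attr/current. The kernel reports either
# "unconfined" or "<profile name> (enforce)" / "<profile name> (complain)".
attr_mode() {
  case "$1" in
    unconfined*)   echo unconfined ;;
    *"(enforce)")  echo enforce ;;
    *"(complain)") echo complain ;;
    *)             echo unknown ;;
  esac
}

# Read the live label of a PID; newer kernels expose it under attr/apparmor/current.
pid_mode() {
  f=/proc/$1/attr/apparmor/current
  [ -r "$f" ] || f=/proc/$1/attr/current
  attr_mode "$(cat "$f" 2>/dev/null)"
}

# Usage after `systemctl restart ...`: confirm the new PID is labelled with the profile.
# for p in $(unconfined_with_profile "$(aa-status)"); do echo "$p: $(pid_mode "$p")"; done
```

If pid_mode still prints "unconfined" for a freshly restarted service, compare the path the unit actually executes against the path in the profile header, since the label is attached only when that exact path is exec'd.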