Jamie Strandboge:
> apparmor_parser -r ... actually allows to replace the profile for a running
> process. [...]
Thanks for the explanation!
> The man page is not at all clear on this point and that is a bug in
> the man page.
I've reported it as https://bugs.launchpad.net/apparmor/+bug/1608075
On Sat, 2016-07-30 at 14:28 +0200, intrigeri wrote:
> Hi,
>
> Guido Günther:
> >
> > so how can I find out why the access is still blocked although I added
> > an explicit allow line? I kind of suspect that reloading the profile
> > does not work but have nothing that supports this (reloading wit
Hi,
Guido Günther:
> so how can I find out why the access is still blocked although I added
> an explicit allow line? I kind of suspect that reloading the profile
> does not work but have nothing that supports this (reloading without
> cache, and in verbose mode all look good).
apparmor(7) reads:
Hi,
On Mon, Jun 06, 2016 at 01:21:36AM -0700, John Johansen wrote:
> On 06/05/2016 11:22 PM, Guido Günther wrote:
> > Hi Christian,
> >
> > Thanks a lot for your comments!
> >
> > On Mon, Jun 06, 2016 at 01:14:08AM +0200, Christian Boltz wrote:
> > [..snip..]
> >> You can enable the logging by ad
Control: retitle -1 Better document complain mode and debugging process
Control: severity -1 normal
Hi,
Guido Günther wrote (07 Jun 2016 05:58:56 GMT) :
> On Mon, Jun 06, 2016 at 12:47:08PM +0200, intrigeri wrote:
>> Guido, what do you think we should do about this
>> bug report now? Downgrade to
Hi,
On Mon, Jun 06, 2016 at 12:47:08PM +0200, intrigeri wrote:
> Control: tag -1 + upstream
> Control: tag -1 - moreinfo
>
> Hi,
>
> Guido Günther wrote (06 Jun 2016 06:33:45 GMT) :
> > It's "good enough" for debugging on a test system.
> > Incredibly helpful, thanks!
>
> Thanks upstream folks
Control: tag -1 + upstream
Control: tag -1 - moreinfo
Hi,
Guido Günther wrote (06 Jun 2016 06:33:45 GMT) :
> It's "good enough" for debugging on a test system.
> Incredibly helpful, thanks!
Thanks upstream folks for helping :) I'm also glad that the root cause
of the problem was identified and a
On 06/05/2016 11:22 PM, Guido Günther wrote:
> Hi Christian,
>
> Thanks a lot for your comments!
>
> On Mon, Jun 06, 2016 at 01:14:08AM +0200, Christian Boltz wrote:
> [..snip..]
>> You can enable the logging by adding the audit keyword, but the general
>> rule is not to log anything that is alr
On Sun, Jun 05, 2016 at 06:51:18PM -0700, John Johansen wrote:
[..snip..]
> With that said if you turn of debug mode apparmor will log a few extra
> messages to dmesg (not via the audit subsystem). This will let you see
> when environment scrubbing has been applied.
>
> echo 1 > /sys/module/appa
Hi Christian,
Thanks a lot for your comments!
On Mon, Jun 06, 2016 at 01:14:08AM +0200, Christian Boltz wrote:
[..snip..]
> You can enable the logging by adding the audit keyword, but the general
> rule is not to log anything that is already handled (allowed or denied)
> in the profile.
>
> >
On 06/05/2016 04:14 PM, Christian Boltz wrote:
> Hello,
>
> On Sunday, 5 June 2016, 13:34:19 CEST, Guido Günther wrote:
>> On Sat, Jun 04, 2016 at 06:38:46PM +0200, Christian Boltz wrote:
>>> deny rules are enforced even if you switch the profile to complain
>>> mode, and don't leave any log ev
Hello,
On Sunday, 5 June 2016, 13:34:19 CEST, Guido Günther wrote:
> On Sat, Jun 04, 2016 at 06:38:46PM +0200, Christian Boltz wrote:
> > deny rules are enforced even if you switch the profile to complain
> > mode, and don't leave any log events behind. You might want to
> > change them to "audi
Hi Christian,
On Sat, Jun 04, 2016 at 06:38:46PM +0200, Christian Boltz wrote:
> Hello,
>
> On Saturday, 4 June 2016, 15:04:04 CEST, Guido Günther wrote:
> > Well, there are no DENIED messages - that's the puzzling part and the
> > reason for this bug. The should be a all also contain "audit" an
Hello,
On Saturday, 4 June 2016, 15:04:04 CEST, Guido Günther wrote:
> Well, there are no DENIED messages - that's the puzzling part and the
> reason for this bug. The should be a all also contain "audit" and end
> up in dmesg so my grep expression should have caught them
Does the profile contai
Hi intrigeri,
On Sat, Jun 04, 2016 at 02:56:39PM +0200, intrigeri wrote:
[..snip..]
> >> To confirm this, we need:
> >>
> >> * the kernel / auditd logs from AppArmor, when the profile is in
> >>   complain or enforce mode
>
> [... snipping logs about the parser load/etc. operations ...]
>
> Le
Hi Guido,
Guido Günther wrote (03 Jun 2016 13:29:05 GMT) :
> On Fri, Jun 03, 2016 at 02:51:12PM +0200, intrigeri wrote:
>> I can't tell for sure until I've seen the corresponding logs, but
>> I *guess* that what's happening is: setting the usr.sbin.libvirtd
>> profile to "complain" affects that pr
Hi intrigeri,
On Fri, Jun 03, 2016 at 02:51:12PM +0200, intrigeri wrote:
[..snip..]
> > As to my understanding complain mode shouldn't have any ill effects
> > therefore I'm filing this as important.
>
> I can't tell for sure until I've seen the corresponding logs, but
> I *guess* that what's happ
Control: tag -1 + moreinfo
Hi Guido,
Guido Günther wrote (03 Jun 2016 11:53:39 GMT) :
> I've been trying to debug why libvirt fails to start qemu:///session
> domains. Suspecting apparmor into the mix I did:
> $ aa-complain /usr/sbin/libvirtd
> $ virsh -c qemu:///session start sqs
>
Package: apparmor
Version: 2.10-4
Severity: important
Hi,
I've been trying to debug why libvirt fails to start qemu:///session
domains. Suspecting apparmor into the mix I did:
$ aa-complain /usr/sbin/libvirtd
$ virsh -c qemu:///session start sqs
error: Failed to start domain sqs