On 8/8/18 4:23 PM, Riccardo Magliocchetti wrote:
> On 08/08/2018 16:17, Michael Ströder wrote:
>> Hi!
>>
>> I'm using uwsgi for starting WSGI Python apps.
>>
>> uwsgi itself is started with a systemd unit which also mandates that an AppArmor profile is loaded for that unit.
>>
>> Although I'm using pretty tight AppArmor profiles everything works.
>>
>> Now I'd like to minimize the (false-positive?) messages AppArmor writes to the audit service.
>>
>> For example during start of the systemd unit the following line is written to audit log:
>>
>> type=AVC msg=audit(1533736326.584:30): apparmor="DENIED" operation="exec" profile="web2ldap" name="/bin/bash" pid=1109 comm="uwsgi" requested_mask="x" denied_mask="x" fsuid=29990 ouid=0
>>
>> Now I really wonder why /bin/bash is accessed at all. The login shell of this particular system account for the unit is /usr/sbin/nologin.
>
> You should probably ask the application developers.

I asked my application developer (me) multiple times. ;-) He insists there's no invocation of /bin/bash in the application. Another possibility could be systemd doing "something".

But other services like Apache or OpenLDAP's slapd are also started via systemd like this (but obviously without uwsgi involved) and they don't invoke /bin/bash.

Ciao, Michael.
_______________________________________________ uWSGI mailing list [email protected] http://lists.unbit.it/cgi-bin/mailman/listinfo/uwsgi
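
Added example, not part of the original message or of uWSGI: a small Python parser for AppArmor AVC audit records like the one quoted above, which groups DENIED events by profile, process, operation and path so repeated denials can be reviewed before the profile is changed. The first sample line is the one from the message; the other three, and the function names, are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# key=value pairs; a value is either double-quoted or a bare token
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_STAMP = re.compile(r'audit\((\d+)\.\d+:(\d+)\)')
# The kernel audit code logs these as "untrusted strings": quoted when plain,
# bare hex when the value contains a space, quote or non-printable byte.
_UNTRUSTED = {"name", "comm", "profile"}

def parse_avc(line):
    """Return a dict for one AppArmor audit record, or None for other records."""
    if "apparmor=" not in line:
        return None
    rec = {}
    for key, raw in _FIELD.findall(line):
        if raw.startswith('"'):
            rec[key] = raw[1:-1]
        elif key in _UNTRUSTED and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
            rec[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            rec[key] = raw
    stamp = _STAMP.search(line)
    if stamp:
        rec["time"] = datetime.fromtimestamp(int(stamp.group(1)), timezone.utc)
        rec["serial"] = int(stamp.group(2))
    return rec

def summarize_denials(lines):
    """Count DENIED events per (profile, comm, operation, name, denied_mask)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec.get("apparmor") == "DENIED":
            counts[(rec.get("profile"), rec.get("comm"), rec.get("operation"),
                    rec.get("name"), rec.get("denied_mask"))] += 1
    return counts

SAMPLE = [
    # Line 1 is from the message; lines 2-4 are constructed sample data.
    'type=AVC msg=audit(1533736326.584:30): apparmor="DENIED" operation="exec" profile="web2ldap" name="/bin/bash" pid=1109 comm="uwsgi" requested_mask="x" denied_mask="x" fsuid=29990 ouid=0',
    'type=AVC msg=audit(1533736399.101:41): apparmor="DENIED" operation="exec" profile="web2ldap" name="/bin/bash" pid=1187 comm="uwsgi" requested_mask="x" denied_mask="x" fsuid=29990 ouid=0',
    'type=AVC msg=audit(1533736400.002:42): apparmor="DENIED" operation="open" profile="web2ldap" name=2F6F70742F6D79206170702F72756E2E7368 pid=1187 comm="uwsgi" requested_mask="r" denied_mask="r" fsuid=29990 ouid=0',
    'type=AVC msg=audit(1533736401.003:43): apparmor="ALLOWED" operation="open" profile="web2ldap" name="/etc/hosts" pid=1187 comm="uwsgi" requested_mask="r" denied_mask="r" fsuid=29990 ouid=0',
]

if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE).most_common():
        print(n, *key)
```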
