
List:       apparmor-general
Subject:    [Apparmor-general] Re: genprof with sshd, sd-event-dispatch.pl
From:       jmichael () suse ! de (jesse michael)
Date:       2006-03-24 20:05:21
Message-ID: 20060325030210.GA6271 () suse ! de

On Fri, Mar 24, 2006 at 06:28:12PM -0800, Dominic Reynolds wrote:
> I think that the problem you are seeing may be related to an intended 
> feature of apparmor which disables creating a distinct profile for 
> certain programs (i.e. normally you don't want to create a profile for 
> bash as getting a completed profile for bash that meets all uses is very 
> difficult) so genprof automatically chooses the mode for you (for bash 
> it probably includes ix perms). This feature is controlled by the file 
> /etc/apparmor/logprof.conf - look under the [qualifiers] section.

Actually, the entries in logprof.conf restrict which options are allowed
when choosing an execution qualifier, but it still asks for the execute
to be explicitly allowed.  By default, we allow ix and ux permission when
things call bash, but not px, to try to avoid breaking the system 
accidentally.

A system-wide bash profile can definitely be useful in certain specific 
cases, but it's generally very site-specific and it's fairly easy to
lock yourself out of the system that way, so we tried to set up the 
defaults with that in mind.

> Are you seeing an entry for bash in the resulting profile?
> 
> Can you send the resulting profile that you created? 

If there isn't an existing /bin/bash (or equivalent glob) entry in the 
profile, I'd definitely like to see the profile and the log file containing
the entries it's parsing.

Thanks.
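The three execute qualifiers discussed above, shown side by side in an sshd profile fragment. This is an added illustration, not code from the thread or from the AppArmor project; the profile name /usr/sbin/sshd and the exact rule set are assumed for the example, and only the ix line is left active so the fragment stays a single consistent rule set.

```apparmor
# Added example: how each execute qualifier for /bin/bash behaves when
# sshd spawns a login shell. Profile path and surrounding rules are
# assumed for illustration, not taken from the original post.
/usr/sbin/sshd {
  # ix: bash inherits sshd's profile. Every file/network access the
  # shell (and its children) makes must be allowed in THIS profile,
  # so the confinement holds but the profile grows to cover all shells.
  /bin/bash ix,

  # ux: bash runs unconfined. Nothing sshd does is restricted once the
  # shell starts; this is the least safe but never breaks logins.
  # /bin/bash ux,

  # px: bash must transition to its own /bin/bash profile. If no such
  # profile is loaded, the exec is denied, and every SSH login fails,
  # which is the lockout the post warns about. Only use px once a
  # tested, site-specific /bin/bash profile exists and is loaded.
  # /bin/bash px,
}
```

Before switching a shell from ix or ux to px, confirm the target profile is actually loaded (it must appear in /sys/kernel/security/apparmor/profiles, or in `aa-status` output on systems that ship it) and keep an unconfined root session open until a fresh login has been verified.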
