touch-packages team mailing list archive

Thread
Date

[Bug 974165] Re: logprof/genprof skip logmessages concerning unlink

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Jamie Strandboge <jamie@xxxxxxxxxx>
Date: Wed, 08 Oct 2014 22:57:51 -0000
Reply-to: Bug 974165 <974165@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

The perl tools have been deprecated.

** Changed in: apparmor (Ubuntu)
       Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/974165

Title:
  logprof/genprof skip logmessages concerning unlink

Status in “apparmor” package in Ubuntu:
  Won't Fix

Bug description:
  Applies to: Ubuntu 10.04 with 
  Linux station1 2.6.32-40-generic #87-Ubuntu SMP Tue Mar 6 00:56:56 UTC 2012 x86_64 GNU/Linux
  # apt-cache policy apparmor
  apparmor:
    Installiert: 2.5.1-0ubuntu0.10.04.3
    Kandidat: 2.5.1-0ubuntu0.10.04.3

  
  Logprof/Genprof may be used to generate new apparmor profiles. 
  Logprof/Genprof read /var/log/audit/audit.log or /var/log/syslog and convert AppArmor-logs into AppArmor rules for the profiles.

  Logprof/Genprof ignore some AppArmor messages and the resulting profiles are therefore missing some rules!
  In our tests this happened with messages concerning the unlinking of file sockets and pid-files. This can easily be reproduced by removing the supplied mysqld-profile and recreating it from scratch with genprof /usr/sbin/mysqld.
  The following message in the log files is ignored:
  type=APPARMOR_DENIED msg=audit(1333625359.497:1157):  operation="unlink" pid=3323 parent=1 profile="/usr/sbin/mysqld" requested_mask="d::" denied_mask="d::" fsuid=116 ouid=116 name="/var/run/mysqld/mysqld.sock"

  Running logprof on the audit-log does not add the rule either:
  # logprof /usr/sbin/mysqld 
  Reading log entries from /var/log/audit/audit.log.
  Updating AppArmor profiles in /etc/apparmor.d.

  
  Another example is Rsyslogd. Create a profile from scratch and the unlinking the pid file is not honored:
  type=APPARMOR_DENIED msg=audit(1333626051.867:1283):  operation="unlink" pid=4984 parent=1 profile="/usr/sbin/rsyslogd" requested_mask="::d" denied_mask="::d" fsuid=101 ouid=0 name="/var/run/rsyslogd.pid"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/974165/+subscriptions