Unexpected Application Behavior with AppArmor Reject Messages

This document (7006073) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Desktop 11
SUSE Linux Enterprise Desktop 10
 

Situation

Applications don't behave as expected.
There are AppArmor reject messages present in the log files, similar to:

type=APPARMOR msg=audit(1213658572.840:7): REJECTING r access to /dev/tty10 (syslog-ng(2327) profile /sbin/syslog-ng active /sbin/syslog-ng)

type=AVC msg=audit(1371631135.015:81): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/nscd" name="/etc/libnss_uidpool.conf" pid=10580 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

 

Resolution

AppArmor is a very powerful security feature for SUSE Linux Enterprise products. It can even restrict the root user if required. First, review the AppArmor messages in /var/log/audit/audit.log. Next, determine if the application behavior is directly related to AppArmor.
 
  1. You will need to temporarily disable AppArmor (chkconfig boot.apparmor off)
  2. Reboot the server
  3. Retest your application for the unexpected behavior
  4. Enable AppArmor (chkconfig boot.apparmor on)
  5. Reboot the server

Regardless of whether the behavior is AppArmor related or not, you should run chkbin(8) against the application. Chkbin comes with the supportutils package.

If you notice odd application behavior or any other type of application problem, first check the reject messages in the log files to see whether AppArmor is restricting your application too tightly. To check reject messages, start YaST AppArmor and go to AppArmor Reports. Select View Archive and App Aud for the application audit report. You can filter by date and time to narrow the report down to the periods when the unexpected application behavior occurred. The reject messages also appear in the security-apparmor.txt file produced by supportconfig(8).

If you detect reject messages that indicate that your application or service is too closely restricted by AppArmor, update your profile to properly handle your use case of the application (refer to the Security Guide documentation for AppArmor for more details).

You should also run an RPM verification on the AppArmor profiles package. Supportconfig reports the verification results in security-apparmor.txt, or you can run rpm -V apparmor-profiles to check them yourself. If the profiles are damaged, consider reinstalling the AppArmor profiles RPM package.

When you receive a rejection, examine the access violation and determine if that event indicated a threat or was part of normal application behavior. Application-specific knowledge is required to make the determination. If the rejection represents normal application behavior, running aa-logprof at the command line or the Update Profile Wizard in AppArmor allows you to iterate through all reject messages. By selecting the one that matches the specific reject, you can automatically update your profile.

If the rejection is not part of normal application behavior, this access should be considered a possible intrusion attempt (that was prevented) and this notification should be passed to the person responsible for security within your organization.
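To support that review, the following added example (not part of the SUSE document) parses both reject message formats shown in the Situation section and counts denials per profile, path and access mask, so each distinct rejection can be judged as normal behavior or a possible intrusion attempt. The function names are hypothetical; the first two sample lines are the ones quoted above, and the last two are constructed for illustration.

```python
import re
from collections import Counter

# Older format: "REJECTING r access to /path (comm(pid) profile /p active /p)"
OLD_RE = re.compile(
    r'type=APPARMOR msg=audit\((?P<ts>[\d.]+):\d+\): REJECTING (?P<mask>\S+) access to '
    r'(?P<name>\S+) \((?P<comm>[^()]+)\((?P<pid>\d+)\) profile (?P<profile>\S+) active')
# Newer format: key=value pairs, values optionally double-quoted
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_reject(line):
    """Return a dict for an AppArmor reject line, or None for anything else."""
    m = OLD_RE.search(line)
    if m:
        return m.groupdict()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    ts = re.search(r'audit\(([\d.]+):', line)
    return {"ts": ts.group(1) if ts else None,
            "mask": fields.get("denied_mask"),
            "name": fields.get("name"),
            "comm": fields.get("comm"),
            "pid": fields.get("pid"),
            "profile": fields.get("profile")}

def summarize(lines):
    """Count denials per (profile, path, mask) so repeated rejects stand out."""
    counts = Counter()
    for line in lines:
        rec = parse_reject(line)
        if rec:
            counts[(rec["profile"], rec["name"], rec["mask"])] += 1
    return counts

# Lines 1-2 are quoted from this document; lines 3-4 are constructed sample data.
SAMPLE = [
    'type=APPARMOR msg=audit(1213658572.840:7): REJECTING r access to /dev/tty10 (syslog-ng(2327) profile /sbin/syslog-ng active /sbin/syslog-ng)',
    'type=AVC msg=audit(1371631135.015:81): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/nscd" name="/etc/libnss_uidpool.conf" pid=10580 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'type=AVC msg=audit(1371631140.120:82): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/nscd" name="/etc/libnss_uidpool.conf" pid=10580 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'type=USER_LOGIN msg=audit(1371631200.000:90): pid=4321 uid=0 res=success',
]

if __name__ == "__main__":
    for (profile, name, mask), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {profile}  {mask}  {name}")
```

To use it on a live system, pass the lines of /var/log/audit/audit.log to summarize() instead of SAMPLE.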

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7006073
  • Creation Date: 21-May-2010
  • Modified Date: 05-Mar-2021
    • SUSE Linux Enterprise Desktop
    • SUSE Linux Enterprise Server

