Unexpected Application Behavior with AppArmor Reject Messages
This document (7006073) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Desktop 11
SUSE Linux Enterprise Desktop 10
Situation
There are AppArmor reject messages present in the log files, similar to:
type=APPARMOR msg=audit(1213658572.840:7): REJECTING r access to /dev/tty10 (syslog-ng(2327) profile /sbin/syslog-ng active /sbin/syslog-ng)
type=AVC msg=audit(1371631135.015:81): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/nscd" name="/etc/libnss_uidpool.conf" pid=10580 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Resolution
- You will need to temporarily disable AppArmor (chkconfig boot.apparmor off)
- Reboot the server
- Retest your application for the unexpected behavior
- Enable AppArmor (chkconfig boot.apparmor on)
- Reboot the server
Regardless of whether the behavior is AppArmor related or not, you should run chkbin(8) against the application. Chkbin comes with the supportutils package.
If you notice odd application behavior or any other type of application problem, first check the reject messages in the log files to see whether AppArmor is restricting your application too tightly. To check reject messages, start YaST AppArmor and go to AppArmor Reports. Select View Archive and App Aud for the application audit report. You can filter by date and time to narrow the report down to the periods when the unexpected application behavior occurred. The reject messages are also recorded in the security-apparmor.txt file produced by supportconfig(8).
If you detect reject messages that indicate that your application or service is too closely restricted by AppArmor, update your profile to properly handle your use case of the application (refer to the Security Guide documentation for AppArmor for more details).
You should also run an RPM verification on the AppArmor profiles package. Supportconfig reports the verification results in security-apparmor.txt, or you can run rpm -V apparmor-profiles to check them yourself. If the profiles are damaged, consider reinstalling the AppArmor profiles RPM package.
When you receive a rejection, examine the access violation and determine if that event indicated a threat or was part of normal application behavior. Application-specific knowledge is required to make the determination. If the rejection represents normal application behavior, running aa-logprof at the command line or the Update Profile Wizard in AppArmor allows you to iterate through all reject messages. By selecting the one that matches the specific reject, you can automatically update your profile.
If the rejection is not part of normal application behavior, this access should be considered a possible intrusion attempt (that was prevented) and this notification should be passed to the person responsible for security within your organization.
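The triage described above can be supported by a small script. This is an added example, not part of the SUSE article or of any SUSE tool: a Python parser for the two reject-message formats shown under Situation that counts rejects per profile, path and access mask, so that each distinct rejection can be judged once. The function names and the sample lines marked as constructed are assumptions.

```python
import re
from collections import Counter

# SLE 10 style: "REJECTING r access to /path (comm(pid) profile P active P)"
OLD_RE = re.compile(
    r'type=APPARMOR msg=audit\((?P<ts>[\d.]+):\d+\): REJECTING (?P<mask>\S+) '
    r'access to (?P<name>\S+) \((?P<comm>[^()\s]+)\((?P<pid>\d+)\) '
    r'profile (?P<profile>\S+) active \S+\)')
# Newer style: key=value pairs, values optionally double-quoted
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
TS_RE = re.compile(r'msg=audit\(([\d.]+):\d+\)')

def parse_reject(line):
    """Return a dict for one AppArmor reject message, or None for any other line."""
    m = OLD_RE.search(line)
    if m:
        return m.groupdict()
    if 'apparmor="DENIED"' not in line:
        return None  # not AppArmor, or a complain-mode "ALLOWED" event
    kv = {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}
    ts = TS_RE.search(line)
    return {'ts': ts.group(1) if ts else None,
            'mask': kv.get('denied_mask'), 'name': kv.get('name'),
            'comm': kv.get('comm'), 'pid': kv.get('pid'),
            'profile': kv.get('profile')}

def summarize(lines):
    """Count rejects per (profile, path, mask), most frequent first."""
    counts = Counter()
    for line in lines:
        r = parse_reject(line)
        if r:
            counts[(r['profile'], r['name'], r['mask'])] += 1
    return counts.most_common()

NSCD = ('apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/nscd" '
        'name="/etc/libnss_uidpool.conf" pid=%d comm="nscd" requested_mask="r" '
        'denied_mask="r" fsuid=0 ouid=0')
SAMPLE = [
    # The first two lines are the messages quoted in this article.
    'type=APPARMOR msg=audit(1213658572.840:7): REJECTING r access to /dev/tty10 '
    '(syslog-ng(2327) profile /sbin/syslog-ng active /sbin/syslog-ng)',
    'type=AVC msg=audit(1371631135.015:81): ' + NSCD % 10580,
    # Constructed lines: a repeat of the nscd reject and a complain-mode event.
    'type=AVC msg=audit(1371631195.020:95): ' + NSCD % 10611,
    'type=AVC msg=audit(1371631200.000:96): ' + NSCD.replace('DENIED', 'ALLOWED') % 10612,
]
if __name__ == '__main__':
    for (profile, name, mask), n in summarize(SAMPLE):
        print(f'{n:3d}  {profile}  {mask}  {name}')
```

Each row of the summary is one decision to make: either the access is normal application behavior and belongs in the profile, or it should be reported as described above.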
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 7006073
- Creation Date: 21-May-2010
- Modified Date: 05-Mar-2021
- SUSE Linux Enterprise Desktop
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com