Unexpected Application Behavior with AppArmor Reject Messages

SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Desktop 11
SUSE Linux Enterprise Desktop 10
 

Applications don't behave as expected.
There are AppArmor reject messages present in the log files, similar to:

type=APPARMOR msg=audit(1213658572.840:7): REJECTING r access to /dev/tty10 (syslog-ng(2327) profile /sbin/syslog-ng active /sbin/syslog-ng)

type=AVC msg=audit(1371631135.015:81): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/nscd" name="/etc/libnss_uidpool.conf" pid=10580 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
 

AppArmor is a very powerful security feature for SUSE Linux Enterprise products. It can even restrict the root user if required. First, review the AppArmor messages in /var/log/audit/audit.log. Next, determine if the application behavior is directly related to AppArmor.
 

1. You will need to temporarily disable AppArmor (chkconfig boot.apparmor off)
2. Reboot the server
3. Retest your application for the unexpected behavior
4. Enable AppArmor (chkconfig boot.apparmor on)
5. Reboot the server

Regardless of whether the behavior is AppArmor related or not, you should run chkbin(8) against the application. Chkbin comes with the supportutils package.

If you notice odd application behavior or any other type of application problem, you should first check the reject messages in the log files to see if AppArmor is too closely constricting your application. To check reject messages, start YaST AppArmor and go to AppArmor Reports. Select View Archive and App Aud for the application audit report. You can filter dates and times to narrow down the specific periods when the unexpected application behavior occurred. You can also see the reject messages in the supportconfig(8)'s security-apparmor.txt file.

If you detect reject messages that indicate that your application or service is too closely restricted by AppArmor, update your profile to properly handle your use case of the application (refer to the Security Guide documentation for AppArmor for more details).

You should also run an RPM verification on the AppArmor profiles package. Supportconfig reports the verification results in security-apparmor.txt or you can run rpm -V apparmor-profiles to check yourself. If the profiles are damaged, consider reinstalling the AppArmor profiles RPM package.

When you receive a rejection, examine the access violation and determine if that event indicated a threat or was part of normal application behavior. Application-specific knowledge is required to make the determination. If the rejection represents normal application behavior, running aa-logprof at the command line or the Update Profile Wizard in AppArmor allows you to iterate through all reject messages. By selecting the one that matches the specific reject, you can automatically update your profile.

If the rejection is not part of normal application behavior, this access should be considered a possible intrusion attempt (that was prevented) and this notification should be passed to the person responsible for security within your organization.