Thread: AppArmor - logfile messages - help understanding please

  1. #1

    AppArmor - logfile messages - help understanding please

    Hi,
    trying to understand just what the log messages from AppArmor are saying. I have Firefox in complain mode and I get these:
    kernel: [ 1880.786478] type=1400 audit(1401791953.689:5908): apparmor="ALLOWED" operation="exec" parent=20103 profile="/usr/lib64/firefox{,-[0-9]*}/firefox{,*[^s][^h]}" name="/usr/lib64/firefox/plugin-container" pid=22076 comm="Gecko_IOThread" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/lib64/firefox{,-[0-9]*}/firefox{,*[^s][^h]}//null-7"

    kernel: [ 1880.813477] type=1400 audit(1401791953.716:5909): apparmor="ALLOWED" operation="open" parent=20103 profile="/usr/lib64/firefox{,-[0-9]*}/firefox{,*[^s][^h]}//null-7" name="/usr/lib64/firefox/libxul.so" pid=22076 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

    kernel: [ 1880.813527] type=1400 audit(1401791953.716:5910): apparmor="ALLOWED" operation="getattr" parent=20103 profile="/usr/lib64/firefox{,-[0-9]*}/firefox{,*[^s][^h]}//null-7" name="/usr/lib64/firefox/libxul.so" pid=22076 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

    kernel: [ 1880.813554] type=1400 audit(1401791953.716:5911): apparmor="ALLOWED" operation="file_mmap" parent=20103 profile="/usr/lib64/firefox{,-[0-9]*}/firefox{,*[^s][^h]}//null-7" name="/usr/lib64/firefox/libxul.so" pid=22076 comm="plugin-containe" requested_mask="mr" denied_mask="mr" fsuid=1000 ouid=0

    kernel: [ 1880.813713] type=1400 audit(1401791953.716:5912): apparmor="ALLOWED" operation="open" parent=20103 profile="/usr/lib64/firefox{,-[0-9]*}/firefox{,*[^s][^h]}//null-7" name="/etc/ld.so.cache" pid=22076 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

    kernel: [ 1880.813733] type=1400 audit(1401791953.716:5913): apparmor="ALLOWED" operation="getattr" parent=20103 profile="/usr/lib64/firefox{,-[0-9]*}/firefox{,*[^s][^h]}//null-7" name="/etc/ld.so.cache" pid=22076 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

    kernel: [ 1880.813831] type=1400 audit(1401791953.716:5914): apparmor="ALLOWED" operation="open" parent=20103 profile="/usr/lib64/firefox{,-[0-9]*}/firefox{,*[^s][^h]}//null-7" name="/usr/lib64/libstdc++.so.6.0.18" pid=22076 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

    kernel: [ 1880.813857] type=1400 audit(1401791953.716:5915): apparmor="ALLOWED" operation="getattr" parent=20103 profile="/usr/lib64/firefox{,-[0-9]*}/firefox{,*[^s][^h]}//null-7" name="/usr/lib64/libstdc++.so.6.0.18" pid=22076 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

    kernel: [ 1880.813889] type=1400 audit(1401791953.716:5916): apparmor="ALLOWED" operation="file_mmap" parent=20103 profile="/usr/lib64/firefox{,-[0-9]*}/firefox{,*[^s][^h]}//null-7" name="/usr/lib64/libstdc++.so.6.0.18" pid=22076 comm="plugin-containe" requested_mask="mr" denied_mask="mr" fsuid=1000 ouid=0
    I take it that the "parent=20103" is the ID of the Firefox application, and the "name=xxxxxxx" is the thing that is causing the message event (and that this is what might need to be added to the profile), but what are:


    1. "pid=" which is a process ID, but of what?
    2. "comm=" which I guess is short for "command" but what is doing this command, or is it short for "communication"?
    3. "fsuid=" which is a user ID for the filesystem, but of what?
    4. "ouid=" ?


    thanks in advance
    nerderello
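
Added example, not part of the original post and not AppArmor's own tooling: a small Python parser for the records quoted above that splits each one into its fields and collects, per profile and path, the permissions that were logged. The function names `parse_event` and `summarize` are made up for this example, and the field meanings in the comments are general kernel/AppArmor behaviour, not something stated in the thread.

```python
import re
from collections import defaultdict

# Three records copied from the first post of this thread (Firefox, complain mode).
SAMPLE = r'''kernel: [ 1880.786478] type=1400 audit(1401791953.689:5908): apparmor="ALLOWED" operation="exec" parent=20103 profile="/usr/lib64/firefox{,-[0-9]*}/firefox{,*[^s][^h]}" name="/usr/lib64/firefox/plugin-container" pid=22076 comm="Gecko_IOThread" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/lib64/firefox{,-[0-9]*}/firefox{,*[^s][^h]}//null-7"
kernel: [ 1880.813477] type=1400 audit(1401791953.716:5909): apparmor="ALLOWED" operation="open" parent=20103 profile="/usr/lib64/firefox{,-[0-9]*}/firefox{,*[^s][^h]}//null-7" name="/usr/lib64/firefox/libxul.so" pid=22076 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: [ 1880.813554] type=1400 audit(1401791953.716:5911): apparmor="ALLOWED" operation="file_mmap" parent=20103 profile="/usr/lib64/firefox{,-[0-9]*}/firefox{,*[^s][^h]}//null-7" name="/usr/lib64/firefox/libxul.so" pid=22076 comm="plugin-containe" requested_mask="mr" denied_mask="mr" fsuid=1000 ouid=0'''

# Field meanings (general AppArmor/audit behaviour, not taken from the thread):
#   parent  PID of the parent of the task that triggered the event
#   pid     PID of the task that performed the operation
#   comm    that task's kernel "comm" name, at most 15 characters,
#           which is why plugin-container is logged as "plugin-containe"
#   fsuid   filesystem UID the task was using for the access
#   ouid    UID that owns the object given in name=
#   target  profile the exec'd program runs under (here a //null-N
#           learning profile created because the parent is in complain mode)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=bare or key="quoted"
AUDIT_RE = re.compile(r'audit\((\d+)\.\d+:(\d+)\)')

def parse_event(line):
    """Return one AppArmor audit record as a dict, or None for other lines."""
    if 'apparmor=' not in line:
        return None
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    stamp = AUDIT_RE.search(line)
    if stamp:  # audit(<epoch seconds>.<ms>:<serial>)
        fields['epoch'], fields['serial'] = int(stamp.group(1)), int(stamp.group(2))
    return fields

def summarize(lines):
    """Map (profile, path) -> permission letters logged in denied_mask."""
    wanted = defaultdict(set)
    for line in lines:
        event = parse_event(line)
        if event and 'name' in event:
            wanted[(event['profile'], event['name'])].update(event.get('denied_mask', ''))
    return {key: ''.join(sorted(perms)) for key, perms in wanted.items()}

if __name__ == '__main__':
    for (profile, path), perms in summarize(SAMPLE.splitlines()).items():
        print(f'{profile}\n    {path} {perms}')
```
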

  2. #2
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Re: AppArmor - logfile messages - help understanding please

    On 2014-10-08 19:46, nerderello wrote:
    >
    > Hi,
    > trying to understand just what the log messages from AppArmor are
    > saying.


    man apparmor --> http://wiki.apparmor.net -->

    --> Documentation about the AppArmor security project -->
    http://wiki.apparmor.net/index.php/Documentation

    --> AppArmor on Suse
    http://activedoc.opensuse.org/book/o...security-guide



    > I have Firefox in complain mode and I get these:


    >> kernel: [ 1880.786478] type=1400 audit(1401791953.689:5908):
    >> apparmor="ALLOWED" operation="exec" parent=20103
    >> profile="/usr/lib64/firefox{,-[0-9]*}/firefox{,*[^s][^h]}"
    >> name="/usr/lib64/firefox/plugin-container" pid=22076
    >> comm="Gecko_IOThread" requested_mask="x" denied_mask="x" fsuid=1000
    >> ouid=0 target="/usr/lib64/firefox{,-[0-9]*}/firefox{,*[^s][^h]}//null-7"



    A comment: When pasting here computer commands and such, please use a
    CODE BLOCK, so that the forum software doesn't do silly things like
    converting URLs to tiny urls or otherwise hide or alter the commands you
    entered. You get them by clicking on the '#' button in the forum editor.


    --
    Cheers / Saludos,

    Carlos E. R.
    (from 13.1 x86_64 "Bottle" at Telcontar)

  3. #3

    Re: AppArmor - logfile messages - help understanding please

    Robin, thanks for the reply. I've taken note of the forum editing point (will use # button in the future).

    Thanks for the links, but I'd already been to all of them, plus a whole load that are really only for Ubuntu users. Sadly none of them really explain what is what in the log messages. The closest I got was for Ubuntu and they look similar but different from the opensuse ones (I'm an Ubuntu refugee and had just about gotten on top of AppArmor in Ubuntu, but have noticed some differences and was trying to get some leads on these).

    thanks again

    Nerderello

  4. #4
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Re: AppArmor - logfile messages - help understanding please

    On 2014-10-11 19:06, nerderello wrote:
    >
    > Robin, thanks for the reply. I've taken note of the forum editing point
    > (will use # button in the future).
    >
    > Thanks for the links, but I'd already been to all of them, plus a whole
    > load that are really only for Ubuntu users.


    At least one is the openSUSE manual.

    > Sadly none of them really
    > explain what is what in the log messages. The closest I got was for
    > Ubuntu and they look similar but different from the opensuse ones (I'm
    > an Ubuntu refugee and had just about gotten on top of AppArmor in
    > Ubuntu, but have noticed some differences and was trying to get some
    > leads on these).


    Mmm... what is your goal? I mean, if you intend to adjust a profile,
    there are easier ways. Like using aa-logprof.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 13.1 x86_64 "Bottle" at Telcontar)

  5. #5
    Join Date
    Nov 2013
    Location
    Canadiana
    Posts
    461

    Re: AppArmor - logfile messages - help understanding please

    On 10/11/2014 01:06 PM, nerderello wrote:
    >
    > Robin, thanks for the reply. I've taken note of the forum editing point
    > (will use # button in the future).
    >
    > Thanks for the links, but I'd already been to all of them, plus a whole
    > load that are really only for Ubuntu users. Sadly none of them really
    > explain what is what in the log messages. The closest I got was for
    > Ubuntu and they look similar but different from the opensuse ones (I'm
    > an Ubuntu refugee and had just about gotten on top of AppArmor in
    > Ubuntu, but have noticed some differences and was trying to get some
    > leads on these).
    >
    > thanks again
    >
    > Nerderello
    >
    >


    You can ask aa related questions in the IRC channel (server:
    irc.oftc.net, channel: #apparmor)

    --
    openSUSE Factory 64 bit
    KDE 4.14.0
