change_hat kernel messages

Greetings,

on a SuSE-11.3 (xen domU) I repeatedly notice the following messages:


Dec 17 19:30:01 MTW kernel: [22484.319192] type=1503 audit(1292610601.862:84): operation="change_hat" info="unconfined" error=-1 pid=22001
Dec 17 19:30:01 MTW kernel: [22484.319222] type=1503 audit(1292610601.862:85): operation="change_hat" info="unconfined" error=-1 pid=22001
Dec 17 19:45:01 MTW kernel: [23384.365597] type=1503 audit(1292611501.910:86): operation="change_hat" info="unconfined" error=-1 pid=22702
Dec 17 19:45:01 MTW kernel: [23384.365627] type=1503 audit(1292611501.910:87): operation="change_hat" info="unconfined" error=-1 pid=22702

Apparently runs hourly, but could not find out what process.
Does anybody have a clue what this means?

Tnx for reading and hints.
Wolfl
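
An added example, not part of the original posts: a small Python parser for the type=1503 lines quoted above. It groups the change_hat events by PID, decodes the negated errno, and reports the spacing between bursts; the function names are this example's own, and the sample input is the four lines from the post.

```python
import errno
import re
from collections import Counter

# Sample input: the four kernel lines from the post above, straight quotes restored.
SAMPLE = """\
Dec 17 19:30:01 MTW kernel: [22484.319192] type=1503 audit(1292610601.862:84): operation="change_hat" info="unconfined" error=-1 pid=22001
Dec 17 19:30:01 MTW kernel: [22484.319222] type=1503 audit(1292610601.862:85): operation="change_hat" info="unconfined" error=-1 pid=22001
Dec 17 19:45:01 MTW kernel: [23384.365597] type=1503 audit(1292611501.910:86): operation="change_hat" info="unconfined" error=-1 pid=22702
Dec 17 19:45:01 MTW kernel: [23384.365627] type=1503 audit(1292611501.910:87): operation="change_hat" info="unconfined" error=-1 pid=22702
"""

# audit(<epoch seconds>.<ms>:<serial>): followed by key=value pairs.
AUDIT_RE = re.compile(r'type=(\d+) audit\((\d+\.\d+):(\d+)\):\s*(.*)')
# Values are bare or quoted; typographic quotes are accepted because
# forum software often rewrites the straight ones.
FIELD_RE = re.compile(r'(\w+)=(?:["“”]([^"“”]*)["“”]|(\S+))')


def parse_line(line):
    """Return one audit record as a dict, or None for non-audit lines."""
    m = AUDIT_RE.search(line)
    if m is None:
        return None
    rec = {"type": int(m.group(1)), "ts": float(m.group(2)), "serial": int(m.group(3))}
    for key, quoted, bare in FIELD_RE.findall(m.group(4)):
        rec[key] = bare or quoted
    # The kernel logs a negated errno; map it back to its symbolic name.
    code = int(rec.get("error", "0"))
    rec["errno"] = errno.errorcode.get(-code) if code < 0 else None
    rec["pid"] = int(rec["pid"]) if "pid" in rec else None
    return rec


def summarize(text):
    """Count change_hat events per PID and the seconds between bursts."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    hats = [r for r in recs if r.get("operation") == "change_hat"]
    per_pid = Counter(r["pid"] for r in hats)
    stamps = sorted({r["ts"] for r in hats})
    gaps = [round(b - a) for a, b in zip(stamps, stamps[1:])]
    return {"per_pid": dict(per_pid), "gaps_s": gaps,
            "errnos": sorted({r["errno"] for r in hats if r["errno"]})}


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the four lines from the post this reports two events per PID, errno EPERM, and a 900-second gap between the two bursts, which can then be compared against whatever is scheduled on the host.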

Have you turned on AppArmor by chance? I found this interesting link.

2:change hat - Linux Man Pages Manual Documentation for Linux / Solaris / UNIX / BSD

Thank You,

Tnx, removed apparmor

On 2010-12-19 14:06, WolfGrossi wrote:
>
> Tnx, removed apparmor

That’s an important security component of linux…


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

On Sun, 19 Dec 2010 20:20:06 +0530, Carlos E. R.
<robin_listas@no-mx.forums.opensuse.org> wrote:

> On 2010-12-19 14:06, WolfGrossi wrote:
>>
>> Tnx, removed apparmor
>
> That’s an important security component of linux…
>

how long has apparmor been around actually? i’ve tried it once, got into a
lot of problems configuring profiles, and gave it up again. IMO, for not
particularly sensitive installations, a firewall is secure enough. (must
say that i don’t own a credit card, not even a bank account, so breaking
into my machine wouldn’t be very rewarding for the hacker, or threatening
for me.)

the other danger i’m aware of, that my machine might become part of a
bot-net, also doesn’t scare me very much, since i’m pretty aware of any
network activity going on: i have so little bandwidth that i have to guard
it carefully in order to keep the connection functional.

does everybody else here run apparmor or SElinux? those few times i’ve
seen it mentioned in forums or mailing lists, people were switching it off
because it was causing problems.


phani.

I started a thread on apparmor http://forums.opensuse.org/english/get-help-here/applications/450422-apparmor-basics.html
Apparently there are people using it for average desktop. I have also enabled it myself however I still didn’t get to creating any profiles and I’m just using the default ones. Hopefully I will have some time to study it a bit further in the near future.

Best regards,
Greg

On 2010-12-19 16:11, phanisvara wrote:
> On Sun, 19 Dec 2010 20:20:06 +0530, Carlos E. R. <> wrote:

> how long has apparmor been around actually?

not many years.

> i’ve tried it once, got into
> a lot of problems configuring profiles, and gave it up again. IMO, for
> not particularly sensitive installations, a firewall is secure enough.
> (must say that i don’t own a credit card, not even a bank account, so
> breaking into my machine wouldn’t be very rewarding for the hacker, or
> threatening for me.)

You don’t normally need to configure profiles; those we normally need
come already made.

> does everybody else here run apparmor or SElinux?

Selinux is a different matter, you are on your own preparing it.

> those few times i’ve
> seen it mentioned in forums or mailing lists, people were switching it
> off because it was causing problems.

It doesn’t cause any problem at all to me.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

On 2010-12-19 20:36, glistwan wrote:
> I started a thread on apparmor
> http://forums.opensuse.org/english/get-help-here/applications/450422-apparmor-basics.html
> (http://tinyurl.com/3xm6sjp)

The second link does not work. It goes to
http://forums-opensuse.provo.novell.com/english/get-help-here/applications/
which times out after some minutes, doesn’t work.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)