fuss:apparmor [2021/11/24 11:45] office
====== Sending Messages to File ======

Add an ''rsyslog'' configuration file at ''/etc/rsyslog.d/apparmor.conf'' containing the following:
<code>
# Log kernel generated apparmor log messages to file
:msg,contains,"apparmor" /var/log/apparmor.log

# Uncomment the following to stop logging anything that matches the last rule.
# Doing this will stop logging kernel generated apparmor log messages to the file
# normally containing kern.* messages (eg, /var/log/kern.log)
& ~
</code>

and then restart ''rsyslog''. The configuration copies every message whose text contains ''apparmor'' to ''/var/log/apparmor.log''; with the ''& ~'' line left commented out, those messages still reach their usual destinations (such as ''/var/log/kern.log'') as well.

Next, create a file at ''/etc/logrotate.d/apparmor'' with the following contents:
<code>
/var/log/apparmor.log {
    rotate 4
    weekly
    compress
    missingok
}

</code>

in order to make sure that ''/var/log/apparmor.log'' does not get too large and gets rotated weekly.

====== Setting Application to Warn Only ======

When running apparmor on a Linux distribution whose packages do not ship a proper apparmor profile, some binaries fail to launch or otherwise generate errors. This can be observed in the kernel log. For instance, the following message appears when the i2p daemon is started:
<code>
[ 2740.263615] audit: type=1400 audit(1637724187.039:18): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="system_i2p" pid=9637 comm="(wrapper)"
</code>
and roughly means that a ''change_onexec'' operation, the switch to the apparmor profile ''system_i2p'' associated with the application when it was started, was denied because that profile label was not found.

Fixing the apparmor profile itself is not a good solution, since package updates may overwrite it; a temporary fix is instead to set the application to warn only while still letting it run. On Debian, for instance, this can be done by installing the ''apparmor-utils'' package:
<code bash>
apt-get install apparmor-utils
</code>

and then setting the offending application to warn only:
<code bash>
aa-complain system_i2p
</code>
where:
  * ''system_i2p'' is the application that was previously denied access (as per the kernel log line, the value of the ''name='' field).
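To tell which profile to hand to ''aa-complain'' when a busy kernel log carries several denials, the following added example (not part of this wiki page; assumes Python 3 and uses constructed sample lines, the first being the denial quoted above) parses the ''audit: type=1400'' lines and tallies ''DENIED'' events per profile, name and operation:

```python
import re
from collections import Counter

# Constructed sample log (not from a real host): line 1 is the denial quoted
# on this page, line 2 is a made-up file-access denial, line 3 is a non-denial.
SAMPLE_LOG = """\
[ 2740.263615] audit: type=1400 audit(1637724187.039:18): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="system_i2p" pid=9637 comm="(wrapper)"
[ 2741.001000] audit: type=1400 audit(1637724188.000:19): apparmor="DENIED" operation="open" profile="system_i2p" name="/home/i2p/.i2p/router.config" pid=9640 comm="java" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2742.000000] audit: type=1400 audit(1637724189.000:20): apparmor="STATUS" operation="profile_load" profile="unconfined" name="system_i2p" pid=9700 comm="apparmor_parser"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_apparmor_line(line):
    """Return the fields of one kernel audit line as a dict, or None when the
    line is not an AppArmor (type=1400) event. Quoted values are unquoted."""
    if "type=1400" not in line or 'apparmor="' not in line:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def summarize_denials(log_text):
    """Count DENIED events per (profile, name, operation) so the offending
    profile can be identified before it is switched to complain mode."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_apparmor_line(line)
        if event and event.get("apparmor") == "DENIED":
            counts[(event.get("profile"), event.get("name"),
                    event.get("operation"))] += 1
    return counts


def complain_candidates(log_text):
    """Profile names to pass to aa-complain. For a change_onexec denial the
    profile that could not be found is in name=, otherwise it is profile=."""
    names = set()
    for profile, name, operation in summarize_denials(log_text):
        if operation == "change_onexec":
            names.add(name)
        elif profile not in (None, "unconfined"):
            names.add(profile)
    return sorted(names)
```

Running ''summarize_denials()'' over the contents of ''/var/log/apparmor.log'' shows which profiles are being denied and how often, so that only the noisy one is switched to complain mode.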
fuss/apparmor.txt · Last modified: 2022/04/19 08:28 by 127.0.0.1