Hi,
trying to understand just what the log messages from AppArmor are saying. I have Firefox in complain mode and I get these:
kernel: [ 1880.786478] type=1400 audit(1401791953.689:5908): apparmor="ALLOWED" operation="exec" parent=20103 profile="/usr/lib64/firefox{,-[0-9]*}/firefox{,*[^s][^h]}" name="/usr/lib64/firefox/plugin-container" pid=22076 comm="Gecko_IOThread" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/lib64/firefox{,-[0-9]*}/firefox{,*[^s][^h]}//null-7"
kernel: [ 1880.813477] type=1400 audit(1401791953.716:5909): apparmor="ALLOWED" operation="open" parent=20103 profile="/usr/lib64/firefox{,-[0-9]*}/firefox{,*[^s][^h]}//null-7" name="/usr/lib64/firefox/libxul.so" pid=22076 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: [ 1880.813527] type=1400 audit(1401791953.716:5910): apparmor="ALLOWED" operation="getattr" parent=20103 profile="/usr/lib64/firefox{,-[0-9]*}/firefox{,*[^s][^h]}//null-7" name="/usr/lib64/firefox/libxul.so" pid=22076 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: [ 1880.813554] type=1400 audit(1401791953.716:5911): apparmor="ALLOWED" operation="file_mmap" parent=20103 profile="/usr/lib64/firefox{,-[0-9]*}/firefox{,*[^s][^h]}//null-7" name="/usr/lib64/firefox/libxul.so" pid=22076 comm="plugin-containe" requested_mask="mr" denied_mask="mr" fsuid=1000 ouid=0
kernel: [ 1880.813713] type=1400 audit(1401791953.716:5912): apparmor="ALLOWED" operation="open" parent=20103 profile="/usr/lib64/firefox{,-[0-9]*}/firefox{,*[^s][^h]}//null-7" name="/etc/ld.so.cache" pid=22076 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: [ 1880.813733] type=1400 audit(1401791953.716:5913): apparmor="ALLOWED" operation="getattr" parent=20103 profile="/usr/lib64/firefox{,-[0-9]*}/firefox{,*[^s][^h]}//null-7" name="/etc/ld.so.cache" pid=22076 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: [ 1880.813831] type=1400 audit(1401791953.716:5914): apparmor="ALLOWED" operation="open" parent=20103 profile="/usr/lib64/firefox{,-[0-9]*}/firefox{,*[^s][^h]}//null-7" name="/usr/lib64/libstdc++.so.6.0.18" pid=22076 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: [ 1880.813857] type=1400 audit(1401791953.716:5915): apparmor="ALLOWED" operation="getattr" parent=20103 profile="/usr/lib64/firefox{,-[0-9]*}/firefox{,*[^s][^h]}//null-7" name="/usr/lib64/libstdc++.so.6.0.18" pid=22076 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: [ 1880.813889] type=1400 audit(1401791953.716:5916): apparmor="ALLOWED" operation="file_mmap" parent=20103 profile="/usr/lib64/firefox{,-[0-9]*}/firefox{,*[^s][^h]}//null-7" name="/usr/lib64/libstdc++.so.6.0.18" pid=22076 comm="plugin-containe" requested_mask="mr" denied_mask="mr" fsuid=1000 ouid=0
I take it that the "parent=20103" is the ID of the Firefox application, and the "name=xxxxxxx" is the thing that is causing the message event (and that this is what might need to be added to the profile), but what are:
- "pid=" which is a process ID, but of what?
- "comm=" which I guess is short for "command" but what is doing this command, or is it short for "communication"?
- "fsuid=" which is a user ID for the filesystem, but of what?
- "ouid=" ?
thanks in advance
nerderello
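
An added example, not part of the original post: a small Python parser for the audit records quoted above. It splits each record into its key=value fields and lists, per profile, the paths and denied_mask permissions logged in complain mode. The function names are illustrative, and the sample input is three of the records from the post.

```python
import re
from collections import defaultdict

# Sample input: three records copied from the log excerpt in the post above.
SAMPLE = [
    'kernel: [ 1880.786478] type=1400 audit(1401791953.689:5908): apparmor="ALLOWED" operation="exec" parent=20103 profile="/usr/lib64/firefox{,-[0-9]*}/firefox{,*[^s][^h]}" name="/usr/lib64/firefox/plugin-container" pid=22076 comm="Gecko_IOThread" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/lib64/firefox{,-[0-9]*}/firefox{,*[^s][^h]}//null-7"',
    'kernel: [ 1880.813477] type=1400 audit(1401791953.716:5909): apparmor="ALLOWED" operation="open" parent=20103 profile="/usr/lib64/firefox{,-[0-9]*}/firefox{,*[^s][^h]}//null-7" name="/usr/lib64/firefox/libxul.so" pid=22076 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'kernel: [ 1880.813554] type=1400 audit(1401791953.716:5911): apparmor="ALLOWED" operation="file_mmap" parent=20103 profile="/usr/lib64/firefox{,-[0-9]*}/firefox{,*[^s][^h]}//null-7" name="/usr/lib64/firefox/libxul.so" pid=22076 comm="plugin-containe" requested_mask="mr" denied_mask="mr" fsuid=1000 ouid=0',
]

# A record is a run of key=value pairs; a value is double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return the key=value fields of one AppArmor audit record as a dict.

    pid and comm identify the task that made the request (comm is the
    kernel's task name, truncated to 15 characters); fsuid is that task's
    filesystem UID and ouid is the UID that owns the object in name=.
    """
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        fields[key] = quoted if bare == "" else bare
    return fields


def summarize(lines):
    """Map profile -> path -> sorted union of the denied_mask letters."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_record(line)
        # Keep complain-mode file records only; skip anything without name=.
        if rec.get("apparmor") != "ALLOWED" or "name" not in rec:
            continue
        seen[rec["profile"]][rec["name"]].update(rec.get("denied_mask", ""))
    return {profile: {name: "".join(sorted(mask)) for name, mask in names.items()}
            for profile, names in seen.items()}


if __name__ == "__main__":
    for profile, names in summarize(SAMPLE).items():
        print(profile)
        for name, mask in names.items():
            print(f"    {name} {mask}")
```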