Bug 130049

Summary: want a flag to mark known rejections
Product: [openSUSE] SUSE LINUX 10.0 Reporter: Seth R Arnold <seth.arnold>
Component: AppArmorAssignee: John R Johansen <jjohansen>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Enhancement    
Priority: P5 - None CC: mrueckert
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: Development Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Seth R Arnold 2005-10-21 18:07:17 UTC 
Marcus Rueckert has another case where a flag to mark a rejection that shouldn't
be logged would be nice to have:
Oct 21 20:00:02 ftp kernel: SubDomain: REJECTING r access to /etc/shadow
(drpmsync(791) profile /usr/bin/drpmsync active /usr/bin/drpmsync)
This is in addition to the /etc/kerberos.conf or whatever the file is.

He proposes 'dr' syntax, for "discard read":
/etc/shadow dr, --> discard read rejections, but log unlink, exec, write
/etc/shadow drdw, --> discard read and write rejections, log unlink and exec
/etc/shadow rdw, --> allow read, discard write rejections, log unlink and exec
etc

The alphabet soup we're getting is pretty thick already, but this is one of the
cleaner suggestions I've seen.
Comment 3 Seth R Arnold 2006-02-07 23:17:17 UTC 
Perhaps this should be tracked in FATE instead?
Comment 6 John R Johansen 2007-11-16 02:14:28 UTC 
The ability to control auditing and quieting of events in apparmor has been prototyped and is likely to show up in SL10.4/SLES 11.

The prototype currently works as follows.  The deny rules and the audit keyword have been added.  Deny rules allow profiles to store what has been explicitly denied so they will not be asked for again during profiling.  They also by default quiet the rejection messages.  The audit keyword forces an audit or reject message to be logged when a given rule is matched.

So for the above example

! /etc/shadow r,   # don't allow reads and don't log read rejects to /etc/shadow
! /etc/shadow rw,  # same as above except for read and write

to force a denial to be logged the deny rule can be removed (but then the
tools will prompt for it in profile learning), or the audit tag can be added.

audit ! /etc/shadow rw,  # audit rw rejects to /etc/shadow but tools won't prompt


The audit keyword can be used to force positive rules to allows log a match

audit /etc/shadow w,   # allows log when /etc/shadow is updated.
Comment 7 John R Johansen 2008-04-10 09:47:31 UTC 
This feature is in 11.0