Bugzilla – Bug 130049
want a flag to mark known rejections
Last modified: 2008-04-10 09:47:31 UTC
Marcus Rueckert has another case where a flag to mark a rejection that shouldn't be logged would be nice to have: Oct 21 20:00:02 ftp kernel: SubDomain: REJECTING r access to /etc/shadow (drpmsync(791) profile /usr/bin/drpmsync active /usr/bin/drpmsync) This is in addition to the /etc/kerberos.conf or whatever the file is. He proposes 'dr' syntax, for "discard read": /etc/shadow dr, --> discard read rejections, but log unlink, exec, write /etc/shadow drdw, --> discard read and write rejections, log unlink and exec /etc/shadow rdw, --> allow read, discard write rejections, log unlink and exec etc The alphabet soup we're getting is pretty thick already, but this is one of the cleaner suggestions I've seen.
Perhaps this should be tracked in FATE instead?
The ability to control auditing and quieting of events in apparmor has been prototyped and is likely to show up in SL10.4/SLES 11. The prototype currently works as follows. The deny rules and the audit keyword have been added. Deny rules allow profiles to store what has been explicitly denied so they will not be asked for again during profiling. They also by default quiet the rejection messages. The audit keyword forces an audit or reject message to be logged when a given rule is matched. So for the above example ! /etc/shadow r, # don't allow reads and don't log read rejects to /etc/shadow ! /etc/shadow rw, # same as above except for read and write to force a denial to be logged the deny rule can be removed (but then the tools will prompt for it in profile learning), or the audit tag can be added. audit ! /etc/shadow rw, # audit rw rejects to /etc/shadow but tools won't prompt The audit keyword can be used to force positive rules to allows log a match audit /etc/shadow w, # allows log when /etc/shadow is updated.
This feature is in 11.0