kukibl Apprentice
Joined: 10 Jun 2008 Posts: 237
Posted: Sun Apr 10, 2022 8:51 pm Post subject: [solved] apparmor_parser warning and error messages on boot?
Hi guys.
This weekend I decided to include AppArmor on my installation, however during boot I noticed the following error messages (I cannot find these messages in the logs):
Code: |
error for /etc/apparmor.d in profile /etc/apparmor.d/usr.bin.redshift
Could not open 'local/usr/bin/redshirt'
apparmor_parser: Unable to add "klogd". Profile already exists
...(this is shown for each single profile)
...
|
Code: |
# aa-status
apparmor module is loaded.
49 profiles are loaded.
49 profiles are in enforce mode.
/usr/lib/apache2/mpm-prefork/apache2
/usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
/usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
/usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
apache2
apache2//DEFAULT_URI
apache2//HANDLING_UNTRUSTED_INPUT
apache2//phpsysinfo
avahi-daemon
dnsmasq
dnsmasq//libvirt_leaseshelper
dovecot
dovecot-anvil
dovecot-auth
dovecot-config
dovecot-deliver
dovecot-dict
dovecot-dovecot-auth
dovecot-dovecot-lda
dovecot-dovecot-lda//sendmail
dovecot-imap
dovecot-imap-login
dovecot-lmtp
dovecot-log
dovecot-managesieve
dovecot-managesieve-login
dovecot-pop3
dovecot-pop3-login
dovecot-script-login
dovecot-ssl-params
dovecot-stats
identd
klogd
lsb_release
mdnsd
nmbd
nscd
ntpd
nvidia_modprobe
nvidia_modprobe//kmod
php-fpm
ping
smbd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
syslog-ng
syslogd
traceroute
winbindd
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
3 processes have profiles defined.
3 processes are in enforce mode.
/usr/sbin/dnsmasq (3347) dnsmasq
/usr/sbin/dnsmasq (3348) dnsmasq
/usr/sbin/syslogd (2594) syslogd
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
|
I found this relevant thread at forums: https://forums.gentoo.org/viewtopic-t-1106740-highlight-apparmorparser.html
My installation is using a separate /boot and LVM with dedicated root and home partitions. The kernel is sys-kernel/gentoo-kernel with the +initramfs USE flag.
Code: |
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 0 931.5G 0 disk
└─sda1 8:1 0 931.5G 0 part /mnt/storage
zram0 252:0 0 4G 0 disk [SWAP]
zram1 252:1 0 0B 0 disk
zram2 252:2 0 0B 0 disk
nvme0n1 259:0 0 232.9G 0 disk
├─nvme0n1p1 259:1 0 100M 0 part
├─nvme0n1p2 259:2 0 1G 0 part
└─nvme0n1p3 259:3 0 231.8G 0 part
├─gentoo-root 253:0 0 30G 0 lvm /
└─gentoo-home 253:1 0 201.8G 0 lvm /home
|
"emerge --info" is here: https://dpaste.com/EQRL449SN
Not sure I understand what the issue is here and how to get rid of these warnings during boot. Thank you.
Last edited by kukibl on Tue Apr 12, 2022 9:33 pm; edited 1 time in total
pietinger Moderator
Joined: 17 Oct 2006 Posts: 4148 Location: Bavaria
Posted: Sun Apr 10, 2022 10:38 pm Post subject: Re: apparmor_parser warning and error messages on boot?
kukibl wrote: | This weekend I decided to include AppArmor on my installation, however during boot I noticed the following error messages (I cannot find these messages in the logs):
Code: | error for /etc/apparmor.d in profile /etc/apparmor.d/usr.bin.redshift
Could not open 'local/usr/bin/redshirt'
apparmor_parser: Unable to add "klogd". Profile already exists
...(this is shown for each single profile)
...
|
|
I would like to see the content of profile /etc/apparmor.d/usr.bin.redshift
Maybe it's only a typo and you need /local/usr/bin/redshirt instead of local/usr/bin/redshirt = without leading /
(also: is it true redshift <=> redshirt ?)
kukibl Apprentice
Joined: 10 Jun 2008 Posts: 237
Posted: Mon Apr 11, 2022 4:24 pm
It's a typo - redshift is correct.
Content of redshift profile:
Code: |
cat /etc/apparmor.d/usr.bin.redshift
# ------------------------------------------------------------------
#
# Copyright (C) 2015 Cameron Norman <camerontnorman@gmail.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# ------------------------------------------------------------------
#include <tunables/global>
/usr/bin/redshift {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/dbus-strict>
  #include <abstractions/X>

  dbus send
       bus=system
       path=/org/freedesktop/GeoClue2/Client/[0-9]*,

  dbus receive
       bus=system
       path=/org/freedesktop/GeoClue2/Manager,

  # Allow but log any other dbus activity
  audit dbus bus=system,

  owner @{HOME}/.config/redshift.conf r,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.redshift>
}
|
Also, AppArmor is from stable branch (except apparmor-profiles ):
Code: |
eix -I apparmor
[I] sec-policy/apparmor-profiles
Available versions: (~)3.0.1^t (~)3.0.3^t **9999*l^t {minimal vanilla}
Installed versions: 3.0.3^t(01:24:40 PM 04/09/2022)(-minimal)
Homepage: https://gitlab.com/apparmor/apparmor/wikis/home
Description: A collection of profiles for the AppArmor application security system
[I] sys-apps/apparmor
Available versions: 3.0.1^t ~3.0.3^t {doc}
Installed versions: 3.0.1^t(11:07:39 PM 04/08/2022)(-doc)
Homepage: https://gitlab.com/apparmor/apparmor/wikis/home
Description: Userspace utils and init scripts for the AppArmor application security system
[I] sys-apps/apparmor-utils
Available versions: 3.0.1^t ~3.0.3^t {test PYTHON_TARGETS="python3_8 python3_9"}
Installed versions: 3.0.1^t(11:08:21 PM 04/08/2022)(PYTHON_TARGETS="python3_9 -python3_8")
Homepage: https://gitlab.com/apparmor/apparmor/wikis/home
Description: Additional userspace utils to assist with AppArmor profile management
[I] sys-libs/libapparmor
Available versions: 3.0.1^t ~3.0.3^t {doc +perl +python static-libs PYTHON_TARGETS="python3_8 python3_9 python3_10"}
Installed versions: 3.0.1^t(11:06:37 PM 04/08/2022)(perl python -doc -static-libs PYTHON_TARGETS="python3_9 -python3_8 -python3_10")
Homepage: https://gitlab.com/apparmor/apparmor/wikis/home
Description: Library to support AppArmor userspace utilities
Found 4 matches
|
pietinger Moderator
Joined: 17 Oct 2006 Posts: 4148 Location: Bavaria
Posted: Mon Apr 11, 2022 5:20 pm
kukibl,
first of all I want to tell you a "problem" with apparmor-profiles: It is written for the main users of AA: Debian, SuSe and Ubuntu. Most profiles fit only these distros ...
Second: For all DBUS monitoring you need a special patched kernel. Vanilla kernels (and our gentoo sources also) are not able to check DBUS communication. This doesn't matter, because it is unused then ... BUT
My recommendation would be: Use your own profiles and delete all that you don't need (I did this also and documented it here in the German Documentation Section; it's D.1 to D.11)
Third: With AA 3.x there are some parts deprecated, like the use of #include. Now you should use only include.
As far as I understand, this profile tries to include another profile /etc/apparmor.d/local/usr.bin.redshift which doesn't exist. apparmor-profiles uses /local/... for individual settings (you should only make changes there) and therefore many profiles have an include of another profile in local (because you should not change anything in etc/apparmor.d/ directly ... forget this please and delete what you don't need and write your own profiles).
So what happens if you either delete this line, or create an (empty) /etc/apparmor.d/local/usr.bin.redshift ?
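The fix pietinger describes (a profile whose include <local/...> line points at a file that does not exist, cured by creating that file empty) can be checked and applied for a whole profile directory. The script below is an added example for this thread, not code from the thread or from the AppArmor project; the apparmor.d tree and sample profile it works on are constructed in a temporary directory, and the directory to scan is assumed to be passed in by the caller:

```shell
#!/bin/sh
# Added example (not from the thread or from AppArmor): find profiles whose
# include <local/...> line (or the deprecated #include form) points at a file
# that does not exist, and create it empty so apparmor_parser stops failing
# the way it did for usr.bin.redshift. Paths below are constructed for the demo.

# List "profile -> missing file" for every dangling local include in DIR.
find_missing_local_includes() {
    dir="$1"
    for prof in "$dir"/*; do
        [ -f "$prof" ] || continue
        # Pull the <local/...> target out of include lines, with or without '#'.
        sed -n 's/^[[:space:]]*#\{0,1\}include[[:space:]]*<\(local\/[^>]*\)>.*/\1/p' "$prof" |
        while IFS= read -r inc; do
            [ -e "$dir/$inc" ] || printf '%s -> %s\n' "$prof" "$dir/$inc"
        done
    done
}

# Create each missing local override as an empty file (safe to run repeatedly).
create_missing_local_includes() {
    dir="$1"
    find_missing_local_includes "$dir" | while IFS= read -r line; do
        target=${line#* -> }
        mkdir -p "$(dirname "$target")"
        : > "$target"
    done
}

# Demo on a constructed apparmor.d tree (not the real /etc/apparmor.d).
demo_dir=$(mktemp -d)
cat > "$demo_dir/usr.bin.redshift" <<'EOF'
abi <abi/3.0>,
include <tunables/global>
/usr/bin/redshift {
  include <abstractions/base>
  owner @{HOME}/.config/redshift.conf r,
  # Site-specific additions and overrides.
  include <local/usr.bin.redshift>
}
EOF
echo "Before:"; find_missing_local_includes "$demo_dir"
create_missing_local_includes "$demo_dir"
echo "After:";  find_missing_local_includes "$demo_dir"   # prints nothing
rm -rf "$demo_dir"
```

Against the real tree, point the functions at /etc/apparmor.d and afterwards check a single profile with apparmor_parser -Q -r /etc/apparmor.d/usr.bin.redshift, which parses it without loading it into the kernel. This only repairs the missing local file; the deprecated #include lines and the missing abi line pietinger mentions still have to be edited by hand.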
pietinger Moderator
Joined: 17 Oct 2006 Posts: 4148 Location: Bavaria
Posted: Tue Apr 12, 2022 11:00 am
P.S.: Most important: With AA 3.x you must have an ABI defined!
kukibl Apprentice
Joined: 10 Jun 2008 Posts: 237
Posted: Tue Apr 12, 2022 9:33 pm
First of all pietinger, thank you very much for time and effort.
pietinger wrote: |
My recommendation would be: Use your own profiles and delete all what you dont need (I did this also and documented this here in German Documentation Section; its D.1 until D.11)
|
That was my plan. Will check your documentation. My German is non-existent (I did actually learn it in elementary school, but never used it later), but I guess Google Translate will help me out.
Quote: | So what happens if you either delete this line, or create an (empty) /etc/apparmor.d/local/usr.bin.redshift ? |
This (adding an empty usr.bin.redshift to /etc/apparmor.d/local/) actually removed the error and warning messages at boot.
Thank you once again, will spend some time studying your documentation posts.
pietinger Moderator
Joined: 17 Oct 2006 Posts: 4148 Location: Bavaria
Posted: Tue Apr 12, 2022 10:20 pm
You are welcome, kukibl!
May I add that you can use apparmor-profiles together with mine ... (I don't use anything from apparmor-profiles; and I have set all my base profiles in BIGLETTERS so there is no chance to overwrite other base profiles).
(I have used Google Translate and was impressed how good it is)