Page 2 of 2 FirstFirst 12
Results 11 to 13 of 13

Thread: apparmor: how can I make a "deny network" rule work?

  1. #11
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: apparmor: how can I make a "deny network" rule work?

    Quote Originally Posted by arrange View Post
    I'm afraid we are talking about two different things...

    In your example
    Code:
    Dec 2 21:27:21 maverick kernel: [ 693.304375] type=1400 audit(1291350441.726:15): apparmor="DENIED" operation="open" parent=1820 profile="/usr/bin/evince" name="/boot/initrd.img-2.6.35-23-generic" pid=1843 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    AA denied access to /boot/initrd.img-2.6.35-23-generic because you explicitly did not allow the application to access that file in its AA profile. This is of course logged.

    But what I'm talking about is this: if I add this line to usr.bin.evince
    Code:
    deny /boot/initrd.img-2.6.35-23-generic r,
    and then attempt to open the initrd file using evince, the access will be denied AND it will not be logged. BTW the quote you gave ("deny rules - In a profile any rule with the deny prefix will cause quieting of rejects matching the rule. ") IMO confirms this.

    My original question was: can this behavior be applied to the network rule as well?
    It should work, yes, and if it does not, please file a bug report, lol.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  2. #12
    Join Date
    Apr 2009
    Beans
    8

    Re: apparmor: how can I make a "deny network" rule work?

    Yes, I'm new to Ubuntu and AppArmor, and I have the same problem now.

    I added "deny network inet6", but aa-notify still pops up a message telling me that Firefox tried to "create inet6 stream".
    The deny keyword looks like it does not work on network rules.

    Does anyone know about that?
    Any workaround?

    Thank you.
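
A small parser for the audit-log format quoted in #11, extended to the socket-denial shape the #12 poster sees in aa-notify, as an added example that is not part of this thread or of AppArmor's tooling. It turns a DENIED event back into the `deny` rule that would quiet it (for the initrd line that is exactly the rule arrange added; for the Firefox case it is `deny network inet6 stream,`). The evince line is the one from the thread; the Firefox line and its profile path are constructed, and `suggest_deny_rule`/`suggest_rules` are hypothetical helpers.

```python
import re
from typing import Dict, List, Optional, Tuple

# key=value pairs as the kernel writes them: double-quoted (profile="...")
# or bare (pid=1843). A path containing '=' would confuse this scanner.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_apparmor_line(line: str) -> Optional[Dict[str, str]]:
    """Split one AppArmor audit line into fields; None if not AppArmor."""
    if "apparmor=" not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(line)}

def suggest_deny_rule(ev: Dict[str, str]) -> Optional[str]:
    """The `deny` form of the rule this event was rejected by, or None.
    File denials -> `deny <path> <mask>,`; socket denials ->
    `deny network <family> <sock_type>,`. Review exec (x) masks by hand."""
    if ev.get("apparmor") != "DENIED":
        return None
    if "name" in ev and "denied_mask" in ev:
        return f'deny {ev["name"]} {ev["denied_mask"]},'
    if "family" in ev and "sock_type" in ev:
        return f'deny network {ev["family"]} {ev["sock_type"]},'
    return None

def suggest_rules(lines: List[str]) -> List[Tuple[str, str]]:
    """(profile, rule) for every denial in `lines`, in log order."""
    out = []
    for ev in filter(None, map(parse_apparmor_line, lines)):
        rule = suggest_deny_rule(ev)
        if rule is not None:
            out.append((ev.get("profile", "?"), rule))
    return out

# The evince line is the one quoted in the thread; the firefox line is
# constructed (profile path is a placeholder, field names are the kernel's).
EVINCE_LINE = ('Dec 2 21:27:21 maverick kernel: [ 693.304375] type=1400 '
               'audit(1291350441.726:15): apparmor="DENIED" operation="open" '
               'parent=1820 profile="/usr/bin/evince" '
               'name="/boot/initrd.img-2.6.35-23-generic" pid=1843 comm="evince" '
               'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0')
FIREFOX_LINE = ('Dec 2 21:30:02 maverick kernel: [ 853.101522] type=1400 '
                'audit(1291350602.118:16): apparmor="DENIED" operation="create" '
                'parent=1 profile="/usr/lib/firefox/firefox" pid=2001 comm="firefox" '
                'family="inet6" sock_type="stream" protocol=6')
```

Whether the resulting rule also silences the log entry is what this thread is asking; the snippet only reconstructs the rule, it does not replace aa-logprof.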

  3. #13
    Join Date
    Jul 2007
    Location
    Magic City of the Plains
    Beans
    Hidden!
    Distro
    Xubuntu 15.04 Vivid Vervet

    Re: apparmor: how can I make a "deny network" rule work?

    If a post is older than a year or so and hasn't had a new reply in that time, instead of replying to it, create a new thread. In the software world, a lot can change in a very short time, and doing things this way makes it more likely that you will find the best information. You may link to the original discussion in the new thread if you think it may be helpful.
