apparmor="DENIED" operation="open" ???

Ovidiu

Can anyone help me understand this log entry? What was denied, to whom and why.

Code:
[421467.144342] audit: type=1400 audit(1460139192.114:104): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/proc/12744/status" pid=12744 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
 
/usr/bin/freshclam was denied read access to /proc/12744/status, with 12744 being a process owned by another user.
The AppArmor profile allows:
Code:
owner @{PROC}/[0-9]*/status r,
Which means it's allowed to access /proc/*/status of all processes belonging to the same user under which freshclam is running. So the question is why it would access other files as well. (It might just be listing all of them while only needing its own (iow. lazily programmed), or a bug, or it actually needs it and the apparmor profile might be too strict. I don't know.)
 
Thx for explaining, that will help me read further AppArmor errors.
The important part I was missing is that profile denotes the app which was blocked/audited and name denotes the "target" :-9
 
Most of the profiles are named after their executable paths. Programs which are AppArmor-aware might end up switching to different profiles (or sub-profiles, e.g. lxc uses 'lxc-container-default' for containers). (It can be inherited, too, which you'd see if "comm" doesn't match the profile (without the path).)
 
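Added example, not part of the thread: a small Python parser that splits an AppArmor audit record into its fields and applies the two checks discussed above (can an `owner` rule match, and does `comm` match the profile name). The function names are made up for this example; decoding of unquoted hex values and the 15-character `comm` comparison reflect how the kernel writes these records.

```python
import os
import re

# Audit record quoted in the thread above.
SAMPLE = ('[421467.144342] audit: type=1400 audit(1460139192.114:104): '
          'apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" '
          'name="/proc/12744/status" pid=12744 comm="freshclam" '
          'requested_mask="r" denied_mask="r" fsuid=111 ouid=0')

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
STRING_KEYS = {"profile", "name", "comm"}  # logged unquoted as hex if they hold odd chars

def parse_apparmor(line):
    """Return the key=value fields of an AppArmor audit record, or None."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        value = bare if bare else quoted
        if bare and key in STRING_KEYS and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = value
    return fields

def explain(fields):
    """Summarise who was denied what, plus the two checks discussed in the thread."""
    profile, comm = fields.get("profile", ""), fields.get("comm", "")
    return {
        "who": profile,                       # profile confining the process
        "what": fields.get("name"),           # object the access targeted
        "access": fields.get("denied_mask"),
        # An 'owner' rule only matches when the task's fsuid equals the object's uid.
        "owner_rule_can_match": fields.get("fsuid") is not None
                                and fields.get("fsuid") == fields.get("ouid"),
        # comm is truncated to 15 characters by the kernel, so compare on that prefix.
        "comm_matches_profile": os.path.basename(profile)[:15] == comm,
    }

if __name__ == "__main__":
    for key, value in explain(parse_apparmor(SAMPLE)).items():
        print(f"{key:22} {value}")
```

For the record from the thread, `owner_rule_can_match` is False (fsuid=111, ouid=0), which is why the `owner @{PROC}/[0-9]*/status r,` rule did not allow the read.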