Hi Team,
Looking for your help.
I have gone through the following link, where a similar issue was asked:
https://lists.debian.org/debian-user/2018/07/msg00542.html
Issue: I made a profile for the application, and it is not getting confined by AppArmor.
What I did:
1) I wrote the following profile:
root@abc:~# cat /etc/apparmor.d/usr.bin.phosphor-network-snmpconf
# Last Modified: Thu Jul 29 14:30:33 2021
#include <tunables/global>
/usr/bin/phosphor-network-snmpconf flags=(complain) {
#include <abstractions/base>
/lib/x86_64-linux-gnu/ld-*.so mr,
/usr/bin/phosphor-network-snmpconf mr,
}
2) Reloaded the AppArmor profiles:
/etc/init.d/apparmor reload
3) I ran the binary under complain mode with the following command:
aa-complain /usr/bin/phosphor-network-snmpconf
Setting /usr/bin/phosphor-network-snmpconf to complain mode.
[ 875.716595] kauditd_printk_skb: 40 callbacks suppressed
[ 875.716649] audit: type=1400 audit(1627637368.796:113): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="" name="/usr/bin/phosphor-network-snmpconf" pid=815 comm="apparmor_parser"
4) Restarted the SNMP service, which internally calls phosphor-network-snmpconf:
systemctl restart xyz.openbmc_project.Network.SNMP.service
5) How the above service file looks:
6) Output of aa-status is as follows:
============================
root@abc:~# aa-status
apparmor module is loaded.
48 profiles are loaded.
47 profiles are in enforce mode.
/usr/lib/apache2/mpm-prefork/apache2
/usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
/usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
/usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
apache2
apache2//DEFAULT_URI
apache2//HANDLING_UNTRUSTED_INPUT
apache2//phpsysinfo
avahi-daemon
dnsmasq
dnsmasq//libvirt_leaseshelper
dovecot
dovecot-anvil
dovecot-auth
dovecot-config
dovecot-deliver
dovecot-dict
dovecot-dovecot-auth
dovecot-dovecot-lda
dovecot-dovecot-lda//sendmail
dovecot-imap
dovecot-imap-login
dovecot-lmtp
dovecot-log
dovecot-managesieve
dovecot-managesieve-login
dovecot-pop3
dovecot-pop3-login
dovecot-script-login
dovecot-ssl-params
dovecot-stats
identd
klogd
lsb_release
mdnsd
nmbd
nscd
ntpd
php-fpm
ping
smbd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
syslog-ng
syslogd
traceroute
winbindd
1 profiles are in complain mode.
/usr/bin/phosphor-network-snmpconf
0 profiles are in kill mode.
0 profiles are in unconfined mode.
1 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
/usr/bin/phosphor-network-snmpconf (825)
0 processes are in mixed mode.
0 processes are in kill mode.
7) Source code of the SNMP service: https://github.com/openbmc/phosphor-snmp
My expectation was that when I run the SNMP service, it should throw the DENIAL messages, but I am not getting any DENIAL messages, as the process is unconfined.
Can you please let me know where I am making the mistake?
Ratan
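The following script is an added example for readers of this thread; it is not part of the original post, of phosphor-snmp, or of the AppArmor tools. It turns the three things a practitioner checks in this situation into functions: what aa-status says about the profile (loaded in enforce or complain mode, or present but with an unconfined process, which is what the "unconfined but have a profile defined" line reports), what label the running process actually carries in /proc, and what the kernel audit log recorded for that profile. Two caveats it encodes: an AppArmor profile is attached only when the binary is executed, so a process that was already running when the profile was loaded stays unconfined until it is re-executed; and a profile in complain mode logs apparmor="ALLOWED" events rather than apparmor="DENIED" ones. The aa-status and audit texts embedded below are constructed samples trimmed from the output quoted in the post (the ALLOWED and apache2 DENIED lines are invented for illustration), and the /proc attribute paths and the `live_check` helper are assumptions about a typical Linux host rather than anything shown in the thread.

```shell
#!/bin/sh
# Added example (not from the original post or from phosphor-snmp):
# classify a binary's AppArmor state from aa-status text, from the live
# process label in /proc, and from kernel audit (type=1400) lines.

# Constructed sample, trimmed from the aa-status output quoted in the post.
SAMPLE_AA_STATUS='apparmor module is loaded.
3 profiles are loaded.
2 profiles are in enforce mode.
   /usr/lib/apache2/mpm-prefork/apache2
   ping
1 profiles are in complain mode.
   /usr/bin/phosphor-network-snmpconf
0 profiles are in kill mode.
0 profiles are in unconfined mode.
1 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/bin/phosphor-network-snmpconf (825)
0 processes are in mixed mode.
0 processes are in kill mode.'

# Constructed sample audit lines: the STATUS line is the one from the post,
# the ALLOWED and DENIED lines are invented to show the two event kinds.
SAMPLE_AUDIT='[  875.716649] audit: type=1400 audit(1627637368.796:113): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="" name="/usr/bin/phosphor-network-snmpconf" pid=815 comm="apparmor_parser"
[  901.120000] audit: type=1400 audit(1627637394.200:114): apparmor="ALLOWED" operation="open" profile="/usr/bin/phosphor-network-snmpconf" name="/etc/snmp/snmpd.conf" pid=990 comm="phosphor-networ" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  901.130000] audit: type=1400 audit(1627637394.210:115): apparmor="DENIED" operation="open" profile="/usr/lib/apache2/mpm-prefork/apache2" name="/etc/shadow" pid=500 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0'

# confinement_from_status STATUS_TEXT PROFILE_PATH
# Prints one of: enforce | complain | unconfined-with-profile | not-loaded.
# Walks the aa-status sections; a process listed under "unconfined but have
# a profile defined" wins over the profile's own mode, because that is the
# case where the profile is loaded but is not applied to the running process.
confinement_from_status() {
  printf '%s\n' "$1" | awk -v p="$2" '
    /^[0-9]+ profiles are in enforce mode/                        { sec = "p-enforce";    next }
    /^[0-9]+ profiles are in complain mode/                       { sec = "p-complain";   next }
    /^[0-9]+ processes are unconfined but have a profile defined/ { sec = "x-unconfined"; next }
    /^[0-9]+ (profiles|processes) /                               { sec = "";             next }
    sec == "x-unconfined" && $1 == p { unconf = 1; next }
    sec == "p-enforse" && $1 == p    { prof = "enforce" }
    sec == "p-enforce" && $1 == p    { prof = "enforce" }
    sec == "p-complain" && $1 == p   { prof = "complain" }
    END {
      if (unconf)          print "unconfined-with-profile"
      else if (prof != "") print prof
      else                 print "not-loaded"
    }'
}

# audit_summary AUDIT_TEXT PROFILE_PATH
# Counts ALLOWED (complain mode) and DENIED (enforce mode) events attributed
# to PROFILE_PATH. STATUS lines carry profile="" and are therefore skipped.
audit_summary() {
  printf '%s\n' "$1" | awk -v p="$2" '
    /type=1400/ && index($0, "profile=\"" p "\"") {
      if (index($0, "apparmor=\"ALLOWED\"")) a++
      if (index($0, "apparmor=\"DENIED\""))  d++
    }
    END { printf "allowed=%d denied=%d\n", a, d }'
}

# current_label PID
# Reads the live AppArmor label of a process. Assumption: the kernel exposes
# /proc/PID/attr/apparmor/current (newer kernels) or /proc/PID/attr/current.
# "unconfined" here is the definitive answer, whatever aa-status lists.
current_label() {
  for f in "/proc/$1/attr/apparmor/current" "/proc/$1/attr/current"; do
    if [ -r "$f" ] && cat "$f" 2>/dev/null; then return 0; fi
  done
  echo unknown
}

# live_check PROFILE_PATH
# Same three checks against the real host (needs root for aa-status/dmesg).
live_check() {
  printf 'aa-status: %s\n' "$(confinement_from_status "$(aa-status 2>/dev/null)" "$1")"
  for pid in $(pgrep -f "^$1" 2>/dev/null); do
    printf 'pid %s label: %s\n' "$pid" "$(current_label "$pid")"
  done
  printf 'audit: %s\n' "$(audit_summary "$(dmesg 2>/dev/null)" "$1")"
}

# Offline demonstration on the constructed samples.
printf 'sample aa-status: %s\n' "$(confinement_from_status "$SAMPLE_AA_STATUS" /usr/bin/phosphor-network-snmpconf)"
printf 'sample audit:     %s\n' "$(audit_summary "$SAMPLE_AUDIT" /usr/bin/phosphor-network-snmpconf)"
if [ $# -gt 0 ]; then live_check "$1"; fi
```

Run it with no arguments to see the classification of the constructed samples; run it as root with the profile path as the argument (for example `sh check.sh /usr/bin/phosphor-network-snmpconf`) to apply the same checks to the live host. If the label read from /proc is "unconfined" while aa-status lists the profile, the process was not confined at exec time, and the service has to be re-executed after the profile is loaded; once it is confined in complain mode, look for apparmor="ALLOWED" lines rather than DENIED ones.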