profiles requires CAP_MAC_ADMIN

Jamie Strandboge Wed, 23 Mar 2016 07:30:17 -0700

** Changed in: linux (Ubuntu)
       Status: Confirmed => In Progress

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1560583


Title:
  reading /sys/kernel/security/apparmor/profiles requires CAP_MAC_ADMIN

Status in linux package in Ubuntu:
  In Progress

Bug description:
  $ cat ./t
  #include <tunables/global>

  profile t {
     #include <abstractions/base>
     /bin/cat ixr,
     /sys/kernel/security/apparmor/profiles r,
  }

  $ sudo apparmor_parser -r ./t
  $ sudo aa-exec -p t -- cat /sys/kernel/security/apparmor/profiles 
  cat: /sys/kernel/security/apparmor/profiles: Permission denied
  [1]

  kernel: [   62.203035] audit: type=1400 audit(1458665428.726:128):
  apparmor="DENIED" operation="capable" profile="t" pid=3683 comm="cat"
  capability=33  capname="mac_admin"

  This is new in the -15 kernel.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1560583/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1560583] Re: reading /sys/kernel/security/apparmor/profiles requires CAP_MAC_ADMIN

Reply via email to