deny keyword does not work on network rule
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apparmor (Ubuntu) | Invalid | Undecided | Unassigned |
Lucid | Invalid | Undecided | Unassigned |
Precise | Invalid | Undecided | Unassigned |
Quantal | Invalid | Undecided | Unassigned |
Raring | Invalid | Undecided | Unassigned |
linux (Ubuntu) | Fix Released | Undecided | John Johansen |
Lucid | Fix Released | Undecided | John Johansen |
Precise | Fix Released | Undecided | John Johansen |
Quantal | Fix Released | Undecided | John Johansen |
Raring | Fix Released | Undecided | John Johansen |

Bug Description
I added a "deny network inet6" rule to firefox,
but when I launch firefox, aa-notify still pops up the log message telling me
firefox tries to create an inet6 stream.
My system is Xubuntu 12.10/i386, dpkg -l |grep apparmor:
ii apparmor 2.8.0-0ubuntu5 i386 User-space parser utility for AppArmor
ii apparmor-docs 2.8.0-0ubuntu5 all Documentation for AppArmor
ii apparmor-notify 2.8.0-0ubuntu5 all AppArmor notification system
ii apparmor-profiles 2.8.0-0ubuntu5 all Profiles for AppArmor Security policies
ii apparmor-utils 2.8.0-0ubuntu5 i386 Utilities for controlling AppArmor
ii libapparmor-perl 2.8.0-0ubuntu5 i386 AppArmor library Perl bindings
ii libapparmor1 2.8.0-0ubuntu5 i386 changehat AppArmor library
For reference: http://
Thank you.
Changed in linux (Ubuntu Raring):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Quantal):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed-lucid
tags: added: verification-needed-precise
tags: added: verification-needed-quantal
Indeed there is an auditing bug with network rules which prevents them from being quieted (the denial does actually happen). This has been fixed upstream, but needs to be backported for Ubuntu kernels.
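
One way to check a machine for the behaviour described in this report, as an added example that is not part of the original bug thread or of AppArmor itself: the script finds DENIED audit records for network families that a profile covers with a plain `deny network <family>` rule (no `audit` prefix), which should normally be silent. The profile name, profile fragment and log lines are constructed sample data, and only family-qualified rules in a single profile are handled.

```python
import re

# Constructed sample data (not from the bug report): a profile fragment and
# kernel audit lines in the AppArmor type=1400 key="value" layout.
PROFILE_NAME = "/usr/lib/firefox/firefox"   # assumed profile name
PROFILE = """
/usr/lib/firefox/firefox {
  network inet stream,
  deny network inet6,
  audit deny network packet,
}
"""
LOG = [
    'audit: type=1400 audit(1351000000.101:51): apparmor="DENIED" operation="create" '
    'profile="/usr/lib/firefox/firefox" pid=2201 comm="firefox" family="inet6" '
    'sock_type="stream" protocol=0',
    'audit: type=1400 audit(1351000003.530:52): apparmor="DENIED" operation="create" '
    'profile="/usr/lib/firefox/firefox" pid=2201 comm="firefox" family="packet" '
    'sock_type="raw" protocol=768',
    'audit: type=1400 audit(1351000009.004:53): apparmor="DENIED" operation="create" '
    'profile="/usr/sbin/cupsd" pid=911 comm="cupsd" family="inet6" '
    'sock_type="dgram" protocol=0',
]

RULE = re.compile(r'^\s*(audit\s+)?deny\s+network\s+(\w+)')
FIELD = re.compile(r'(\w+)="?([^"\s]+)"?')  # values here contain no spaces

def quiet_denied_families(profile_text):
    """Families under a plain `deny network <family>` rule (no `audit` prefix)."""
    quiet = set()
    for line in profile_text.splitlines():
        m = RULE.match(line)
        if m and not m.group(1):
            quiet.add(m.group(2))
    return quiet

def unexpected_denials(profile_name, profile_text, log_lines):
    """DENIED records for profile_name that a plain deny rule should have silenced."""
    quiet = quiet_denied_families(profile_text)
    hits = []
    for line in log_lines:
        f = dict(FIELD.findall(line))
        if (f.get("apparmor") == "DENIED" and f.get("profile") == profile_name
                and f.get("family") in quiet):
            hits.append((f.get("comm"), f["family"], f.get("sock_type")))
    return hits

if __name__ == "__main__":
    for hit in unexpected_denials(PROFILE_NAME, PROFILE, LOG):
        print("logged despite plain deny rule:", hit)
```

A non-empty result matches the symptom in this report: the access is blocked but still audited. The `packet` record is not flagged because its rule asks for auditing with `audit deny`.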