Jamie, can you describe how you hit this, as I'm unable to reproduce it. In the example below auditd is not running:

$ cat tmp/my.sh
#!/bin/sh
cat "$@" > /dev/null

$ cat /etc/apparmor.d/home.ubuntu.tmp.my.sh
# Last Modified: Mon Mar 26 10:59:48 2012
#include <tunables/global>

/home/ubuntu/tmp/my.sh {
  #include <abstractions/base>

  /bin/cat rix,
  /bin/dash ix,
  /home/ubuntu/tmp/my.sh r,
}

$ sudo aa-status | grep my.sh
/home/ubuntu/tmp/my.sh
/home/ubuntu/tmp/my.sh//null-f

$ tmp/my.sh /etc/fstab
cat: /etc/fstab: Permission denied

$ sudo aa-logprof
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Enforce-mode changes:

Profile: /home/ubuntu/tmp/my.sh
Path: /etc/fstab
Mode: r
Severity: 3

1 - #include <abstractions/evince>
[2 - /etc/fstab]

(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /etc/fstab r to profile.

Profile: /home/ubuntu/tmp/my.sh
Path: /etc/resolv.conf
Mode: r
Severity: 2

1 - #include <abstractions/nameservice>
[2 - /etc/resolv.conf]

(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /etc/resolv.conf r to profile.

= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?

[1 - /home/ubuntu/tmp/my.sh]

(S)ave Changes / [(V)iew Changes] / Abo(r)t
(S)ave Changes / [(V)iew Changes] / Abo(r)t
Writing updated profile for /home/ubuntu/tmp/my.sh.

$ cat /etc/apparmor.d/home.ubuntu.tmp.my.sh
# Last Modified: Mon Mar 26 11:04:45 2012
#include <tunables/global>

/home/ubuntu/tmp/my.sh {
  #include <abstractions/base>

  /bin/cat rix,
  /bin/dash ix,
  /etc/fstab r,
  /etc/resolv.conf r,
  /home/ubuntu/tmp/my.sh r,
}

(note that resolv.conf access rejection was from a prior run of my.sh)