AppArmor: how to fix the Create New User issue with logprof

We have started to use AppArmor as a way to strengthen the security on our platform. It is a reasonably good tool, for which you can find rather straightforward tutorials.

AppArmor is a tool that can explicitly allow or deny actions by some applications. Those actions are recorded in a profile. Many profiles are already available, for such tools as Firefox, but sometimes it is necessary to create your own. This was the case for us: we wanted to make sure using Mono was not too much of a risky endeavor (we run investment strategies written by our users in .NET).

Creating a profile for AppArmor can be done in a couple of ways. One is to run the application you want to lock down in record (“complain”) mode, check the logs produced by AppArmor and select the corresponding rules you want to enforce. The tool that checks the logs and produces the profile containing the rules is logprof, generally run with the aa-logprof command.

Last morning, when I merrily tried to run logprof, it prompted me at the end of the process to create a user.

Create New User?
(Y)es / [(N)o]

I didn’t know what “Creating a user” meant here. And, at this point, there is nothing useful to do. Whether you reply Yes or No, you are always prompted for a username and password, then asked whether you want to save the configuration, which inevitably ends with a Login failure, and you are back to the Create a User question (Ctrl-C to get out). Here is the whole trace:

Updating AppArmor profiles in /etc/apparmor.d.
Create New User?

(Y)es / [(N)o]
Username: noideawhatmyusernameis
Password: noideawhatthepasswordis

Save Configuration?

[(Y)es] / (N)o

Login failure
Please check username and password and try again.
RPC::XML::Client::send_request: HTTP server error: Not Found

Create New User?

It took me a while to understand what was going on, so I’m writing this post in the hope that it will help someone (possibly me, in the not-so-distant future).

The user here refers in fact to a user on the central, public repository for AppArmor profiles. You do not normally need a login for downloading profiles, but logins are required to upload them. Now, I obviously do not want to upload my profiles, so what’s the deal?
In all likelihood, I must have enabled the upload of profiles at some point, possibly when I was trying to figure out what AppArmor was doing. There is a way to undo that, but very little documentation and few discussions about it on the internet.
I finally found it on Novell’s site.

In the end, here is what you need to do:

  1. move to /etc/apparmor (and not /etc/apparmor.d, which is the directory where the profiles are saved)
  2. edit repository.conf
  3. in the [repository] section, replace upload = yes with upload = no

All done!
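The three steps above as a script, as an added example that is not part of the original post: it changes upload only inside the [repository] section and keeps a backup of the file. The sample file contents, the [other] section and the repository.example URL are constructed for the demonstration; on a real host the file is /etc/apparmor/repository.conf and the script needs root.

```shell
#!/bin/sh
# Added example (not from the original post): section-aware edit of
# AppArmor's repository.conf so that only [repository] upload is changed.

# Print the value of "upload" in the [repository] section (empty if absent).
repo_upload_value() {
    awk '
        /^[ \t]*\[/ { in_repo = ($0 ~ /^[ \t]*\[repository\][ \t]*$/); next }
        in_repo && /^[ \t]*upload[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Set upload = no inside [repository] only; keep the original as <file>.bak.
disable_repo_upload() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    if [ "$(repo_upload_value "$conf")" != "yes" ]; then
        return 0                       # nothing to change, leave file alone
    fi
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    awk '
        /^[ \t]*\[/ { in_repo = ($0 ~ /^[ \t]*\[repository\][ \t]*$/) }
        in_repo && /^[ \t]*upload[ \t]*=/ { sub(/=.*/, "= no") }
        { print }' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    cp -p "$conf" "$conf.bak" && cat "$tmp" > "$conf"   # cat keeps owner/mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample file; the [other] section is hypothetical and is there
# to show that a same-named key outside [repository] is not touched.
write_sample_conf() {
    cat > "$1" <<'EOF'
[repository]
  url    = http://repository.example/api
  upload = yes

[other]
  upload = yes
EOF
}

# Demo on a scratch copy, never on the live file.
demo=$(mktemp -d) && write_sample_conf "$demo/repository.conf" &&
    disable_repo_upload "$demo/repository.conf" &&
    cat "$demo/repository.conf"
rm -rf "$demo"
```

Running `repo_upload_value /etc/apparmor/repository.conf` before aa-logprof shows whether the upload prompt will appear.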

Footnote: the status of AppArmor is not clear to me. Wikipedia indicated that Novell has fired the original team that developed it and indeed Novell’s site only points to AppArmor v2.1 and earlier. A Google search returns many links to Ubuntu and indeed Karmic Koala comes with v2.3.1 (the latest, AFAIK), but Ubuntu pages do not offer very advanced documentation. Novell does have the best documentation but is strangely not well referenced on Google and the documentation only goes until v2.1, which is not impressive. The official development site is hosted by Novell, but it only mentions v2.3beta and has not seen any release since mid-2008. Finally, a similar tool, Tomoyo, has been merged into the Linux kernel v2.6.30 since mid-2009. So I think that, once we have moved all our servers to Karmic, we’ll dump AppArmor.

About Eric Lefevre-Ardant

Independent technical consultant.

6 Responses to AppArmor: how to fix the Create New User issue with logprof

  1. Andreas says:

    Hi there,

    I just want to mention that your article here helped me too. :-) I found it via search engine.

    Maybe the upload option should be set to “No” by default. I would imagine there are more people than you and me puzzled about this.

  2. Rob says:

    Thanks this helped, now I’ve been able to configure Apparmor, and not having 25MB of logfiles per day. Very useful thanks again.

  3. Pingback: Bound and Armed « Project ESXi's Blog

  4. J.C. Denton says:

    Thanks for the article. It helped me a lot! ;-)

  5. Deon says:

    Thanks! You’re right, there’s so very little mention or documentation about this on the net. I think upload is enabled by default on Ubuntu machines, which makes logprof near impossible to use on Ubuntu (10.04) machines unless you turn this upload ‘feature’ off.

  6. Stef says:

    Hi,

    I just want to say that your article helped me too. I always asked myself which username and password AppArmor wanted from me :D, so I found your page through Google.
