• question re apparmor

    From gene heskett@21:1/5 to All on Tue Sep 3 06:20:01 2024
    Just got a popup that quickly faded, checked dmesg, found this:
    [ 61.521774] audit: type=1400 audit(1725204436.106:36): apparmor="DENIED" operation="unlink" profile="/usr/bin/akonadiserver" name="/home/gene/.local/share/akonadi/socket-coyote-default" pid=3405 comm="akonadiserver" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
    [ 61.592585] audit: type=1400 audit(1725204436.178:37): apparmor="DENIED" operation="open" profile="mariadbd_akonadi" name="/sys/devices/system/node/" pid=3415 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    [ 61.726848] audit: type=1400 audit(1725204436.314:38): apparmor="DENIED" operation="open" profile="mariadbd_akonadi" name="/sys/devices/system/node/" pid=3468 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    [ 61.791656] audit: type=1400 audit(1725204436.378:39): apparmor="DENIED" operation="open" profile="mariadbd_akonadi" name="/sys/block/" pid=3468 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    [ 61.808933] audit: type=1400 audit(1725204436.394:40): apparmor="DENIED" operation="open" profile="mariadbd_akonadi" name="/sys/devices/pci0000:00/0000:00:1c.7/0000:07:00.0/ata13/host12/target12:0:0/12:0:0:0/block/sdh/queue/physical_block_size" pid=3468 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    [ 66.987054] logitech-hidpp-device 0003:046D:4094.0008: HID++ 4.5 device connected.
    [11564.656666] perf: interrupt took too long (2542 > 2500), lowering kernel.perf_event_max_sample_rate to 78500
    [14900.611280] perf: interrupt took too long (3189 > 3177), lowering kernel.perf_event_max_sample_rate to 62500
    [29560.576007] perf: interrupt took too long (4011 > 3986), lowering kernel.perf_event_max_sample_rate to 49750
    [45232.084682] audit: type=1400 audit(1725249606.321:41): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=35720 comm="cupsd" capability=12 capname="net_admin"
    [72817.527464] Process accounting resumed
    [112391.466084] perf: interrupt took too long (5054 > 5013), lowering kernel.perf_event_max_sample_rate to 39500
    [131632.743631] audit: type=1400 audit(1725336006.281:42): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=147785 comm="cupsd" capability=12 capname="net_admin"

    Config error? real problem? IDK. Machine had huge security update of 115
    files + kernel yesterday morning.

    Thanks.

    Cheers, Gene Heskett, CET.
    --
    "There are four boxes to be used in defense of liberty:
    soap, ballot, jury, and ammo. Please use in that order."
    -Ed Howdershelt (Author, 1940)
    If we desire respect for the law, we must first make the law respectable.
    - Louis D. Brandeis

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
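
    Added example, not part of the original posts: a small Python parser that splits the kernel type=1400 AppArmor records quoted above into fields and groups the denials by profile, process name and operation. The sample is a constructed subset of the posted dmesg lines with the wraps rejoined; parse_denials and summarize are names chosen here.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample: a subset of the dmesg lines from the post above,
# with the mail-wrapped records rejoined onto one line each.
SAMPLE = '''\
[ 61.521774] audit: type=1400 audit(1725204436.106:36): apparmor="DENIED" operation="unlink" profile="/usr/bin/akonadiserver" name="/home/gene/.local/share/akonadi/socket-coyote-default" pid=3405 comm="akonadiserver" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
[ 61.592585] audit: type=1400 audit(1725204436.178:37): apparmor="DENIED" operation="open" profile="mariadbd_akonadi" name="/sys/devices/system/node/" pid=3415 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 66.987054] logitech-hidpp-device 0003:046D:4094.0008: HID++ 4.5 device connected.
[45232.084682] audit: type=1400 audit(1725249606.321:41): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=35720 comm="cupsd" capability=12 capname="net_admin"
[131632.743631] audit: type=1400 audit(1725336006.281:42): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=147785 comm="cupsd" capability=12 capname="net_admin"
'''

# Header of a kernel audit record: audit(<epoch>.<ms>:<serial>): key=value ...
AUDIT_RE = re.compile(r'audit: type=1400 audit\((\d+)\.\d+:(\d+)\): (.*)$')

def parse_denials(text):
    """Return one dict per AppArmor DENIED record; other kernel lines are skipped."""
    out = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue
        # shlex strips the double quotes around values such as name="..."
        fields = dict(tok.split('=', 1) for tok in shlex.split(m.group(3)) if '=' in tok)
        if fields.get('apparmor') != 'DENIED':
            continue
        fields['epoch'], fields['serial'] = int(m.group(1)), int(m.group(2))
        out.append(fields)
    return out

def summarize(denials):
    """Map (profile, comm, operation) to the sorted (object, denied_mask) pairs."""
    groups = defaultdict(set)
    for d in denials:
        # File denials carry name=, capability denials carry capname=
        target = d.get('name') or d.get('capname') or '?'
        groups[(d['profile'], d['comm'], d['operation'])].add((target, d.get('denied_mask', '')))
    return {key: sorted(val) for key, val in groups.items()}

if __name__ == '__main__':
    for (profile, comm, op), targets in summarize(parse_denials(SAMPLE)).items():
        print(f'{profile} (comm={comm}) {op}:')
        for target, mask in targets:
            print(f'    {target} {mask}'.rstrip())
```

    In the grouped output the mysqld process name appears under the mariadbd_akonadi profile, and both cupsd records collapse into a single net_admin capability denial.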
  • From Andrew M.A. Cater@21:1/5 to gene heskett on Tue Sep 3 09:50:01 2024
    On Tue, Sep 03, 2024 at 12:15:22AM -0400, gene heskett wrote:
    > Just got a popup that quickly faded, checked dmesg, found this:

    <auditd snipped>

    > operation="unlink" profile="/usr/bin/akonadiserver"
    > [ 66.987054] logitech-hidpp-device 0003:046D:4094.0008: HID++ 4.5 device connected.
    > kernel.perf_event_max_sample_rate to 49750
    > [72817.527464] Process accounting resumed
    > [112391.466084] perf: interrupt took too long (5054 > 5013), lowering kernel.perf_event_max_sample_rate to 39500

    Keyboard / mouse being added - don't know what the perf error is, but
    if you're monitoring every interrupt and process, that's an overhead
    you maybe can't afford?

    > Config error? real problem? IDK. Machine had huge security update of 115 files + kernel yesterday morning.

    Hi Gene,

    If this is a Debian system: you're aware there was a Debian point release
    over the weekend?

    It looks like you've got four things:

    Akonadi server and akonadi crawling the system - that's KDE or maybe LXQT?

    mariadb_akonadi

    One mention of mysqld - do you have both MariaDB and MySQL running concurrently?

    cupsd

    That's all been picked up by apparmor. If you're not sure what audit is
    giving you, maybe turn it off?

    If you do post a wall of text, please cut it down on replies otherwise
    we all get swamped.

    All best, as ever,

    Andrew Cater
    (amacater@debian.org)


  • From gene heskett@21:1/5 to Andrew M.A. Cater on Tue Sep 3 15:20:01 2024
    On 9/3/24 03:45, Andrew M.A. Cater wrote:
    > On Tue, Sep 03, 2024 at 12:15:22AM -0400, gene heskett wrote:
    >> Just got a popup that quickly faded, checked dmesg, found this:
    >
    > <auditd snipped>
    >
    >> operation="unlink" profile="/usr/bin/akonadiserver"
    >> [ 66.987054] logitech-hidpp-device 0003:046D:4094.0008: HID++ 4.5 device connected.
    >> kernel.perf_event_max_sample_rate to 49750
    >> [72817.527464] Process accounting resumed
    >> [112391.466084] perf: interrupt took too long (5054 > 5013), lowering kernel.perf_event_max_sample_rate to 39500
    >
    > Keyboard / mouse being added - don't know what the perf error is, but
    > if you're monitoring every interrupt and process, that's an overhead
    > you maybe can't afford?
    >
    >> Config error? real problem? IDK. Machine had huge security update of 115
    >> files + kernel yesterday morning.
    >
    > Hi Gene,
    >
    > If this is a Debian system: you're aware there was a Debian point release over the weekend?
    >
    > It looks like you've got four things:
    >
    > Akonadi server and akonadi crawling the system - that's KDE or maybe LXQT?
    >
    > mariadb_akonadi

    Acc htop neither of those is running

    > One mention of mysqld - do you have both MariaDB and MySQL running concurrently?

    No trace in htop

    > cupsd

    cups always

    > That's all been picked up by apparmor. If you're not sure what audit is giving you, maybe turn it off?

    How?
    gene@coyote:~$ man audit
    No manual entry for audit

    > If you do post a wall of text, please cut it down on replies otherwise
    > we all get swamped.

    I wanted to post it all, been accused of snipping too much before.
    The only thing I've a bunch of running is kde5, but the gui is
    supposedly xfce4. plasmashell etc too..

    > All best, as ever,
    >
    > Andrew Cater
    > (amacater@debian.org)



    Cheers, Gene Heskett, CET.
    --
    "There are four boxes to be used in defense of liberty:
    soap, ballot, jury, and ammo. Please use in that order."
    -Ed Howdershelt (Author, 1940)
    If we desire respect for the law, we must first make the law respectable.
    - Louis D. Brandeis
