
Is there a way to override a hat/child profile in an apparmor local override file?

By Joseph Russell

The apparmor profile distributed with 16.04 for ejabberd results in audit entries similar to the following being written to the system log when the ejabberdctl script is executed:

Dec 28 13:44:09 xxx kernel: [846824.223510] audit: type=1400 audit(1482954249.017:51607): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/ejabberdctl//su" name="/bin/su" pid=26155 comm="su" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

If I modify the su hat inside the apparmor profile in /etc/apparmor.d/usr.sbin.ejabberdctl from:

/bin/su r,

to:

/bin/su rm,

then reload the profile, the script no longer segfaults and runs as expected. Instead of having to modify the distributed profile, I'd like to know if this change can be made to /etc/apparmor.d/local/usr.sbin.ejabberdctl. When I tried this before making the change to the distributed profile, I got this error:

# apparmor_parser -r /etc/apparmor.d/usr.sbin.ejabberdctl
Multiple definitions for hat su in profile (null) exist,bailing out.
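
An added example, not part of the original question: a small Python parser that reads AppArmor audit records like the one quoted above, splits the `profile=` field into parent profile and child profile/hat at the `//` separator, and collects the denied permission letters per path. The function names and the second (ALLOWED) log line are constructed for illustration; it assumes plain quoted `name=` values (no hex-encoded paths).

```python
import re
from collections import defaultdict

# Sample input: first line is the denial quoted in the question,
# second line is constructed to show that non-DENIED records are skipped.
SAMPLE_LOG = '''Dec 28 13:44:09 xxx kernel: [846824.223510] audit: type=1400 audit(1482954249.017:51607): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/ejabberdctl//su" name="/bin/su" pid=26155 comm="su" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
Dec 28 13:44:10 xxx kernel: [846825.000001] audit: type=1400 audit(1482954250.001:51608): apparmor="ALLOWED" operation="open" profile="/usr/sbin/ejabberdctl" name="/etc/hosts" pid=26156 comm="sh" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

# key="quoted value" or key=bare_value
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(log_text):
    """Yield the key/value fields of every AppArmor DENIED record."""
    for line in log_text.splitlines():
        fields = {key: quoted or bare for key, quoted, bare in KV.findall(line)}
        if fields.get("apparmor") == "DENIED":
            yield fields


def missing_rules(log_text):
    """Map (parent profile, child/hat or None, path) to the denied permission letters."""
    needed = defaultdict(set)
    for fields in parse_denials(log_text):
        # "/usr/sbin/ejabberdctl//su" -> parent "/usr/sbin/ejabberdctl", child "su"
        parent, _, child = fields["profile"].partition("//")
        needed[(parent, child or None, fields["name"])].update(fields["denied_mask"])
    return {key: "".join(sorted(mask)) for key, mask in needed.items()}


if __name__ == "__main__":
    for (parent, child, path), mask in missing_rules(SAMPLE_LOG).items():
        where = f"child profile/hat '{child}' of {parent}" if child else f"profile {parent}"
        print(f"{where}: denied '{mask}' on {path}")
```
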