I have 33 denied messages in Apparmor message.

Asked by Bernard Stafford

Upon startup I have 33 denied messages on Apparmor. How do I delete the messages from apparmor?
What & how to do this: Prompts this web page: https://wiki.ubuntu.com/DebuggingApparmor
??? Looks to be a bug report.

I figured out how to delete the messages. It is posting them on the left column of the calendar
on the desktop. I pressed the clear all icon. When I open Firefox it still writes a message there.
Could it still be stuck in complain mode and be in enforce mode at the same time?

It once was in complain mode. Now it is in enforce mode.
This is the text from displayed errors in /usr/sbin/rsyslogd file.
20.04 Ubuntu LTS. This is after configuring apparmor to enforce mode in Question # 701372.
Same OS and configurations.
How do I get rid of denied messages in Apparmor?
or Just silence the messages?
Each restart the denied messages increase.

b3@b3-VirtualBox:~$ sudo dmesg | grep apparmor
[sudo] password for b3:
[ 0.898944] evm: security.apparmor
[ 21.301405] audit: type=1400 audit(1650284888.104:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="syslog-ng" pid=586 comm="apparmor_parser"
[ 21.463636] audit: type=1400 audit(1650284888.268:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/totem-audio-preview" pid=590 comm="apparmor_parser"
[ 21.463644] audit: type=1400 audit(1650284888.268:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/totem-video-thumbnailer" pid=590 comm="apparmor_parser"
[ 21.503417] audit: type=1400 audit(1650284888.308:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/snapd/snap-confine" pid=591 comm="apparmor_parser"
[ 21.503426] audit: type=1400 audit(1650284888.308:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=591 comm="apparmor_parser"
[ 21.554257] audit: type=1400 audit(1650284888.356:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="mdnsd" pid=592 comm="apparmor_parser"
[ 21.599078] audit: type=1400 audit(1650284888.400:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe" pid=593 comm="apparmor_parser"
[ 21.599087] audit: type=1400 audit(1650284888.400:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe//kmod" pid=593 comm="apparmor_parser"
[ 21.647481] audit: type=1400 audit(1650284888.452:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/tcpdump" pid=594 comm="apparmor_parser"
[ 21.785478] audit: type=1400 audit(1650284888.588:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-oopslash" pid=595 comm="apparmor_parser"
[ 30.082902] audit: type=1400 audit(1650284896.884:73): apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=755 comm="cups-browsed" capability=23 capname="sys_nice"
[ 80.174219] audit: type=1400 audit(1650284948.349:74): apparmor="DENIED" operation="capable" profile="/snap/snapd/15177/usr/lib/snapd/snap-confine" pid=1445 comm="snap-confine" capability=4 capname="fsetid"
[ 89.708434] audit: type=1107 audit(1650284957.888:76): pid=648 uid=103 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.8" pid=1445 label="snap.snap-store.ubuntu-software" peer_pid=670 peer_label="unconfined"
[ 89.709449] audit: type=1107 audit(1650284957.888:77): pid=648 uid=103 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="CheckAuthorization" mask="send" name=":1.8" pid=1445 label="snap.snap-store.ubuntu-software" peer_pid=670 peer_label="unconfined"
[ 89.873361] audit: type=1107 audit(1650284958.052:78): pid=648 uid=103 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.8" pid=1445 label="snap.snap-store.ubuntu-software" peer_pid=670 peer_label="unconfined"
[ 89.874139] audit: type=1107 audit(1650284958.052:79): pid=648 uid=103 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="CheckAuthorization" mask="send" name=":1.8" pid=1445 label="snap.snap-store.ubuntu-software" peer_pid=670 peer_label="unconfined"
[ 90.885596] audit: type=1400 audit(1650284959.064:80): apparmor="DENIED" operation="open" profile="snap.snap-store.ubuntu-software" name="/etc/PackageKit/Vendor.conf" pid=1445 comm="snap-store" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 125.090593] audit: type=1400 audit(1650284993.267:81): apparmor="DENIED" operation="open" profile="snap.snap-store.ubuntu-software" name="/var/lib/snapd/hostfs/usr/share/gdm/greeter/applications/gnome-initial-setup.desktop" pid=1445 comm="pool-org.gnome." requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 125.221565] audit: type=1400 audit(1650284993.399:82): apparmor="DENIED" operation="open" profile="snap.snap-store.ubuntu-software" name="/var/lib/snapd/hostfs/usr/share/gdm/greeter/applications/gnome-initial-setup.desktop" pid=1445 comm="pool-org.gnome." requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Question information

Language: English
Status: Solved
For: Ubuntu apparmor
Assignee: No assignee
Solved by: Manfred Hampl
Best Manfred Hampl (m-hampl) said :
#1

I do not understand your question.

Your question title:
"I have 33 denied messages in Apparmor message."
Can you please copy/paste these 33 apparmor questions (and nothing else)?
As described in https://wiki.ubuntu.com/DebuggingApparmor
All apparmor messages contain the word "audit"

There is only one single message related to apparmor:
Apr 17 07:42:40 b3-VirtualBox kernel: [ 30.244898] audit: type=1400 audit(1650199360.024:67): apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=793 comm="cups-browsed" capability=23 capname="sys_nice"

Bug #1897369 is already dealing with that message.

All other messages in your question are not coming from apparmor, but from a different source.

What do you mean by
"Earlier this was the messages:
/usr/sbin/rsyslogd
...
"
/usr/sbin/rsyslogd is a program and what you have copy/pasted are the texts inside the binary file.

Bernard Stafford (bernard010) said (last edit ):
#2

I changed the question for the correct output.

How do I silence the messages from Apparmor?

It is not in complain mode.
The messages appear after the startup to the desktop.
Ubuntu 20.04
I included my output with the bug report you furnished.

Manfred Hampl (m-hampl) said (last edit ):
#3

Ok, you have changed the contents of your question, so my comment #1 is no longer fully valid.

AppArmor's task is blocking certain access attempts (when in enforce mode), and whenever there is such a request that does not match the allowed settings, it writes a log message. Why do you want to silence these messages?

What exactly is the problem?
- that apparmor writes messages to the log
or
- that there are access attempts by certain programs that apparmor denies because they do not match the profile of allowed actions?

If you allow everything or disable apparmor, then apparmor will not write any message any more. Is that what you want?

Bernard Stafford (bernard010) said :
#4

The messages are appearing on the desktop and writing them to the log.
I opened settings, went to Notifications and changed the 'do not disturb' slide switch on.
Now the messages quit appearing on the desktop.
Do I need to make more profiles for apparmor ?

Bernard Stafford (bernard010) said :
#5

Thanks Manfred Hampl, that solved my question.

Bernard Stafford (bernard010) said :
#6

I changed from enforce mode to complain mode. Made a new profile for Firefox.
Went back to enforce mode. Used 'sudo aa-logprof' to review the Firefox profiles
that were misbehaving. Thank You for all of your valuable assistance.
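
An added example, not part of the original thread: a small triage script that groups the `apparmor="DENIED"` audit lines discussed above by confined profile, operation and target, so a growing message count reduces to the few distinct denials that need a decision. The sample lines are constructed from the output quoted in the question, and the function names are illustrative.

```python
import re
import sys
from collections import Counter

# Constructed sample, modelled on the dmesg output quoted in the question.
SAMPLE = """\
[ 21.301405] audit: type=1400 audit(1650284888.104:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="syslog-ng" pid=586 comm="apparmor_parser"
[ 30.082902] audit: type=1400 audit(1650284896.884:73): apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=755 comm="cups-browsed" capability=23 capname="sys_nice"
[ 89.708434] audit: type=1107 audit(1650284957.888:76): pid=648 uid=103 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.8" pid=1445 label="snap.snap-store.ubuntu-software" peer_pid=670 peer_label="unconfined"
[ 89.873361] audit: type=1107 audit(1650284958.052:78): pid=648 uid=103 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.8" pid=1445 label="snap.snap-store.ubuntu-software" peer_pid=670 peer_label="unconfined"
[ 90.885596] audit: type=1400 audit(1650284959.064:80): apparmor="DENIED" operation="open" profile="snap.snap-store.ubuntu-software" name="/etc/PackageKit/Vendor.conf" pid=1445 comm="snap-store" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bare; the bare form refuses quotes so that
# msg='apparmor="DENIED" ... (type=1107 D-Bus records) does not swallow the inner fields.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s\'"]+))')

def parse_fields(line):
    """Return the key/value pairs of one audit line (later duplicates win)."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def target(fields):
    """Describe what was denied: a capability, a D-Bus call, or a path."""
    op = fields.get("operation", "?")
    if op == "capable":
        return "cap:" + fields.get("capname", "?")
    if op.startswith("dbus_"):
        return "dbus:%s.%s" % (fields.get("interface", "?"), fields.get("member", "?"))
    return fields.get("name", "?")

def summarize_denials(text):
    """Count DENIED events per (profile, operation, target); STATUS lines are skipped."""
    counts = Counter()
    for line in text.splitlines():
        fields = parse_fields(line)
        if fields.get("apparmor") != "DENIED":
            continue
        # File and capability records name the profile; D-Bus records use label=.
        confined = fields.get("profile") or fields.get("label", "?")
        counts[(confined, fields.get("operation", "?"), target(fields))] += 1
    return counts

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for (profile, op, what), n in summarize_denials(text).most_common():
        print(f"{n:3d}  {profile}  {op}  {what}")
```

Piping the output of `sudo dmesg` into the script summarizes the live kernel log instead of the embedded sample.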