aa-notify doesn't work because of fs permission issue

CaffeineAddict

I installed the aa-notify program, which provides desktop notifications for AppArmor violations; it was installed as part of the apparmor-notify package:
The apparmor-notify package provides desktop notifications (through aa-notify) when a policy violation occurs. The program should start automatically when you login.

aa-notify starts fine on login, however it does not give any desktop notifications. I checked /var/log/syslog to see why, and here is why:
C-like:
aa-notify[1802]: ERROR: Cannot read /var/log/kern.log. Please check permissions.

Obviously it doesn't have permissions to read kern.log, the permissions are as follows:
Bash:
ls -l /var/log/kern.log
-rw-r----- 1 root adm 920712 kol 21 19:58 /var/log/kern.log

The question is what permissions should I give it and how?
One option is to change the kern.log permissions, but this is potential security trouble. I'd prefer to figure out which group aa-notify belongs to and under which username it runs; then it should be easier to change permissions.

Maybe there is a way to run aa-notify under adm group?
What suggestions do you have to fix this?
 


OK, the answer is right in that link I shared, it says this:

  • If auditd is not installed, your user should be a member of the adm Group
  • If auditd is installed, /etc/xdg/autostart/apparmor-notify.desktop should be modified as Exec=sudo aa-notify -p -f /var/log/audit/audit.log

The first option, adding myself to the adm group, seems to produce a different kind of error and outputs a debug file to report a bug.
But the second option to install auditd works fine and no errors are reported in logs.

My desktop entry in /etc/xdg/autostart/aa-notify.desktop now looks like this:

INI:
[Desktop Entry]
Type=Application
Name=AppArmor Notify
Comment=Receive on screen notifications of AppArmor denials
TryExec=/usr/bin/aa-notify
Exec=sudo /usr/bin/aa-notify -p -s 1 -w 60 -f /var/log/audit/audit.log
StartupNotify=false
NoDisplay=true
X-Ubuntu-Gettext-Domain=aa-notify

The problem I have now is that the -s 1 option to aa-notify on the Exec line says to show a summary for the last 1 day, but it doesn't show any.

I suppose no notifications are shown due to no violations, but why doesn't it show the summary upon login?
 
This is what aa-notify.desktop looks like on my system.
Code:
[Desktop Entry]
Type=Application
Name=AppArmor Notify
Comment=Receive on screen notifications of AppArmor denials
TryExec=/usr/bin/aa-notify
Exec=/usr/bin/aa-notify -p -s 1 -w 60
StartupNotify=false
NoDisplay=true
X-Ubuntu-Gettext-Domain=aa-notify

It runs with no problems. My user is in adm.
Code:
craig adm dialout cdrom sudo audio video plugdev games users input render netdev lpadmin sbuild gpio i2c spi

auditd.conf
Code:
# This file controls the configuration of the audit daemon
#

local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = adm
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 200
num_logs = 5
priority_boost = 4
name_format = NONE
##name = mydomain
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
transport = TCP
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no
q_depth = 2000
overflow_action = SYSLOG
max_restarts = 10
plugin_dir = /etc/audit/plugins.d
end_of_event_timeout = 2

One of the things I did was edit /etc/apparmor/parser.conf and uncomment:
Code:
## Turn creating/updating of the cache on by default
write-cache

## Adjust compression
#Optimize=compress-small
Optimize=compress-fast

## Pin feature set (avoid regressions when policy is lagging behind
## the kernel)
policy-features=/usr/share/apparmor-features/features

I followed the Ubuntu wiki/docs to originally set it up a few years ago.
AppArmor Wiki
AppArmor - Community Help Wiki
AppArmor Documentation
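
The permission question from the first post and the adm-group advice in the replies, worked through as an added example (not code from any poster or from the AppArmor project): it reports which permission class lets a user read a log such as kern.log (root:adm, mode 640 in the thread) instead of loosening the file's mode, and flags a group that was granted but is not yet active in the running session. The function names are hypothetical, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example. Values from the thread: kern.log is root:adm, mode 640.

# has_group NAME "SPACE SEPARATED LIST": succeeds if NAME is in the list.
has_group() {
    case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

# access_via OWNER GROUP MODE USER "USER'S GROUPS"
# Prints the permission class that applies to USER and grants read access
# (owner, group:<name> or other), or "none". Root's bypass is not modelled.
access_via() {
    av_mode=000$3
    av_perms=${av_mode#"${av_mode%???}"}     # last three octal digits
    av_rest=${av_perms#?}
    # Only the first matching class counts: owner, then group, then other.
    if [ "$4" = "$1" ]; then
        av_class=owner;      av_digit=${av_perms%??}
    elif has_group "$2" "$5"; then
        av_class="group:$2"; av_digit=${av_rest%?}
    else
        av_class=other;      av_digit=${av_rest#?}
    fi
    # Read permission is the 4 bit of the applicable digit.
    case $av_digit in
        4|5|6|7) echo "$av_class" ;;
        *)       echo none ;;
    esac
}

# needs_relogin GROUP "GROUPS IN ACCOUNT DATABASE" "GROUPS OF THIS PROCESS"
# Succeeds when GROUP was granted but the running session predates the change.
needs_relogin() {
    has_group "$1" "$2" && ! has_group "$1" "$3"
}

# check_log FILE [USER]: apply both checks to a real file and account.
check_log() {
    cl_user=${2:-$(id -un)}
    cl_meta=$(stat -c '%U %G %a' "$1") || return 1
    set -- $cl_meta                          # $1=owner $2=group $3=mode
    cl_db=$(id -nG "$cl_user")               # groups per the account database
    access_via "$1" "$2" "$3" "$cl_user" "$cl_db"
    if [ "$cl_user" = "$(id -un)" ] && needs_relogin "$2" "$cl_db" "$(id -nG)"; then
        echo "note: $2 is not active in this session yet; log in again"
    fi
}
```

With the ownership and mode shown in the first post, `check_log /var/log/kern.log` prints `none` for a non-root user outside adm and `group:adm` for one inside it.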
 
@craigevil
Thank you for sharing your config, I'll compare it to mine tomorrow.

Do you receive a summary every day upon login regardless of whether there are violations or not?
Or do notifications get shown only if there is a violation?

I assume the -s 1 option should show a summary regardless of whether there are AppArmor violations?
 
