[13:03] there is this package, python-bonsai, which has some extensive ldap dep8 tests
[13:03] the setup it does has slapd logging to /var/log/slapd.log, and it did the famous chmod 777 /var/log for it to work
[13:03] of course I'm changing that, but in debian slapd is not confined via apparmor, in ubuntu it is
[13:04] so I'm doing this, and was wondering if you guys had another pattern for checking if a daemon is confined, and then taking some action: https://pastebin.ubuntu.com/p/Z4g8c36ZWM/
[13:04] this has to work in debian as well (I want to keep this package a sync)
[13:05] that /etc/apparmor.d/local/* profile is created by dh_apparmor
[13:05] if it's not there, then this is unlikely ubuntu
[13:07] I have to precreate the log file because slapd runs as openldap:openldap, and can't create files in /var/log
[13:22] ahasenack: aa-unconfined checks /proc/pid/attr/apparmor/current as you did, and it also falls back to /proc/pid/attr/current when apparmor/current does not exist, which I think is for the case when lsm stacking is not available in the kernel, but I'm not 100% sure
[13:23] ah, nice
[13:23] * ahasenack checks aa-unconfined
[13:23] that's from apparmor-utils, usually not installed by default though
[13:24] I could add a dep on it, just wondering if it would be too much for the debian maintainer
[13:26] ahasenack: aa-unconfined lists processes using tcp/udp ports that are not confined, I'm not sure if it's what you're looking for
[13:29] I just want to check if slapd is confined, because if it is, then I need to amend the profile to let it write to /var/log/slapd.log
[13:29] I could assume that, if I'm on ubuntu, I should amend the profile always
[13:29] but then if debian eventually adopts the apparmor profile, the test would fail
[13:30] aa-unconfined looks cleaner though, I'll try that approach, see what the debian maintainer thinks
=== jdstrand_ is now known as jdstrand
[18:42] hm, aa-unconfined isn't that great. I would have to grep its output, and it will only list apps that have open ports
[18:49] ahasenack: there's a --paranoid switch which goes through all the pids in /proc
[18:49] ahasenack: but yes, it's not that great; it started out to help us prepare for a CTF event and never quite got the attention it deserved :)
[18:50] I suspect georgiag mentioned it more as something to steal from :D
[18:50] I was expecting it to be given a process name, or pid perhaps, and return 0 or 1
[18:50] given its name
[18:51] ah!
[19:02] yeah, that was my intention sarnold :)
[19:03] \o/