8
 1 Time(s): audit: type=1400 audit(1473854574.089:113): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=31430 comm="apparmor_parser"

 1 Time(s): audit: type=1400 audit(1473854574.089:114): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd" pid=31430 comm="apparmor_parser"

 1 Time(s): audit: type=1400 audit(1473854574.089:115): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd" pid=31430 comm="apparmor_parser"

Should I be worried?

I'm running Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-36-generic x86_64)

waltinator
  • 36,399
boozedog
  • 103

2 Answers

8

First, it means that you should read man -k apparmor, and the man pages.

Second, the apparmor="STATUS" shows that this is a Status report, reporting on a "profile_replace" operation, replacing the current apparmor profile with the profile="unconfined" profile, on behalf of name="/usr/lib/cups/backend/cups-pdf" pid=31430, name="/usr/sbin/cupsd" pid=31430 and name="/usr/sbin/cupsd" pid=31430, using the apparmor_parser (see man apparmor_parser) command.

In English, this is CUPS - Common Unix Printing System telling AppArmor it wants to execute in the old, "unconfined", "AppArmor don't bother me", mode used by programs that have not adapted to life with AppArmor, yet.

For more information about AppArmor, see "What Is AppArmor?" https://askubuntu.com/questions/236381/what-is-apparmor?rq=1

You do not need to be worried, but a certain level of concern is always appropriate.

waltinator
  • 36,399
  • Thanks for your response. Sounds like the version of CUPS that ships with 14.04.5 is not AppArmor friendly. I don't do any printing on this machine so I'll just uninstall it. – boozedog Sep 16 '16 at 00:10
0

I would beg to differ with waltinator's answer. If a process could say to apparmor "leave me alone" there would not be much point to apparmor, would there?

I have read the manual pages and welcome a citation that applies.

Any time I type "sudo service mysql restart" I see a similar message in syslog... time kernel: audit: type=1400 apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/mysqld" pid=5014 comm="apparmor_parser"

If I then type "sudo aa-status" I see that mysql is in the list "nn processes are in enforce mode" 0 processes are in complain mode. 0 processes are unconfined but have a profile defined.

So I think this rather confusing message is just apparmor saying... I just found a process matching profile="unconfined" and I am going to perform operation="profile_replace".

These messages also appear when the pc is rebooted, presumably for the same reason: apparmor loads first, then as other processes load it confines them.

Also please note if you restart apparmor then all confined processes currently running will be unconfined. Use "sudo service apparmor reload" or reboot after making any apparmor configuration changes.

Matt
  • 139
  • The profile="unconfined" part simply means the apparmor_parser process wasn't itself confined. – sarnold Aug 20 '20 at 20:03
  • Consider how one would distribute a new security tool that will kill a process if it breaks the Rules, but lets/requires developers (for each package) to provide the Rules. The "unconfined" profile lets developers who haven't provided Rules, or gotten their package to "work" with apparmor, get along for now. In the fullness of time, "unconfined" will go away, apparmor will Rule the World. And nothing will work. – waltinator Nov 01 '21 at 19:46
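An added example, not part of the original question, answers or comments: a small Python triage script that splits these audit lines into fields and separates policy (re)load STATUS events from actual denials. It reads profile= on a STATUS line as the confinement of the loading process, as sarnold's comment describes; the function names are hypothetical and the third sample line is constructed for contrast.

```python
import re

# Lines 1-2 are the messages quoted on this page; line 3 is a constructed
# DENIED event (not from the page), included only to contrast with STATUS.
SAMPLE = [
    'audit: type=1400 audit(1473854574.089:113): apparmor="STATUS" '
    'operation="profile_replace" profile="unconfined" '
    'name="/usr/lib/cups/backend/cups-pdf" pid=31430 comm="apparmor_parser"',
    'kernel: audit: type=1400 apparmor="STATUS" operation="profile_replace" '
    'profile="unconfined" name="/usr/sbin/mysqld" pid=5014 comm="apparmor_parser"',
    'audit: type=1400 audit(1473854600.000:120): apparmor="DENIED" '
    'operation="open" profile="/usr/sbin/cupsd" name="/home/user/notes.txt" '
    'pid=900 comm="cupsd" requested_mask="r" denied_mask="r"',
]

# key=value, where the value is either "quoted" or a bare token
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Operations that change loaded policy rather than report on a confined process
POLICY_OPS = {"profile_load", "profile_replace", "profile_remove"}

def parse(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    return {key: (inner if raw.startswith('"') else raw)
            for key, raw, inner in FIELD.findall(line)}

def classify(line):
    """Return (category, summary) for one audit line."""
    f = parse(line)
    kind = f.get("apparmor")
    if kind == "STATUS" and f.get("operation") in POLICY_OPS:
        # name= is the profile being changed; profile= describes the loader
        return ("policy-change",
                f"{f['comm']} (pid {f['pid']}, itself {f['profile']}) "
                f"ran {f['operation']} on profile {f['name']}")
    if kind == "DENIED":
        # here profile= is the confining profile and name= the object accessed
        return ("denial",
                f"{f['comm']} confined by {f['profile']} was denied "
                f"{f['operation']} on {f['name']}")
    return ("other", line)

if __name__ == "__main__":
    for entry in SAMPLE:
        category, summary = classify(entry)
        print(f"{category:14} {summary}")
```

Only the "denial" category reports a confined process being blocked; the "policy-change" lines record apparmor_parser loading or replacing a profile, which matches what aa-status showed in the answer above.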