Running Ubuntu Linux 9.04, and I see these odd log lines in dmesg:
[ 18.673752] type=1505 audit(1240159967.221:2): operation="profile_load" name="/usr/share/gdm/guest-session/Xsession" name2="default" pid=2197 [ 18.730952] type=1505 audit(1240159967.278:3): operation="profile_load" name="/sbin/dhclient-script" name2="default" pid=2201 [ 18.731093] type=1505 audit(1240159967.278:4): operation="profile_load" name="/sbin/dhclient3" name2="default" pid=2201 [ 18.731141] type=1505 audit(1240159967.278:5): operation="profile_load" name="/usr/lib/NetworkManager/nm-dhcp-client.action" name2="default" pid=2201 [ 18.731182] type=1505 audit(1240159967.278:6): operation="profile_load" name="/usr/lib/connman/scripts/dhclient-script" name2="default" pid=2201 [ 18.871720] type=1505 audit(1240159967.417:7): operation="profile_load" name="/usr/lib/cups/backend/cups-pdf" name2="default" pid=2206 [ 18.871913] type=1505 audit(1240159967.417:8): operation="profile_load" name="/usr/sbin/cupsd" name2="default" pid=2206 [ 18.909533] type=1505 audit(1240159967.458:9): operation="profile_load" name="/usr/sbin/tcpdump" name2="default" pid=2210
What generates them, and should I be worried?
Best Answer
It's AppArmor loading it's profiles as applications start up.
For those that don't know, apparmor is similar to selinux in that it monitors and restricts based on a set of profiles, usually configured in
/etc/apparmor.d.The log entries you are seeing are good log entries and are showing that AppArmor is loading up and doing it's thing. Generally you can ignore them but it's always a good idea to remember AppArmor exists as it can bite you.
e.g. I reconfigured MySQL on a Ubuntu system to use
/home/mysqlfor its data files and it wouldn't start, because AppArmor was blocking access to it. The MySQL logs just said "Permission Denied", whereas syslog told me that AppArmor was stopping it.