we have implemented some rbac features using pam_apparmor. This works great with SLES 11SP1 (apparmor 2.3) but fails with SLES 11SP2 (apparmor 2.5.1).
Looking at /var/log/audit/audit.log, I get the following messages:
type=AVC msg=audit(1337709758.374:328): apparmor=“KILLED” operation=“change_hat” parent=6121 profile="/usr/sbin/sshd//root" pid=6719 comm=“sshd” target="/usr/sbin/sshd//root"
type=AVC msg=audit(1337709781.458:329): apparmor=“DENIED” operation=“change_hat” info=“unconfined” error=-1 pid=6722 comm=“cron”
type=AVC msg=audit(1337709781.458:330): apparmor=“DENIED” operation=“change_hat” info=“unconfined” error=-1 pid=6722 comm=“cron”
Some googling tells me the apparmor=“DENIED” messages are superfluous messages that can be ignored.
On the other hand, the apparmor=“KILLED” message has absolutely no match in google (even if I limit the search to that term alone). I noticed an updated kernel (3.0.26-0.7-default), which I installed, but it did not help.
I am about to look at the kernel code itself to get a better idea of what is going on, but I would appreciate if anyone has an idea about it!