To log the internet usage (visited URLs) of my local guest account, I asked the question Monitor visited websites of guest account through any browser and after assigning the guest account the fixed UID 499 and setting up the iptables rule below, I am not getting the wanted log messages in /var/log/kern.log but a message by apparmor that it blocked the logging attempt.
How do I tell AppArmor to allow the guest account (random name, but fixed UID) to log its network usage through iptables?
The iptables rule I have set up:
sudo iptables -A OUTPUT -m owner --uid-owner 499 -j LOG --log-prefix='[GUEST INTERNET ACCESS] '
One example line of the messages that appear in /var/log/kern.log instead (reformatted for better readability):
Nov 18 11:19:22 wolf-pack kernel:
[ 1030.063374] audit: type=1400 audit(1447841962.731:164):
apparmor="DENIED"
operation="connect"
profile="/usr/lib/lightdm/lightdm-guest-session"
name="/run/systemd/journal/stdout"
pid=4693
comm="dbus-daemon"
requested_mask="w"
denied_mask="w"
fsuid=499
ouid=0
Further system information:
$ uname -a
Linux wolf-pack 4.2.0-18-generic #22-Ubuntu SMP Fri Nov 6 18:25:50 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 15.10
Release: 15.10
Codename: wily
$ unity --version
unity 7.3.2
$ apt-cache policy apparmor | grep Installed
Installed: 2.10-0ubuntu6
$ iptables --version
iptables v1.4.21
The output of sudo apparmor_status:
apparmor module is loaded.
23 profiles are loaded.
23 profiles are in enforce mode.
/sbin/dhclient
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-previewer//sanitized_helper
/usr/bin/evince-thumbnailer
/usr/bin/evince-thumbnailer//sanitized_helper
/usr/bin/evince//sanitized_helper
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/cups/backend/cups-pdf
/usr/lib/lightdm/lightdm-guest-session
/usr/lib/lightdm/lightdm-guest-session//chromium
/usr/lib/telepathy/mission-control-5
/usr/lib/telepathy/telepathy-*
/usr/lib/telepathy/telepathy-*//pxgsettings
/usr/lib/telepathy/telepathy-*//sanitized_helper
/usr/lib/telepathy/telepathy-ofono
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/cupsd//third_party
/usr/sbin/ippusbxd
/usr/sbin/tcpdump
0 profiles are in complain mode.
6 processes have profiles defined.
6 processes are in enforce mode.
/sbin/dhclient (1138)
/usr/lib/telepathy/mission-control-5 (4700)
/usr/sbin/cups-browsed (777)
/usr/sbin/cupsd (5626)
/usr/sbin/cupsd (5651)
/usr/sbin/cupsd (5652)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
Best Answer
I think your intention is clear here and in the other question you linked to: log URLs of websites visited by anyone using any application as the guest user.
Suggesting iptables logging to achieve this task isn't correct. iptables (without some obscure, performance-limiting extensions) works on the IP protocol, not on the application level.
I've also seen suggestions in the URLs suggested as comments - responders suggested only capturing packets with SYN flags (new connections). That too, results from a misunderstanding described above.
The way to achieve what you want is:
What I had in mind is described here (not my post). This way you get a web proxy log which has all the HTTP requests logged. You won't get logs related to SSL protected traffic though, which is a good thing.
To reiterate: URLs are not part of the IP or TCP header structure, thus something working on the IP/TCP level isn't going to be able to show you this data, unless it has some TCP dissector (tcpdump/wireshark are able to do this but not iptables alone).