Your message dated Wed, 01 Mar 2023 10:13:08 +0100
with message-id <87356osul7.fsf@manticora>
and subject line Re: [pkg-apparmor] Bug#1030153: complaining
has caused the Debian Bug report #1030153,
regarding journald floods itself with apparmor warnings
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1030153: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030153
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: apparmor
Version: 3.0.8-2
Severity: important
I'm not sure where to lay the blame here, but I can't really use
journalctl since the bookworm upgrade here anymore.
anarcat@marcos:~$ journalctl -n 10| tail -10
jan 31 11:56:02 marcos audit[2208193]: AVC apparmor="ALLOWED" operation="open"
profile="/usr/sbin/sshd//null-/usr/bin/bash//null-/usr/bin/screen//null-/usr/bin/bash//null-/usr/bin/journalctl"
name="/var/log/journal/3840589866da411b178e07aa0000001d/user-1041@3109a3dba85e4c67820c02b55f829e1e-000000000d34f9da-0005f3830e701d7e.journal"
pid=2208193 comm="journalctl" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
jan 31 11:56:02 marcos audit[2208193]: AVC apparmor="ALLOWED" operation="open"
profile="/usr/sbin/sshd//null-/usr/bin/bash//null-/usr/bin/screen//null-/usr/bin/bash//null-/usr/bin/journalctl"
name="/var/log/journal/3840589866da411b178e07aa0000001d/user-1046@52cb1b4160de4973b22b9d1e879ceafe-000000000d1c3822-0005f36d67b663da.journal"
pid=2208193 comm="journalctl" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
jan 31 11:56:02 marcos audit[2208193]: AVC apparmor="ALLOWED" operation="open"
profile="/usr/sbin/sshd//null-/usr/bin/bash//null-/usr/bin/screen//null-/usr/bin/bash//null-/usr/bin/journalctl"
name="/var/log/journal/3840589866da411b178e07aa0000001d/system@c4b260b6361649e1819ca8a888938e1d-000000000d3d0d11-0005f391218d8df8.journal"
pid=2208193 comm="journalctl" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
jan 31 11:56:02 marcos audit[2208193]: AVC apparmor="ALLOWED" operation="open"
profile="/usr/sbin/sshd//null-/usr/bin/bash//null-/usr/bin/screen//null-/usr/bin/bash//null-/usr/bin/journalctl"
name="/var/log/journal/3840589866da411b178e07aa0000001d/user-1041@3109a3dba85e4c67820c02b55f829e1e-000000000d1c23b4-0005f36d51aba5d8.journal"
pid=2208193 comm="journalctl" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
jan 31 11:56:02 marcos audit[2208193]: AVC apparmor="ALLOWED" operation="open"
profile="/usr/sbin/sshd//null-/usr/bin/bash//null-/usr/bin/screen//null-/usr/bin/bash//null-/usr/bin/journalctl"
name="/var/log/journal/3840589866da411b178e07aa0000001d/user-1004@a38efa23684347ef9b31acdaaf262dd8-000000000d2d8e5d-0005f37ebe1948bb.journal"
pid=2208193 comm="journalctl" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
jan 31 11:56:02 marcos audit[2208193]: AVC apparmor="ALLOWED" operation="open"
profile="/usr/sbin/sshd//null-/usr/bin/bash//null-/usr/bin/screen//null-/usr/bin/bash//null-/usr/bin/journalctl"
name="/var/log/journal/3840589866da411b178e07aa0000001d/user-1046.journal"
pid=2208193 comm="journalctl" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
jan 31 11:56:02 marcos audit[2208193]: AVC apparmor="ALLOWED" operation="open"
profile="/usr/sbin/sshd//null-/usr/bin/bash//null-/usr/bin/screen//null-/usr/bin/bash//null-/usr/bin/journalctl"
name="/var/log/journal/3840589866da411b178e07aa0000001d/user-1000@783a473ea10e4ba8b524e790c32932d9-000000000d379eb3-0005f389ebe36e8a.journal"
pid=2208193 comm="journalctl" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
jan 31 11:56:02 marcos audit[2208193]: AVC apparmor="ALLOWED" operation="open"
profile="/usr/sbin/sshd//null-/usr/bin/bash//null-/usr/bin/screen//null-/usr/bin/bash//null-/usr/bin/journalctl"
name="/var/log/journal/3840589866da411b178e07aa0000001d/user-1004@a38efa23684347ef9b31acdaaf262dd8-000000000d24946f-0005f37de770b945.journal"
pid=2208193 comm="journalctl" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
jan 31 11:56:02 marcos audit[2208193]: AVC apparmor="ALLOWED" operation="open"
profile="/usr/sbin/sshd//null-/usr/bin/bash//null-/usr/bin/screen//null-/usr/bin/bash//null-/usr/bin/journalctl"
name="/var/log/journal/3840589866da411b178e07aa0000001d/user-1000@783a473ea10e4ba8b524e790c32932d9-000000000d38d511-0005f38e27865a08.journal"
pid=2208193 comm="journalctl" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
jan 31 11:56:02 marcos audit[2208193]: AVC apparmor="ALLOWED" operation="open"
profile="/usr/sbin/sshd//null-/usr/bin/bash//null-/usr/bin/screen//null-/usr/bin/bash//null-/usr/bin/journalctl"
name="/var/log/journal/3840589866da411b178e07aa0000001d/system@c4b260b6361649e1819ca8a888938e1d-000000000d3a15fc-0005f390ce56bd38.journal"
pid=2208193 comm="journalctl" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
I'm not sure it's journalctl that's at fault here, but I can't really
use it at all anymore. I am not sure either if it's journald triggering
this, or journalctl, but I regularly get this error in dmesg:
[jan31 11:53] systemd-journald[1071826]: Data hash table of
/var/log/journal/3840589866da411b178e07aa0000001d/system.journal has a fill
level at 75.0 (174765 of 233016 items, 67108864 file size, 383 bytes per hash
table item), suggesting rotation.
[ +0,023450] systemd-journald[1071826]:
/var/log/journal/3840589866da411b178e07aa0000001d/system.journal: Journal
header limits reached or header out-of-date, rotating.
Anyone else seeing this? What's up with that "profile" line anyways?
-- System Information:
Debian Release: bookworm/sid
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'testing'), (1, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-1-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages apparmor depends on:
ii debconf [debconf-2.0] 1.5.82
ii libc6 2.36-8
apparmor recommends no packages.
Versions of packages apparmor suggests:
ii apparmor-profiles-extra 1.35
ii apparmor-utils 3.0.8-2
-- debconf information:
apparmor/homedirs:
--- End Message ---
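What the "profile" line in the report above is saying: `apparmor="ALLOWED"` means the profile that made the decision is in complain mode, so the access was logged but not blocked (in enforce mode the same event would be `DENIED`, and `denied_mask="r"` is the access that would have been refused). The `//` separators build a stack of profiles, and each `null-/path` component is a learning-mode placeholder that AppArmor creates when a complain-mode profile executes a binary it has no exec rule for. Read from the left, the chain says the sshd profile is in complain mode, it ran bash, which ran screen, which ran bash, which ran journalctl, and every journal file journalctl opens is attributed back to the sshd profile and logged, which is the flood. The following script is an added example, not code from the bug report or from the apparmor project: it parses such audit lines, collapses each record to the profile that actually decided it, and counts how many events were allowed only because of complain mode, so an administrator can see which profile to take out of complain mode or unload. The sample lines are constructed in the shape of the ones above (journal file names shortened), and `/usr/sbin/example-daemon` is a hypothetical enforce-mode profile added so that both decisions are exercised.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input modelled on the lines in the bug report (journal file
# names shortened). The "systemd[1]" line and the hypothetical
# "/usr/sbin/example-daemon" DENIED record are not from the report.
SAMPLE_LOG = """\
jan 31 11:56:02 marcos audit[2208193]: AVC apparmor="ALLOWED" operation="open" profile="/usr/sbin/sshd//null-/usr/bin/bash//null-/usr/bin/screen//null-/usr/bin/bash//null-/usr/bin/journalctl" name="/var/log/journal/3840589866da411b178e07aa0000001d/user-1041.journal" pid=2208193 comm="journalctl" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
jan 31 11:56:02 marcos audit[2208193]: AVC apparmor="ALLOWED" operation="open" profile="/usr/sbin/sshd//null-/usr/bin/bash//null-/usr/bin/screen//null-/usr/bin/bash//null-/usr/bin/journalctl" name="/var/log/journal/3840589866da411b178e07aa0000001d/system.journal" pid=2208193 comm="journalctl" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
jan 31 11:56:03 marcos audit[2208193]: AVC apparmor="ALLOWED" operation="open" profile="/usr/sbin/sshd//null-/usr/bin/bash//null-/usr/bin/screen//null-/usr/bin/bash//null-/usr/bin/journalctl" name="/var/log/journal/3840589866da411b178e07aa0000001d/user-1000.journal" pid=2208193 comm="journalctl" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
jan 31 11:56:03 marcos systemd[1]: Started Session 42 of user example.
jan 31 11:56:04 marcos audit[2208300]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/example-daemon" name="/etc/shadow" pid=2208300 comm="example-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bareword, as printed by the audit subsystem
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_avc(line):
    """Return the key/value fields of one AppArmor AVC audit line, or None
    if the line is not an AVC record."""
    idx = line.find(' AVC apparmor=')
    if idx < 0:
        return None
    fields = {}
    for m in KV_RE.finditer(line[idx + 1:]):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def profile_chain(profile):
    """Split a profile name on '//' into its stack of (sub)profiles. A component
    starting with 'null-' is a learning-mode placeholder: the parent was in
    complain mode and executed a binary it had no exec rule for."""
    return profile.split('//')


def deciding_profile(profile):
    """The profile whose policy (and mode) produced the event: the outermost one."""
    return profile_chain(profile)[0]


def is_learning_chain(profile):
    """True if any component of the chain is a complain-mode 'null-' placeholder."""
    return any(c.startswith('null-') for c in profile_chain(profile))


def summarize(log_text):
    """Count AVC records per (deciding profile, decision) and collect, per profile,
    the distinct accesses that were ALLOWED only because of complain mode
    (they carry a denied_mask, so enforce mode would refuse them)."""
    counts = Counter()
    would_block = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        root = deciding_profile(rec['profile'])
        counts[(root, rec['apparmor'])] += 1
        if rec['apparmor'] == 'ALLOWED' and rec.get('denied_mask'):
            would_block[root].add((rec.get('comm'), rec.get('operation'), rec.get('name')))
    return counts, would_block


def noisiest_complain_profile(log_text):
    """Name of the complain-mode profile producing the most ALLOWED records,
    i.e. the one to fix, set to enforce, or unload."""
    counts, _ = summarize(log_text)
    allowed = {p: n for (p, d), n in counts.items() if d == 'ALLOWED'}
    return max(allowed, key=allowed.get) if allowed else None


if __name__ == '__main__':
    counts, would_block = summarize(SAMPLE_LOG)
    for (profile, decision), n in sorted(counts.items()):
        print(f'{n:5d} {decision:8s} {profile}')
    for profile, accesses in would_block.items():
        print(f'{profile}: {len(accesses)} distinct accesses would be DENIED in enforce mode')
    print('noisiest complain-mode profile:', noisiest_complain_profile(SAMPLE_LOG))
```

Run it against real data with `journalctl -k -o cat | python3 avc_summary.py` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; the profile it names is the one to look for in `/etc/apparmor.d/`, which in this report is the copied sshd profile the maintainer refers to in the reply.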
--- Begin Message ---
Hi,
I understand the bug was caused by a manually enabled old & buggy
profile, shipped by apparmor-profiles somewhere in /usr. This bug
cannot be retroactively fixed: once manually copied to /etc, this is
not even a conffile. So I'm going to close this bug as non-actionable.
This being said:
I acknowledge the way we're distributing policy has great potential
for confusion. My last (cheap) attempt to improve this was to update
the description of the apparmor-profiles package, to set clear
expectations about what users can expect from policy shipped in there,
such as the sshd one you've enthusiastically deployed a long time ago:
apparmor-profiles provides various experimental AppArmor profiles.
Do not expect these profiles to work out-of-the-box.
.
These profiles are not mature enough to be shipped in enforce mode by
default on Debian. They are shipped in complain mode so that users
can test them, choose which are desired, and help improve them
upstream if needed.
.
Some even more experimental profiles are included in
/usr/share/doc/apparmor-profiles/extras/.
My capacity and motivation for AppArmor work is not high at the moment
(see the RFH bug), but I'm happy to implement cheap incremental
improvements to this situation.
Cheers,
--
intrigeri
--- End Message ---