Control: severity -1 minor
Control: tag -1 + upstream

Hi,

Elliott Mitchell (2020-06-14):
> [######.######] audit: type=1400 audit(####################):
> apparmor="ALLOWED" operation="open" profile="syslog-ng"
> name="/proc/<misc-pid>/cmdline" pid=<syslog-ng-pid> comm="syslog-ng"
> requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> [######.######] audit: type=1400 audit(####################):
> apparmor="ALLOWED" operation="open" profile="syslog-ng"
> name="/proc/<misc-pid>/loginuid" pid=<syslog-ng-pid> comm="syslog-ng"
> requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> [######.######] audit: type=1400 audit(####################):
> apparmor="ALLOWED" operation="open" profile="syslog-ng"
> name="/proc/<misc-pid>/sessionid" pid=<syslog-ng-pid> comm="syslog-ng"
> requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>
> I'm cautiously optimistic this is due to the AppArmor profile for
> syslog-ng being incomplete and not someone having broken into this
> machine and done something to syslog-ng.

It looks like it, indeed.

Please report upstream any problem with an AppArmor profile that is
included in the apparmor-profiles package:

https://gitlab.com/apparmor/apparmor/-/issues

The apparmor-profiles package exists solely to provide a way for users
to test these experimental profiles and help improve them upstream if
needed. Do not expect these profiles to work out-of-the-box.