Hey Georgia! Sorry for the delay in writing back to you, I've been on a mix of PTO and sick leave the last couple of weeks...
I've prepared an MP to actually add the relevant config snippet (`/dev/console rw,`) into `/etc/apparmor.d/usr.sbin.rsyslogd` in our cloud bootstrap, tested it and it all seems well. However, John (on our team) made a good point that the AppArmor profile may not have this snippet by design - I understand you guys in Security would probably have the most oversight into this currently, so before I merge the code, do you see any issues with us forcing the profile to accept rw access to /dev/console? If so that's cool, I just want to check seeing as this profile is only now being enabled in Lunar :)

-- 
https://bugs.launchpad.net/bugs/2009230

Title:
  AppArmor denials for rsyslog

Status in gce-compute-image-packages package in Ubuntu:
  New
Status in rsyslog package in Ubuntu:
  New
Status in gce-compute-image-packages source package in Lunar:
  New
Status in rsyslog source package in Lunar:
  New

Bug description:
  The AppArmor profile for rsyslog, which had been disabled on previous
  Ubuntu versions, was enabled in lunar.

  The package google-compute-engine added a config file to rsyslog which
  requires rw access to /dev/console

  google:ubuntu-23.04-64 /root# cat /etc/rsyslog.d/90-google.conf
  # Google Compute Engine default console logging.
  #
  # daemon: logging from Google provided daemons.
  # kern: logging information in case of an unexpected crash during boot.
  #
  daemon,kern.* /dev/console

  google:ubuntu-23.04-64 /root# apt-file search /etc/rsyslog.d/90-google.conf
  google-compute-engine: /etc/rsyslog.d/90-google.conf

  So in gce cloud images, we are getting the following denials:

  [ 1500.302082] audit: type=1400 audit(1677876883.728:495): apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/dev/console" pid=603 comm=72733A6D61696E20513A526567 requested_mask="ac" denied_mask="ac" fsuid=101 ouid=0

  To fix it, we just need to add

    /dev/console rw,

  to /etc/apparmor.d/usr.sbin.rsyslogd

  or the same permission should be added to a file in
  /etc/apparmor.d/rsyslog.d/ by the google-compute-engine package
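
Added example (not part of the original message, the bug report or any Ubuntu package): a small Python parser for the denial line quoted in the bug description, which decodes the hex-encoded `comm` field and spells out the mask letters. The function names and the second, non-denial log line are constructed for illustration.

```python
import re

# Letters AppArmor prints in requested_mask / denied_mask for file access.
MASK_NAMES = {"r": "read", "w": "write", "a": "append", "c": "create",
              "d": "delete", "x": "exec", "m": "mmap", "k": "lock", "l": "link"}
# Fields the audit subsystem hex-encodes (unquoted) when the string
# contains spaces or other special characters, e.g. thread names.
HEX_ENCODABLE = {"comm", "name", "profile", "info"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# First line is the denial from the bug report; second is constructed.
SAMPLE_LOG = [
    '[ 1500.302082] audit: type=1400 audit(1677876883.728:495): '
    'apparmor="DENIED" operation="open" class="file" profile="rsyslogd" '
    'name="/dev/console" pid=603 comm=72733A6D61696E20513A526567 '
    'requested_mask="ac" denied_mask="ac" fsuid=101 ouid=0',
    '[ 1500.400000] audit: type=1400 audit(1677876883.900:496): '
    'apparmor="STATUS" operation="profile_load" name="rsyslogd" pid=610',
]


def parse_denial(line):
    """Return a dict of decoded fields for an AppArmor denial, else None."""
    raw = dict(FIELD_RE.findall(line))
    if raw.get("apparmor") != '"DENIED"':
        return None
    out = {}
    for key, val in raw.items():
        if val.startswith('"'):
            out[key] = val[1:-1]  # quoted value: strip the quotes
        elif key in HEX_ENCODABLE and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", val):
            out[key] = bytes.fromhex(val).decode("utf-8", "replace")
        else:
            out[key] = val  # numeric fields such as pid, fsuid, ouid
    out["denied"] = [MASK_NAMES.get(c, c) for c in out.get("denied_mask", "")]
    return out


def summarize(lines):
    """One readable line per denial found in the log lines."""
    hits = filter(None, map(parse_denial, lines))
    return ["{profile} ({comm}, pid {pid}) denied {perms} on {name}".format(
        perms="+".join(d["denied"]), **d) for d in hits]


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

For the line from the bug report, the decoded `comm` is the rsyslog main queue worker thread, and the denied mask `ac` expands to append and create on /dev/console.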