And once allowing reading the directory, the contents should also be
allowed:

[Sun Sep  1 16:00:46 2024] audit: type=1400 audit(1724157515.788:5238):
apparmor="DENIED" operation="open" class="file" profile="rsyslogd"
name="/run/systemd/sessions/2" pid=1873 comm=72733A6D61696E20513A526567
requested_mask="r" denied_mask="r" fsuid=102 ouid=0


So this is what I came up with:
--- a/debian/usr.sbin.rsyslogd
+++ b/debian/usr.sbin.rsyslogd
@@ -26,6 +26,11 @@ profile rsyslogd /usr/sbin/rsyslogd {
   /etc/rsyslog.d/ r,
   /etc/rsyslog.d/** r,
   /{,var/}run/rsyslogd.pid{,.tmp} rwk,
+
+  # LP: #2056768
+  /{,var/}run/systemd/sessions/ r,
+  /{,var/}run/systemd/sessions/* r,
+
   /var/spool/rsyslog/ r,
   /var/spool/rsyslog/** rwk,
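
Review bot: the comment above the two new `/{,var/}run/systemd/sessions/` rules gives only the bug number, so someone reading the profile later cannot tell why rsyslogd needs read access there. Add a one-line reason next to `# LP: #2056768`, for example that these are the paths denied in the audit records. The `*` glob (rather than `**`) limits the grant to direct entries of the directory, which matches the denied name `/run/systemd/sessions/2`, and `r` matches `requested_mask="r"`. The added blank `+` lines before and after the block break the profile's otherwise blank-line-free run of rules in this hunk and could be dropped.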


** Changed in: rsyslog (Ubuntu)
     Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Changed in: rsyslog (Ubuntu)
       Status: Confirmed => In Progress

https://bugs.launchpad.net/bugs/2056768

Title:
  apparmor="DENIED" operation="open" class="file" profile="rsyslogd"
  name="/run/systemd/sessions/"

Status in rsyslog package in Ubuntu:
  In Progress
Status in rsyslog source package in Noble:
  Confirmed

Bug description:
  There is an AppArmor regression in current noble. In cockpit we
  recently started to test on noble (to prevent the "major regressions
  after release" fiasco from 23.10 again).

  For some weird reason, rsyslog is installed *by default* [1] in the
  cloud images. That is a rather pointless waste of CPU and disk space,
  as it's an unnecessary running daemon and duplicates all the written
  logs.

  But more specifically, we noticed [2] an AppArmor rejection.
  Reproducer is simple:

      logger -p user.emerg --tag check-journal EMERGENCY_MESSAGE

  this causes

      type=1400 audit(1710168739.345:108): apparmor="DENIED"
      operation="open" class="file" profile="rsyslogd"
      name="/run/systemd/sessions/" pid=714 comm=72733A6D61696E20513A526567
      requested_mask="r" denied_mask="r" fsuid=102 ouid=0

  Note that it doesn't actually fail, the "EMERGENCY_MESSAGE" does
  appear in the journal and also in /var/log/syslog. But it's some noise
  that triggers our (and presumably other admins') log detectors.

  
  rsyslog 8.2312.0-3ubuntu3
  apparmor 4.0.0~alpha4-0ubuntu1


  [1] https://cloud-images.ubuntu.com/daily/server/noble/current/noble-server-cloudimg-amd64.manifest
  [2] https://cockpit-logs.us-east-1.linodeobjects.com/pull-6048-20240311-125838-b465e9b2-ubuntu-stable-other-cockpit-project-cockpit/log.html#118
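
Added example, not part of the bug report or of the rsyslog packaging: a small Python parser for the two audit records quoted in this thread. It decodes the hex-encoded `comm` field and derives a candidate rule in the profile's `/{,var/}run` spelling. The function names are hypothetical.

```python
import re

# Audit records quoted in this bug report, re-joined onto one line each.
SAMPLE = [
    '[Sun Sep  1 16:00:46 2024] audit: type=1400 audit(1724157515.788:5238): '
    'apparmor="DENIED" operation="open" class="file" profile="rsyslogd" '
    'name="/run/systemd/sessions/2" pid=1873 comm=72733A6D61696E20513A526567 '
    'requested_mask="r" denied_mask="r" fsuid=102 ouid=0',
    'type=1400 audit(1710168739.345:108): apparmor="DENIED" operation="open" '
    'class="file" profile="rsyslogd" name="/run/systemd/sessions/" pid=714 '
    'comm=72733A6D61696E20513A526567 requested_mask="r" denied_mask="r" '
    'fsuid=102 ouid=0',
]

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, or None."""
    fields = {}
    for key, raw, quoted in FIELD.findall(line):
        if raw.startswith('"'):
            fields[key] = quoted
        elif key in ("comm", "name") and HEX.fullmatch(raw):
            # Unquoted string fields are hex-encoded (here comm contains a space).
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    return fields if fields.get("apparmor") == "DENIED" else None

def candidate_rule(fields):
    """Rule text for the denied path, using the profile's /{,var/}run spelling."""
    path = fields["name"]
    if path.startswith("/run/"):
        path = "/{,var/}run/" + path[len("/run/"):]
    return f"  {path} {fields['denied_mask']},"

def review(lines):
    """Yield (profile, thread name, candidate rule) for each denial found."""
    for line in lines:
        fields = parse_denial(line)
        if fields:
            yield fields["profile"], fields["comm"], candidate_rule(fields)

if __name__ == "__main__":
    for profile, comm, rule in review(SAMPLE):
        print(f"{profile} [{comm}]: {rule}")
```

The candidate names the exact denied path; whether to widen it to a glob such as the patch's `sessions/*` is still a reviewer's decision.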
