[Bug 2009230] Re: AppArmor denials for rsyslog

Georgia Garcia 2009230 at bugs.launchpad.net
Fri Mar 3 21:19:32 UTC 2023


** Also affects: gce-compute-image-packages (Ubuntu)
   Importance: Undecided
       Status: New

** Description changed:

  The AppArmor profile for rsyslog, which had been disabled on previous
  Ubuntu versions, was enabled in lunar.
  
  The package google-compute-engine added a config file to rsyslog which
  requires rw access to /dev/console
  
  google:ubuntu-23.04-64 /root# cat /etc/rsyslog.d/90-google.conf
  # Google Compute Engine default console logging.
  #
  # daemon: logging from Google provided daemons.
  # kern: logging information in case of an unexpected crash during boot.
  #
  daemon,kern.* /dev/console
  
  google:ubuntu-23.04-64 /root# apt-file search /etc/rsyslog.d/90-google.conf
  google-compute-engine: /etc/rsyslog.d/90-google.conf
  
  So in gce cloud images, we are getting the following denials:
  
  [ 1500.302082] audit: type=1400 audit(1677876883.728:495):
  apparmor="DENIED" operation="open" class="file" profile="rsyslogd"
  name="/dev/console" pid=603 comm=72733A6D61696E20513A526567
  requested_mask="ac" denied_mask="ac" fsuid=101 ouid=0
  
+ To fix it, we just need to add
+   /dev/console rw,
+ to /etc/apparmor.d/usr.sbin.rsyslogd
  
- To fix it, we just need to add 
-   /dev/console rw,
- to /etc/apparmor.d/usr.sbin.rsyslogd
+ or the same permission should be added to a file in
+ /etc/apparmor.d/rsyslog.d/ by the google-compute-engine package
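
Review bot: the proposed rule `/dev/console rw,` grants more than the quoted denial asked for: the audit record shows requested_mask="ac" and denied_mask="ac", with no read request, so it is worth checking whether a write-only rule (`/dev/console w,`) is sufficient before granting read as well. Of the two options listed, the drop-in under /etc/apparmor.d/rsyslog.d/ shipped by google-compute-engine keeps the extra permission tied to the package that installs 90-google.conf, instead of widening /etc/apparmor.d/usr.sbin.rsyslogd for every rsyslog installation.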

** Also affects: rsyslog (Ubuntu Lunar)
   Importance: Undecided
       Status: New

** Also affects: gce-compute-image-packages (Ubuntu Lunar)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to rsyslog in Ubuntu.
https://bugs.launchpad.net/bugs/2009230

Title:
  AppArmor denials for rsyslog

Status in gce-compute-image-packages package in Ubuntu:
  New
Status in rsyslog package in Ubuntu:
  New
Status in gce-compute-image-packages source package in Lunar:
  New
Status in rsyslog source package in Lunar:
  New

Bug description:
  The AppArmor profile for rsyslog, which had been disabled on previous
  Ubuntu versions, was enabled in lunar.

  The package google-compute-engine added a config file to rsyslog which
  requires rw access to /dev/console

  google:ubuntu-23.04-64 /root# cat /etc/rsyslog.d/90-google.conf
  # Google Compute Engine default console logging.
  #
  # daemon: logging from Google provided daemons.
  # kern: logging information in case of an unexpected crash during boot.
  #
  daemon,kern.* /dev/console

  google:ubuntu-23.04-64 /root# apt-file search /etc/rsyslog.d/90-google.conf
  google-compute-engine: /etc/rsyslog.d/90-google.conf

  So in gce cloud images, we are getting the following denials:

  [ 1500.302082] audit: type=1400 audit(1677876883.728:495):
  apparmor="DENIED" operation="open" class="file" profile="rsyslogd"
  name="/dev/console" pid=603 comm=72733A6D61696E20513A526567
  requested_mask="ac" denied_mask="ac" fsuid=101 ouid=0

  To fix it, we just need to add
    /dev/console rw,
  to /etc/apparmor.d/usr.sbin.rsyslogd

  or the same permission should be added to a file in
  /etc/apparmor.d/rsyslog.d/ by the google-compute-engine package

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gce-compute-image-packages/+bug/2009230/+subscriptions
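
An added example (not part of the bug report and not Ubuntu or AppArmor tooling): a small Python parser for the denial quoted above that decodes the hex-encoded comm field and derives the narrowest file rule covering denied_mask. The function names and the mask-to-permission mapping are assumptions of this example.

```python
import re

# Constructed sample: the denial quoted in the report, joined onto one line.
SAMPLE = ('[ 1500.302082] audit: type=1400 audit(1677876883.728:495): '
          'apparmor="DENIED" operation="open" class="file" profile="rsyslogd" '
          'name="/dev/console" pid=603 comm=72733A6D61696E20513A526567 '
          'requested_mask="ac" denied_mask="ac" fsuid=101 ouid=0')

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# String fields that audit writes unquoted, as hex, when they hold spaces,
# quotes or control characters (here the thread name contains a space).
HEX_CAPABLE = {"comm", "name", "profile"}
# Log mask letter -> profile permission. Mapping c (create) and d (delete)
# to w is this example's conservative choice, since w covers both.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "x": "x", "m": "m", "l": "l", "k": "k"}


def parse_denial(line):
    """Return the key/value fields of an apparmor="DENIED" record, or None."""
    fields = {}
    for key, raw in FIELD.findall(line):
        if raw.startswith('"'):
            value = raw[1:-1]                      # quoted: literal string
        elif key in HEX_CAPABLE and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
            value = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            value = raw                            # numbers such as pid, fsuid
        fields[key] = value
    return fields if fields.get("apparmor") == "DENIED" else None


def suggest_rule(fields):
    """Narrowest file rule that covers denied_mask for the denied path."""
    perms = {MASK_TO_PERM[c] for c in fields["denied_mask"] if c in MASK_TO_PERM}
    if "w" in perms:
        perms.discard("a")  # w already includes append; a rule cannot hold both
    return "%s %s," % (fields["name"],
                       "".join(p for p in "rwalkmx" if p in perms))


if __name__ == "__main__":
    record = parse_denial(SAMPLE)
    print("thread:", record["comm"])
    print("rule:  ", suggest_rule(record))
```

For the sample record this yields a write-only rule, which can be compared against the `rw` rule proposed in the report before either is put in a profile.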