[Bug 2009230] Re: AppArmor denials for rsyslog
Chloé Smith
2009230 at bugs.launchpad.net
Thu Mar 23 01:18:13 UTC 2023
Hey Georgia!

Sorry for the delay in writing back to you, I've been on a mix of PTO
and sick leave the last couple of weeks...

I've prepared a MP to actually add the relevant config snippet
(`/dev/console rw,`) into `/etc/apparmor.d/usr.sbin.rsyslogd` in our
cloud bootstrap, tested it and it all seems well.

However, John (on our team) made a good point that the AppArmor profile
may not have this snippet by design - I understand you guys in Security
would probably have the most oversight into this currently so before I
merge the code do you see any issues with us forcing the profile to
accept rw access to /dev/console? If so that's cool, I just want to
check seeing as this profile is only now being enabled in Lunar :)

--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to rsyslog in Ubuntu.
https://bugs.launchpad.net/bugs/2009230

Title:
  AppArmor denials for rsyslog

Status in gce-compute-image-packages package in Ubuntu:
  New
Status in rsyslog package in Ubuntu:
  New
Status in gce-compute-image-packages source package in Lunar:
  New
Status in rsyslog source package in Lunar:
  New

Bug description:
  The AppArmor profile for rsyslog, which had been disabled on previous
  Ubuntu versions, was enabled in lunar.

  The package google-compute-engine added a config file to rsyslog which
  requires rw access to /dev/console

    google:ubuntu-23.04-64 /root# cat /etc/rsyslog.d/90-google.conf
    # Google Compute Engine default console logging.
    #
    # daemon: logging from Google provided daemons.
    # kern: logging information in case of an unexpected crash during boot.
    #
    daemon,kern.* /dev/console
    google:ubuntu-23.04-64 /root# apt-file search /etc/rsyslog.d/90-google.conf
    google-compute-engine: /etc/rsyslog.d/90-google.conf

  So in gce cloud images, we are getting the following denials:

    [ 1500.302082] audit: type=1400 audit(1677876883.728:495): apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/dev/console" pid=603 comm=72733A6D61696E20513A526567 requested_mask="ac" denied_mask="ac" fsuid=101 ouid=0

  To fix it, we just need to add

    /dev/console rw,

  to /etc/apparmor.d/usr.sbin.rsyslogd

  or the same permission should be added to a file in
  /etc/apparmor.d/rsyslog.d/ by the google-compute-engine package
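
Added example (not part of the original message or of any Ubuntu/AppArmor tooling): a small triage helper that parses the denial record quoted in the bug description, decodes the hex-encoded comm field, and derives the narrowest file rule that this one record justifies, which can be narrower than the rw discussed above. The function names and the folding of the log-only letters c/d into w are assumptions of this example.

```python
import re

# Constructed input: the denial from the bug description, joined onto one line.
SAMPLE = (
    '[ 1500.302082] audit: type=1400 audit(1677876883.728:495): '
    'apparmor="DENIED" operation="open" class="file" profile="rsyslogd" '
    'name="/dev/console" pid=603 comm=72733A6D61696E20513A526567 '
    'requested_mask="ac" denied_mask="ac" fsuid=101 ouid=0')

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key=value fields of one AppArmor audit record as a dict."""
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        fields[key] = bare or quoted
        # audit writes comm unquoted and hex-encoded when it contains spaces etc.
        if key == "comm" and bare:
            try:
                fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
            except ValueError:
                pass  # not hex after all: keep the raw value
    return fields

def suggest_rule(fields):
    """Narrowest file rule covering one DENIED file-class record, else None."""
    name = fields.get("name")
    if fields.get("apparmor") != "DENIED" or fields.get("class") != "file" or not name:
        return None
    perms = set()
    for letter in fields.get("denied_mask", ""):
        if letter in "cd":          # assumption: create/delete have no rule letter, use w
            perms.add("w")
        elif letter in "rwaklm":
            perms.add(letter)
        else:
            return None             # e.g. x needs a transition mode; do not guess one
    if "w" in perms:
        perms.discard("a")          # w and a are mutually exclusive in a rule
    if not perms:
        return None
    return f'{name} {"".join(p for p in "rwaklm" if p in perms)},'

if __name__ == "__main__":
    rec = parse_denial(SAMPLE)
    print(rec["profile"], repr(rec["comm"]), rec["denied_mask"])
    print(suggest_rule(rec))
```
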