[Bug 2056768] Re: apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/run/systemd/sessions/"
Jarno P
2056768 at bugs.launchpad.net
Tue Aug 20 10:32:17 UTC 2024
I confirm having the same issue on a baremetal x86_amd64 server running
Ubuntu 24.04 LTS (automatic updates on).
syslog gets occasional line pairs like this:
```
2024-08-16T13:25:25.532537+03:00 hostname kernel: __common_interrupt: 5.36 No irq handler for vector
2024-08-16T13:25:25.542460+03:00 hostname kernel: audit: type=1400 audit(1723803925.541:163): apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/run/systemd/sessions/" pid=2705 comm=72733A6D61696E20513A526567 requested_mask="r" denied_mask="r" fsuid=101 ouid=0
...
2024-08-17T05:52:58.123033+03:00 hostname kernel: __common_interrupt: 3.36 No irq handler for vector
2024-08-17T05:52:58.128463+03:00 hostname kernel: audit: type=1400 audit(1723863178.125:165): apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/run/systemd/sessions/" pid=2705 comm=72733A6D61696E20513A526567 requested_mask="r" denied_mask="r" fsuid=101 ouid=0
...
2024-08-19T11:47:28.122187+03:00 hostname kernel: __common_interrupt: 5.37 No irq handler for vector
2024-08-19T11:47:28.126460+03:00 hostname kernel: audit: type=1400 audit(1724057248.124:169): apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/run/systemd/sessions/" pid=2705 comm=72733A6D61696E20513A526567 requested_mask="r" denied_mask="r" fsuid=101 ouid=0
```
The "No irq handler for vector" occurs before every apparmor=DENIED
(rsyslog) line, and only then.
## Versions
```
Package: rsyslog
Architecture: amd64
Version: 8.2312.0-3ubuntu9

Package: apparmor
Architecture: amd64
Version: 4.0.0-beta3-0ubuntu3
```
https://bugs.launchpad.net/bugs/2056768
Title:
apparmor="DENIED" operation="open" class="file" profile="rsyslogd"
name="/run/systemd/sessions/"
Status in rsyslog package in Ubuntu:
Confirmed
Status in rsyslog source package in Noble:
Confirmed
Bug description:
There is an AppArmor regression in current noble. In cockpit we
recently started to test on noble (to prevent the "major regressions
after release" fiasco from 23.10 again).
For some weird reason, rsyslog is installed *by default* [1] in the
cloud images. That is a rather pointless waste of CPU and disk space,
as it's an unnecessary running daemon and duplicates all the written
logs.
But more specifically, we noticed [2] an AppArmor rejection.
Reproducer is simple:
```
logger -p user.emerg --tag check-journal EMERGENCY_MESSAGE
```
this causes
```
type=1400 audit(1710168739.345:108): apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/run/systemd/sessions/" pid=714 comm=72733A6D61696E20513A526567 requested_mask="r" denied_mask="r" fsuid=102 ouid=0
```
Note that it doesn't actually fail, the "EMERGENCY_MESSAGE" does
appear in the journal and also in /var/log/syslog. But it's some noise
that triggers our (and presumably other admins') log detectors.
rsyslog 8.2312.0-3ubuntu3
apparmor 4.0.0~alpha4-0ubuntu1
[1] https://cloud-images.ubuntu.com/daily/server/noble/current/noble-server-cloudimg-amd64.manifest
[2] https://cockpit-logs.us-east-1.linodeobjects.com/pull-6048-20240311-125838-b465e9b2-ubuntu-stable-other-cockpit-project-cockpit/log.html#118
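The `comm` field in the records above is written as bare hex because the thread name contains a space; decoded, it reads `rs:main Q:Reg`. The following is an added example, not part of the bug report or of rsyslog or AppArmor, that parses such `type=1400` records and groups them by their decoded fields so a log detector can key on them; the function names are illustrative.

```python
import re
from collections import Counter

# String fields the kernel audit layer writes as bare hex when the value
# contains a space or other unsafe byte; quoted values are literal.
HEX_STRING_FIELDS = {"name", "comm", "profile", "info"}
HEADER = re.compile(r"type=1400 audit\((\d+)\.(\d+):(\d+)\):")
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")

def parse_denial(line):
    """Return the fields of an AppArmor DENIED record, or None."""
    head = HEADER.search(line)
    if head is None:
        return None
    rec = {"epoch": int(head.group(1)), "serial": int(head.group(3))}
    for key, quoted, bare in PAIR.findall(line[head.end():]):
        if not bare:                      # value was quoted: take it literally
            rec[key] = quoted
        elif key in HEX_STRING_FIELDS and HEX.fullmatch(bare):
            rec[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:                             # numeric fields such as pid, fsuid
            rec[key] = bare
    return rec if rec.get("apparmor") == "DENIED" else None

def summarize(lines):
    """Count denials by (profile, operation, name, comm, denied_mask)."""
    keys = ("profile", "operation", "name", "comm", "denied_mask")
    counts = Counter()
    for line in lines:
        rec = parse_denial(line)
        if rec:
            counts[tuple(rec.get(k) for k in keys)] += 1
    return counts

# Sample input: two audit records copied from the report above (serials 163
# and 169) and one of the unrelated kernel lines, with timestamps trimmed.
TAIL = ('apparmor="DENIED" operation="open" class="file" profile="rsyslogd" '
        'name="/run/systemd/sessions/" pid=2705 comm=72733A6D61696E20513A526567 '
        'requested_mask="r" denied_mask="r" fsuid=101 ouid=0')
SAMPLE = [
    "hostname kernel: __common_interrupt: 5.36 No irq handler for vector",
    "hostname kernel: audit: type=1400 audit(1723803925.541:163): " + TAIL,
    "hostname kernel: audit: type=1400 audit(1724057248.124:169): " + TAIL,
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, key)
```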