[Bug 2101180] [NEW] Multiple DENIED apparmor messages when using rsyslog with the imfile module

Launchpad Bug Tracker 2101180 at bugs.launchpad.net
Fri Mar 7 18:59:36 UTC 2025


You have been subscribed to a public bug:

When enabling the imfile module in order to watch the
/var/log/audit/audit.log file, the following traces are generated in
the logs regularly:


type=AVC msg=audit(1741370794.968:9963561): apparmor="DENIED" operation="open" profile="rsyslogd" name="/" pid=67348 comm="in:imfile" requested_mask="r" denied_mask="r" fsuid=106 ouid=0
type=AVC msg=audit(1741370794.968:9963562): apparmor="DENIED" operation="open" profile="rsyslogd" name="/var/" pid=67348 comm="in:imfile" requested_mask="r" denied_mask="r" fsuid=106 ouid=0
type=AVC msg=audit(1741370794.968:9963563): apparmor="DENIED" operation="open" profile="rsyslogd" name="/var/log/" pid=67348 comm="in:imfile" requested_mask="r" denied_mask="r" fsuid=106 ouid=0

As a small fix, I had to add the following lines to the rsyslogd
apparmor configuration file:

/ r,
/var r,
/var/** r,

Could it be a possible bug?

Behaviour detected on Ubuntu 22.04
rsyslog package: 8.2406.0-1ubuntu2

Behaviour expected: No DENIED apparmor actions when using the imfile
module.

Thanks!

** Affects: rsyslog (Ubuntu)
     Importance: Undecided
         Status: New

-- 
Multiple DENIED apparmor messages when using rsyslog with the imfile module
https://bugs.launchpad.net/bugs/2101180
You received this bug notification because you are a member of Ubuntu Foundations Bugs, which is subscribed to rsyslog in Ubuntu.
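
The denial records quoted in the report, turned into candidate profile rules: this is an added example, not part of the bug report and not rsyslog or Ubuntu code. It parses AppArmor DENIED AVC records and emits one rule per denied path and mask, so the three directory opens above map to `/ r,`, `/var/ r,` and `/var/log/ r,` rather than a read grant on everything under /var. The names `parse_denial` and `suggest_rules` are hypothetical, and only read/write masks are handled.

```python
import re

# Constructed sample input: the three AVC records quoted in the report.
SAMPLE = """\
type=AVC msg=audit(1741370794.968:9963561): apparmor="DENIED" operation="open" profile="rsyslogd" name="/" pid=67348 comm="in:imfile" requested_mask="r" denied_mask="r" fsuid=106 ouid=0
type=AVC msg=audit(1741370794.968:9963562): apparmor="DENIED" operation="open" profile="rsyslogd" name="/var/" pid=67348 comm="in:imfile" requested_mask="r" denied_mask="r" fsuid=106 ouid=0
type=AVC msg=audit(1741370794.968:9963563): apparmor="DENIED" operation="open" profile="rsyslogd" name="/var/log/" pid=67348 comm="in:imfile" requested_mask="r" denied_mask="r" fsuid=106 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')


def parse_denial(line):
    """Return the fields of an AppArmor DENIED AVC record, or None for other lines."""
    fields = {}
    for m in FIELD.finditer(line):
        key, quoted, bare = m.groups()
        if quoted is None and key == "name" and HEX.fullmatch(bare):
            # The audit subsystem hex-encodes names containing spaces or quotes.
            quoted = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = bare if quoted is None else quoted
    if fields.get("type") != "AVC" or fields.get("apparmor") != "DENIED":
        return None
    return fields


def suggest_rules(log_text):
    """Map each profile to rules covering exactly the denied paths and masks."""
    wanted = {}  # (profile, path) -> set of denied permission letters
    for line in log_text.splitlines():
        rec = parse_denial(line) or {}
        perms = set(rec.get("denied_mask", "")) & set("rw")  # only read/write handled here
        if perms and "name" in rec and "profile" in rec:
            wanted.setdefault((rec["profile"], rec["name"]), set()).update(perms)
    rules = {}
    for (profile, path), mask in wanted.items():
        if re.search(r"\s", path):
            path = '"' + path + '"'  # AppArmor requires quoting paths with whitespace
        rules.setdefault(profile, []).append(f"{path} {''.join(sorted(mask))},")
    return rules


if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE).items():
        print(f"# profile {profile}")
        print("\n".join(f"  {rule}" for rule in lines))
```
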
