Public bug reported:

The AppArmor profile for rsyslog, which had been disabled on previous
Ubuntu versions, was enabled in lunar.

The package google-compute-engine added a config file to rsyslog which
requires rw access to /dev/console.

google:ubuntu-23.04-64 /root# cat /etc/rsyslog.d/90-google.conf
# Google Compute Engine default console logging.
#
# daemon: logging from Google provided daemons.
# kern: logging information in case of an unexpected crash during boot.
#
daemon,kern.* /dev/console

google:ubuntu-23.04-64 /root# apt-file search /etc/rsyslog.d/90-google.conf
google-compute-engine: /etc/rsyslog.d/90-google.conf

So in GCE cloud images, we are getting the following denials:

[ 1500.302082] audit: type=1400 audit(1677876883.728:495):
apparmor="DENIED" operation="open" class="file" profile="rsyslogd"
name="/dev/console" pid=603 comm=72733A6D61696E20513A526567
requested_mask="ac" denied_mask="ac" fsuid=101 ouid=0


To fix it, we just need to add 
  /dev/console rw,
to /etc/apparmor.d/usr.sbin.rsyslogd

** Affects: gce-compute-image-packages (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: rsyslog (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to rsyslog in Ubuntu.
https://bugs.launchpad.net/bugs/2009230

Title:
  AppArmor denials for rsyslog

Status in gce-compute-image-packages package in Ubuntu:
  New
Status in rsyslog package in Ubuntu:
  New
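
To triage a denial like the one quoted in this report, the audit record can be parsed and its hex-encoded comm field decoded. The following is an added example, not part of the original report or of AppArmor's tooling; the function names are hypothetical, and the mask mapping assumes the AppArmor convention that create (c) and delete (d) are granted by w and that w subsumes a.

```python
import re

# Constructed from the denial quoted in the report, joined onto one line.
SAMPLE = ('[ 1500.302082] audit: type=1400 audit(1677876883.728:495): '
          'apparmor="DENIED" operation="open" class="file" profile="rsyslogd" '
          'name="/dev/console" pid=603 comm=72733A6D61696E20513A526567 '
          'requested_mask="ac" denied_mask="ac" fsuid=101 ouid=0')

PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')   # key="quoted" or key=bare
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_denial(line):
    """Return the key=value fields of an AppArmor audit record as a dict."""
    fields = {}
    for key, raw, quoted in PAIR.findall(line):
        if raw.startswith('"'):
            fields[key] = quoted
        elif key in ('comm', 'name', 'profile') and HEX.fullmatch(raw):
            # audit hex-encodes strings that contain spaces or special bytes
            fields[key] = bytes.fromhex(raw).decode('utf-8', 'replace')
        else:
            fields[key] = raw
    return fields

def rule_for(fields):
    """Smallest file rule covering denied_mask; None if not a file denial."""
    if fields.get('apparmor') != 'DENIED' or fields.get('class') != 'file':
        return None
    mask = set(fields['denied_mask'])
    perms = 'r' if 'r' in mask else ''
    if mask & set('wcd'):
        perms += 'w'          # assumption: create/delete are granted by w
    elif 'a' in mask:
        perms += 'a'          # append-only is enough when nothing needs w
    return f"  {fields['name']} {perms},"

if __name__ == '__main__':
    record = parse_denial(SAMPLE)
    print(record['profile'], repr(record['comm']), rule_for(record))
```

For the record in this report the comm decodes to the rsyslog queue worker thread and the mask-derived rule is `/dev/console w,`; the fix proposed in the report, `rw`, additionally grants read.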
