I'm having second thoughts about the "deny / r," rule, because it affects rsyslog as a whole, and not just the imfile module.
With that rule in place, we won't know (via apparmor logs) if we are suddenly blocking something else in rsyslog, and this could make troubleshooting harder in the future. The alternative is to allow it: "/ r," essentially, like it's being done for "/var/" and "/var/log/". There is no easy way to add the rule for "/" just when the imfile module is being used. I'll discuss this with @jjohansen next week. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to rsyslog in Ubuntu. https://bugs.launchpad.net/bugs/2101180 Title: Multiple DENIED apparmor messages when using rsyslog with the imfile module Status in rsyslog package in Ubuntu: In Progress Status in rsyslog source package in Noble: New Status in rsyslog source package in Oracular: New Status in rsyslog source package in Plucky: In Progress Bug description: When enabling the imfile module in order to watch /var/log/audit/audit.log file, the following traces are generated in logs regularly : type=AVC msg=audit(1741370794.968:9963561): apparmor="DENIED" operation="open" profile="rsyslogd" name="/" pid=67348 comm="in:imfile" requested_mask="r" denied_mask="r" fsuid=106 ouid=0 type=AVC msg=audit(1741370794.968:9963562): apparmor="DENIED" operation="open" profile="rsyslogd" name="/var/" pid=67348 comm="in:imfile" requested_mask="r" denied_mask="r" fsuid=106 ouid=0 type=AVC msg=audit(1741370794.968:9963563): apparmor="DENIED" operation="open" profile="rsyslogd" name="/var/log/" pid=67348 comm="in:imfile" requested_mask="r" denied_mask="r" fsuid=106 ouid=0 As a small fix, I had to add the following lines into the rsyslogd apparmor configuration file : / r, /var r, /var/** r, Could it be a possible bug ? Behaviour detected on Ubuntu 22.04 rsyslog package : 8.2406.0-1ubuntu2 Behaviour expected : No DENIED apparmor actions when using the imfile module. Thanks ! To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/2101180/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
