** Description changed: - Hi. + [rsyslog impact] + This bug prevents rsyslog from receiving all events from other services on trusty when the utopic-hwe (and newer) kernels are used. The rsyslog SRU adds an additional permission (read access to /dev/log) to the rsyslog apparmor policy to allow this to work. - I've noticed that apparmor loads /usr/sbin/rsyslogd profile for - completely unrelated processes: + [rsyslog test case] + (1) Ensure the rsyslog apparmor policy is set to enforce; it should show up listed in the "XX profiles are in enforce mode." section reported by "sudo aa-status" (if it's disabled, do "sudo aa-enforce rsyslogd"). + + (2) Install the utopic or newer hwe enablement stack reboot into the + kernel. Using the logger(1) utility should generate log messages (e.g. + "logger foo") that are recorded in syslog; with this bug, they will be + blocked (grep DENIED /var/log/syslog). + + [rsyslog regression potential] + The only change to rsyslog in the SRU is a slight loosening of the rsyslog apparmor policy. The risk of an introduced regression is small. + + [rsyslog addition info] + The qa-regression-testing script is useful for verifying that rsyslog is still functioning properly (http://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/view/head:/scripts/test-rsyslog.py) + + + [Original description] + I've noticed that apparmor loads /usr/sbin/rsyslogd profile for completely unrelated processes: Feb 25 08:36:19 emma kernel: [ 134.796218] audit: type=1400 audit(1424842579.429:245): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=4002 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Feb 25 08:36:23 emma kernel: [ 139.330989] audit: type=1400 audit(1424842583.965:246): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=4080 comm="sudo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Feb 25 08:35:42 emma kernel: [ 97.912402] audit: type=1400 audit(1424842542.565:241): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=2436 comm="whoopsie" requested_mask="r" denied_mask="r" fsuid=103 ouid=0 Feb 25 08:34:43 emma kernel: [ 38.867998] audit: type=1400 audit(1424842483.546:226): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=3762 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 - - I'm not sure how apparmor decides which profile to use for which task, but is shouldn't load '/usr/sbin/rsyslogd' profile for sshd/ntpd/etc. - + I'm not sure how apparmor decides which profile to use for which task, + but is shouldn't load '/usr/sbin/rsyslogd' profile for sshd/ntpd/etc. I'm running: # lsb_release -rd Description: Ubuntu 14.04.2 LTS Release: 14.04 # dpkg -l | grep apparmor ii apparmor 2.8.95~2430-0ubuntu5.1 amd64 User-space parser utility for AppArmor ii apparmor-profiles 2.8.95~2430-0ubuntu5.1 all Profiles for AppArmor Security policies ii apparmor-utils 2.8.95~2430-0ubuntu5.1 amd64 Utilities for controlling AppArmor ii libapparmor-perl 2.8.95~2430-0ubuntu5.1 amd64 AppArmor library Perl bindings ii libapparmor1:amd64 2.8.95~2430-0ubuntu5.1 amd64 changehat AppArmor library ii python3-apparmor 2.8.95~2430-0ubuntu5.1 amd64 AppArmor Python3 utility library ii python3-libapparmor 2.8.95~2430-0ubuntu5.1 amd64 AppArmor library Python3 bindings # uname -a Linux emma 3.16.0-31-generic #41~14.04.1-Ubuntu SMP Wed Feb 11 19:30:13 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1425398 Title: Apparmor uses rsyslogd profile for different processes - utopic HWE To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1425398/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
