[apparmor] [patch] /sbin/klogd and /sbin/syslog* moved to /usr/sbin

Christian Boltz apparmor at cboltz.de
Sat Feb 28 18:29:29 UTC 2015


Hello,

klogd, syslog-ng and syslogd moved from /sbin/ to /usr/sbin/ on openSUSE. 
Therefore this patch updates the profile to follow the move.

I remember the discussion that a "named" profile looks better in such
cases, therefore I'm using "profile klogd" instead of just adding the
optional /usr path segment.

The interesting question is if we want to apply this patch to 2.8 and 2.9.
This would mean applying the profile on older openSUSE releases which
currently run klogd, syslog-ng and syslogd without AppArmor protection/
restrictions. (Yes, the move happened quite some time ago.)

I just copied the syslog-ng profile to an openSUSE 13.1 server, so I'll 
at least see what happens for syslog-ng ;-)

First impressions from this server:
type=AVC msg=audit(1425146612.725:30560219): apparmor="ALLOWED" operation="open" parent=1 profile="syslog-ng" name="/etc/ssl/openssl.cnf" pid=32127 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1425146612.753:30560220): apparmor="ALLOWED" operation="chmod" parent=1 profile="syslog-ng" name="/run/systemd/journal/syslog" pid=32127 comm="syslog-ng" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

... but aa-logprof (both 2.8.3 and bzr trunk) doesn't ask for any profile
additions :-/  
When changing the profile to "/usr/sbin/syslog-ng" and using fresh log 
entries, it works, so there must be some problem with named profiles. 
Nice[tm]...


Anyway, let's make sure the profiles are used now. We can still add 
the missing permissions later.


[ profiles-sbin-usr-move.diff ]

=== modified file 'profiles/apparmor.d/sbin.klogd'
--- profiles/apparmor.d/sbin.klogd      2011-08-18 22:27:03 +0000
+++ profiles/apparmor.d/sbin.klogd      2015-02-28 18:00:20 +0000
@@ -11,7 +11,7 @@
 
 #include <tunables/global>
 
-/sbin/klogd {
+profile klogd /{usr/,}sbin/klogd {
   #include <abstractions/base>
 
   capability sys_admin, # for backward compatibility with kernel <= 2.6.37
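
Review bot: The header `profile klogd /{usr/,}sbin/klogd {` changes the profile name from `/sbin/klogd` to `klogd`, not only the attachment, and the cover message reports that aa-logprof (2.8.3 and bzr trunk) offers no additions for events logged under a named profile. Consider keeping a path-only header such as `/{usr/,}sbin/klogd {` until that tool problem is understood, or state the limitation in the commit message so users of this profile know log-driven updates will not work yet.
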
@@ -24,7 +24,7 @@
   @{PROC}/kallsyms             r,
   /dev/tty             rw,
 
-  /sbin/klogd          rmix,
+  /{usr/,}sbin/klogd           rmix,
   /var/log/boot.msg     rwl,
   /{,var/}run/klogd.pid    krwl,
   /{,var/}run/klogd/klogd.pid krwl,

=== modified file 'profiles/apparmor.d/sbin.syslog-ng'
--- profiles/apparmor.d/sbin.syslog-ng  2014-09-03 19:24:00 +0000
+++ profiles/apparmor.d/sbin.syslog-ng  2015-02-28 18:00:55 +0000
@@ -15,7 +15,7 @@
 #define this to be where syslog-ng is chrooted
 @{CHROOT_BASE}=""
 
-/sbin/syslog-ng {
+profile syslog-ng /{usr/,}sbin/syslog-ng {
   #include <abstractions/base>
   #include <abstractions/consoles>
   #include <abstractions/nameservice>
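
Review bot: With the attachment `/{usr/,}sbin/syslog-ng` in the new header, this profile starts confining syslog-ng on systems where it did not attach before, and the audit records in the cover message show two accesses flagged under it: a read of `/etc/ssl/openssl.cnf` and a `chmod` (mask `w`) on `/run/systemd/journal/syslog`. I would add rules for both in this same patch rather than later, so the first release that attaches the profile does not deny them in enforce mode.
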
@@ -41,7 +41,7 @@
   @{PROC}/kmsg r,
   /etc/hosts.deny r,
   /etc/hosts.allow r,
-  /sbin/syslog-ng mr,
+  /{usr/,}sbin/syslog-ng mr,
   /sys/devices/system/cpu/online r,
   /usr/share/syslog-ng/** r,
   # chrooted applications

=== modified file 'profiles/apparmor.d/sbin.syslogd'
--- profiles/apparmor.d/sbin.syslogd    2014-09-03 19:24:00 +0000
+++ profiles/apparmor.d/sbin.syslogd    2015-02-28 18:00:38 +0000
@@ -11,7 +11,7 @@
 
 #include <tunables/global>
 
-/sbin/syslogd {
+profile syslogd /{usr/,}sbin/syslogd {
   #include <abstractions/base>
   #include <abstractions/nameservice>
   #include <abstractions/consoles>
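
Review bot: After this header change the file name `profiles/apparmor.d/sbin.syslogd` matches neither the profile name (`syslogd`) nor the `/usr/sbin/` location the cover message says openSUSE now uses. If the file keeps its old name, add a short comment above the header saying why; the same applies to `sbin.klogd` and `sbin.syslog-ng`.
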
@@ -32,7 +32,7 @@
   /dev/tty*                     w,
   /dev/xconsole                 rw,
   /etc/syslog.conf              r,
-  /sbin/syslogd                 rmix,
+  /{usr/,}sbin/syslogd                 rmix,
   /var/log/**                   rw,
   /{,var/}run/syslogd.pid          krwl,
   /{,var/}run/utmp                 rw,
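
Review bot: The changed rule `/{usr/,}sbin/syslogd                 rmix,` keeps the padding of the old line, so its permission column now sits seven characters to the right of the neighbouring rules (`/etc/syslog.conf`, `/var/log/**`). Trim the padding so `rmix,` lines up with the rest of the block.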



Regards,

Christian Boltz
-- 
Posting an "RL-style sticker" with the notice "No advertising mail" somewhere
on Usenet has the same legal effect as performing an expressive dance against
spam, naked, in the pale moonlight under 1,000-year-old oaks...
                                           [Joerg Heidrich in d.a.n-a.m]
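
The audit records and profile headers from the message above, worked through as an added example that is not part of the original post and does not reproduce aa-logprof's own logic: it shows that the kernel logs the profile *name* (`syslog-ng`), so rule candidates have to be looked up by the name the header declares, not by the binary's path. The function names are hypothetical.

```python
import re
from collections import defaultdict

# The two records quoted in the message, embedded so the example runs offline.
SAMPLE_LOG = """\
type=AVC msg=audit(1425146612.725:30560219): apparmor="ALLOWED" operation="open" parent=1 profile="syslog-ng" name="/etc/ssl/openssl.cnf" pid=32127 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1425146612.753:30560220): apparmor="ALLOWED" operation="chmod" parent=1 profile="syslog-ng" name="/run/systemd/journal/syslog" pid=32127 comm="syslog-ng" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
"""
# Profile headers before and after the patch (taken from the diff).
OLD_HEADER = "/sbin/syslog-ng {"
NEW_HEADER = "profile syslog-ng /{usr/,}sbin/syslog-ng {"

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEADER = re.compile(r'^\s*(?:profile\s+)?(?:(\S+)\s+)?(/\S+)\s*\{')

def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def header_name(header):
    """Name a header declares: the explicit name if present, else the path."""
    m = HEADER.match(header)
    return (m.group(1) or m.group(2)) if m else None

def pending_rules(log_text):
    """Collect 'path mask,' rule candidates keyed by the logged profile name."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") in ("ALLOWED", "DENIED") and "name" in rec:
            rules[rec["profile"]].add(f'{rec["name"]} {rec["denied_mask"]},')
    return {profile: sorted(found) for profile, found in rules.items()}

def rules_for_header(header, log_text):
    """Rule candidates for the profile a header declares (lookup by name)."""
    return pending_rules(log_text).get(header_name(header), [])

if __name__ == "__main__":
    for header in (OLD_HEADER, NEW_HEADER):
        print(header_name(header), rules_for_header(header, SAMPLE_LOG))
```

Run against the old path-only header the lookup returns nothing for these records; with the patched header it returns the two candidate rules.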



