[apparmor] [patch] /sbin/klogd and /sbin/syslog* moved to /usr/sbin
Steve Beattie
steve at nxnw.org
Sat Mar 7 14:30:51 UTC 2015
On Sat, Feb 28, 2015 at 07:29:29PM +0100, Christian Boltz wrote:
> klogd, syslog-ng and syslogd moved from /sbin/ to /usr/sbin/ on openSUSE.
> Therefore this patch updates the profile to follow the move.
>
> I remember the discussion that a "named" profile looks better in such
> cases, therefore I'm using "profile klogd" instead of just adding the
> optional /usr path segment.
>
> The interesting question is if we want to apply this patch to 2.8 and 2.9.
> This would mean applying the profile on older openSUSE releases which
> currently run klogd, syslog-ng and syslogd without AppArmor protection/
> restrictions. (Yes, the move happened quite some time ago.)
>
> I just copied the syslog-ng profile to an openSUSE 13.1 server, so I'll
> at least see what happens for syslog-ng ;-)
>
> First impressions from this server:
> type=AVC msg=audit(1425146612.725:30560219): apparmor="ALLOWED" operation="open" parent=1 profile="syslog-ng" name="/etc/ssl/openssl.cnf" pid=32127 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1425146612.753:30560220): apparmor="ALLOWED" operation="chmod" parent=1 profile="syslog-ng" name="/run/systemd/journal/syslog" pid=32127 comm="syslog-ng" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
>
> ... but aa-logprof (both 2.8.3 and bzr trunk) doesn't ask for any profile
> additions :-/
> When changing the profile to "/usr/sbin/syslog-ng" and using fresh log
> entries, it works, so there must be some problem with named profiles.
> Nice[tm]...
>
>
> Anyway, let's make sure the profiles are used now. We can still add
> the missing permissions later.
Acked-by: Steve Beattie <steve at nxnw.org> for trunk. I'd prefer this for
2.9 as well, but perhaps only after we've fixed some of the tooling
issues for named profiles. I don't think we should add it for 2.8.
Thanks.
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
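
Added example, not part of the original message and not aa-logprof's code: a small parser for the two audit lines quoted above that groups the logged accesses into candidate file rules per profile and reports whether the logged profile is a name (as with "profile syslog-ng") or a path. The function names are hypothetical, and treating any profile value that does not start with "/" as a named profile is an assumption of this sketch.

```python
import re
from collections import defaultdict

# The two complain-mode ("ALLOWED") audit lines quoted in the message above.
SAMPLE_LOG = """\
type=AVC msg=audit(1425146612.725:30560219): apparmor="ALLOWED" operation="open" parent=1 profile="syslog-ng" name="/etc/ssl/openssl.cnf" pid=32127 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1425146612.753:30560220): apparmor="ALLOWED" operation="chmod" parent=1 profile="syslog-ng" name="/run/systemd/journal/syslog" pid=32127 comm="syslog-ng" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted or bare tokens.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Return the fields of one AppArmor AVC audit line as a dict, else None."""
    fields = {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(line)}
    if fields.get("type") != "AVC" or "apparmor" not in fields:
        return None
    return fields


def is_named_profile(profile):
    """True when the logged profile is a name ("syslog-ng"), not a path."""
    return not profile.startswith("/")


def suggest_rules(log_text):
    """Group logged file accesses into candidate rules per profile."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["apparmor"] not in ("ALLOWED", "DENIED"):
            continue
        if not all(k in ev for k in ("profile", "name", "denied_mask")):
            continue
        # Hex-encoded (unquoted) names are kept as logged, not decoded.
        rules[ev["profile"]].add(f'{ev["name"]} {ev["denied_mask"]},')
    return {profile: sorted(r) for profile, r in rules.items()}


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        kind = "named" if is_named_profile(profile) else "path-attached"
        print(f"profile {profile} ({kind}):")
        for rule in rules:
            print(f"  {rule}")
```
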