[apparmor] config check exceptions
Michael Ströder
michael at stroeder.com
Fri Sep 17 14:57:11 UTC 2021
Hi!
I have the following Ansible task for installing the rsyslog config file:
- name: "Generate rsyslog configuration"
  template:
    src: "rsyslog.conf.j2"
    dest: "/etc/rsyslog.conf"
    owner: root
    group: root
    mode: 0o0644
    validate: "/usr/sbin/rsyslogd -N 1 -f %s"
  notify:
    - "restart rsyslog"
As you can see, the argument "validate" invokes the rsyslogd executable to
check the config *before* installing it to the final destination.
This leads to a violation of the AppArmor profile
/etc/apparmor.d/usr.sbin.rsyslogd, which is also applied when running this
executable only for config validation:
type=AVC msg=audit(1631883703.061:3603): apparmor="DENIED" operation="open" profile="/usr/sbin/rsyslogd" name="/root/.ansible/tmp/ansible-tmp-1631883699.503673-9416-242746370879968/source" pid=13760 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
But I'd like to avoid adding rules to grant read access to
/root/.ansible/tmp/.
Any idea how to disable the AppArmor profile only in the case of this config
check?
Ciao, Michael.
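The denial above is produced only because Ansible's template module hands rsyslogd a temporary copy under its remote tmp directory; the running daemon never touches that path. When sorting through audit logs after a playbook run it helps to separate such validate-time denials from denials the service would hit at runtime. The following is an added example, not code from the post or from the AppArmor or Ansible projects: it parses AVC records in the format quoted above, classifies each denial by whether the denied path lies under Ansible's remote tmp directory, and prints the profile rule that would silence it (the rule the post wants to avoid for the tmp case). The remote tmp prefix /root/.ansible/tmp/ is assumed to be Ansible's default for the root user; the two extra log records are constructed for contrast.

```python
"""Triage AppArmor AVC denials: validate-time (Ansible tmp) vs. runtime.

Added example, not part of the original mailing-list post.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: Ansible's default remote_tmp for the root user.
ANSIBLE_REMOTE_TMP = ("/root/.ansible/tmp/",)

# key="quoted value" or key=unquoted-token, as in audit(8) AVC records.
AVC_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
AUDIT_HDR = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

# Constructed sample input: the record quoted in the post, plus a made-up
# runtime denial on a log file and a made-up complain-mode ALLOWED record.
SAMPLE_LOG = """\
type=AVC msg=audit(1631883703.061:3603): apparmor="DENIED" operation="open" profile="/usr/sbin/rsyslogd" name="/root/.ansible/tmp/ansible-tmp-1631883699.503673-9416-242746370879968/source" pid=13760 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1631883800.000:3610): apparmor="DENIED" operation="open" profile="/usr/sbin/rsyslogd" name="/var/log/custom/app.log" pid=13800 comm="rsyslogd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=AVC msg=audit(1631883801.000:3611): apparmor="ALLOWED" operation="open" profile="/usr/sbin/rsyslogd" name="/etc/rsyslog.conf" pid=13800 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    apparmor: str      # DENIED / ALLOWED / AUDIT
    operation: str
    profile: str
    name: str          # path the operation was attempted on
    comm: str
    pid: int
    requested_mask: str
    denied_mask: str


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one type=AVC audit line; return None for other record types."""
    if not line.startswith("type=AVC"):
        return None
    hdr = AUDIT_HDR.search(line)
    if hdr is None:
        return None
    fields = {k: (q or u) for k, q, u in AVC_FIELD.findall(line)}
    return AvcRecord(
        timestamp=float(hdr.group(1)),
        serial=int(hdr.group(2)),
        apparmor=fields.get("apparmor", ""),
        operation=fields.get("operation", ""),
        profile=fields.get("profile", ""),
        name=fields.get("name", ""),
        comm=fields.get("comm", ""),
        pid=int(fields.get("pid", "0")),
        requested_mask=fields.get("requested_mask", ""),
        denied_mask=fields.get("denied_mask", ""),
    )


def classify(rec: AvcRecord, tmp_prefixes=ANSIBLE_REMOTE_TMP) -> str:
    """validate-tmp: only reachable while Ansible validates a staged copy."""
    if rec.apparmor != "DENIED":
        return "not-a-denial"
    if any(rec.name.startswith(p) for p in tmp_prefixes):
        return "validate-tmp"
    return "runtime"


def rule_mask(audit_mask: str) -> str:
    """Audit 'c' (create) has no rule letter of its own; 'w' covers it."""
    out = ""
    for ch in audit_mask:
        ch = "w" if ch == "c" else ch
        if ch not in out:
            out += ch
    return out


def suggested_rule(rec: AvcRecord, tmp_prefixes=ANSIBLE_REMOTE_TMP) -> str:
    """Profile line that would silence this denial (broad glob for tmp)."""
    for p in tmp_prefixes:
        if rec.name.startswith(p):
            return f"{p}** {rule_mask(rec.denied_mask)},"
    return f"{rec.name} {rule_mask(rec.denied_mask)},"


def triage(log_text: str) -> List[Tuple[int, str, str, str]]:
    """Return (serial, category, path, rule) for every AVC record."""
    result = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            result.append((rec.serial, classify(rec), rec.name, suggested_rule(rec)))
    return result


if __name__ == "__main__":
    for serial, category, path, rule in triage(SAMPLE_LOG):
        print(f"{serial}\t{category:13}\t{path}\n\t\twould need: {rule}")
```

Denials tagged validate-tmp come from the staged copy and disappear once the file sits at its final path; denials tagged runtime are the ones that affect the service and are worth a profile change.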