[apparmor] config check exceptions

John Johansen john.johansen at canonical.com
Fri Sep 17 16:41:53 UTC 2021


On 9/17/21 7:57 AM, Michael Ströder wrote:
> HI!
> 
> I have the following ansible task for installing rsyslog config file:
> 
> - name: "Generate rsyslog configuration"
>   template:
>     src: "rsyslog.conf.j2"
>     dest: "/etc/rsyslog.conf"
>     owner: root
>     group: root
>     mode: 0o0644
>     validate: "/usr/sbin/rsyslogd -N 1 -f %s"
>   notify:
>     - "restart rsyslog"
> 
> As you can see the argument "validate" invokes rsyslogd executable to
> check the config *before* installing it to the final destination.
> 
> This leads to a violation of the AppArmor profile
> /etc/apparmor.d/usr.sbin.rsyslogd also applied when running this
> executable only for config validation:
> 
> type=AVC msg=audit(1631883703.061:3603): apparmor="DENIED"
> operation="open" profile="/usr/sbin/rsyslogd"
> name="/root/.ansible/tmp/ansible-tmp-1631883699.503673-9416-242746370879968/source"
> pid=13760 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> 
> But I'd like to avoid adding rules to grant read access to
> /root/.ansible/tmp/.
> 
> Any idea how to disable the AppArmor profile only in case of this config
> check?
> 

So I think all you need to do is create a secondary profile, let's call it
rsyslogd-configcheck. Give it all the same rules as the rsyslogd profile and the
extra rule to allow access to /root/.ansible/tmp/

Make sure the new profile is loaded. Now you can start rsyslogd using aa-exec to
put it in the alternate profile:

  aa-exec -p rsyslogd-configcheck -- /usr/sbin/rsyslogd -N1 -f %s
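
As an added worked example (this is not code from the thread or from the AppArmor project), the POSIX shell script below derives the secondary profile mechanically from the stock profile file instead of hand-copying its rules, so the two cannot silently drift apart, and then loads it. It assumes the stock profile lives at /etc/apparmor.d/usr.sbin.rsyslogd (the path named in the question), that Ansible's remote_tmp is the default /root/.ansible/tmp shown in the AVC line, and that a profile called rsyslogd-configcheck is acceptable; the function names and the abridged sample profile used for the offline dry run are constructed for illustration and are not the distro's real file.

```shell
#!/bin/sh
# Added example (not from the thread or the AppArmor project): build a
# named profile "rsyslogd-configcheck" from the stock rsyslogd profile and
# load it, so Ansible's "validate" step can run rsyslogd -N under it via
# aa-exec without touching the profile used for the real daemon.
set -eu

PROFILE_NAME="rsyslogd-configcheck"
BASE_PROFILE="${BASE_PROFILE:-/etc/apparmor.d/usr.sbin.rsyslogd}"
NEW_PROFILE="${NEW_PROFILE:-/etc/apparmor.d/$PROFILE_NAME}"
# Path taken from the AVC in the thread. Assumption: Ansible's remote_tmp is
# the default under /root. "owner" limits the rule to files whose owner is
# the fsuid (the denial shows fsuid=0 ouid=0), so only root's own tmp files
# qualify; ** matches the per-run ansible-tmp-* directory and its contents.
EXTRA_RULE='  owner /root/.ansible/tmp/** r,'

# make_configcheck_profile BASE NEW
# Copy BASE to NEW, turning the path-attached header ("/usr/sbin/rsyslogd {"
# or "profile x /usr/sbin/rsyslogd flags=(...) {") into a named profile with
# no attachment, so it is only ever entered through aa-exec -p and never
# competes with the stock profile when rsyslogd starts normally. The extra
# rule is placed right after the header; every other rule is kept verbatim.
make_configcheck_profile() {
    base="$1"
    new="$2"
    awk -v name="$PROFILE_NAME" -v rule="$EXTRA_RULE" '
        !done && /^[^#]*\/usr\/sbin\/rsyslogd[^{]*\{[ \t]*$/ {
            print "profile " name " {"
            print rule
            done = 1
            next
        }
        { print }
    ' "$base" > "$new"
    # Refuse to hand back a file that did not get the rule: it would still
    # load cleanly and leave the denial in place, the worst failure mode here.
    grep -qF "profile $PROFILE_NAME {" "$new"
}

# load_profile FILE: apparmor_parser -r replaces an already-loaded profile
# of the same name (and adds it the first time), so reruns are idempotent.
# The kernel's profile list is then checked so a parse error cannot go
# unnoticed before aa-exec relies on the profile being present.
load_profile() {
    apparmor_parser -r "$1"
    grep -q "^$PROFILE_NAME (" /sys/kernel/security/apparmor/profiles
}

# write_sample_base_profile FILE: constructed, abridged stand-in for the
# distro's usr.sbin.rsyslogd, used only for the offline dry run below.
write_sample_base_profile() {
    cat > "$1" <<'EOF'
#include <tunables/global>

/usr/sbin/rsyslogd {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability sys_nice,
  capability syslog,

  /usr/sbin/rsyslogd mr,
  /etc/rsyslog.conf r,
  /etc/rsyslog.d/ r,
  /etc/rsyslog.d/** r,
  /var/log/** rw,
  /run/rsyslogd.pid rwk,
}
EOF
}

# Usage:
#   sh build-configcheck-profile.sh            # offline dry run on the sample
#   sh build-configcheck-profile.sh --install  # derive from the real file, load it
# Then point the Ansible task at the alternate profile:
#   validate: "aa-exec -p rsyslogd-configcheck -- /usr/sbin/rsyslogd -N 1 -f %s"
case "${1:-}" in
    --install)
        make_configcheck_profile "$BASE_PROFILE" "$NEW_PROFILE"
        load_profile "$NEW_PROFILE"
        ;;
    "")
        tmp="$(mktemp -d)"
        write_sample_base_profile "$tmp/usr.sbin.rsyslogd"
        make_configcheck_profile "$tmp/usr.sbin.rsyslogd" "$tmp/$PROFILE_NAME"
        cat "$tmp/$PROFILE_NAME"
        rm -rf "$tmp"
        ;;
    *)
        echo "usage: $0 [--install]" >&2
        exit 2
        ;;
esac
```

Two practical points. Because the derived profile has no attachment path, the stock profile keeps confining the real daemon and aa-exec is the only way into the looser one, which is what makes the extra read rule acceptable. And because it is a copy, not a reference, a distro update to usr.sbin.rsyslogd does not reach it on its own; rerunning the derivation (for example from the same play, before the template task) keeps the two in step. aa-exec ships in the apparmor utilities package and has to be present on the managed host, since Ansible runs the validate command there.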
