[Bug 1766600] Re: [bionic] apparmor denial for rsyslog modules in multiarch directory and pidfile
Jamie Strandboge
jamie at ubuntu.com
Tue Apr 24 13:40:50 UTC 2018
** Description changed:
With the new bionic upload, when the apparmor profile is enabled,
- rsyslog fails to start (and cause upgrade issues) due to:
+ rsyslog fails to start (and causes upgrade issues) due to:
AVC apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/rsyslogd"
name="/usr/lib/x86_64-linux-gnu/rsyslog/lmnet.so" pid=19949
comm="rsyslogd" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
The profile has this rule:
/usr/lib{,32,64}/rsyslog/*.so mr,
but the new upload puts modules in /usr/lib/x86_64-linux-gnu/rsyslog so
this rule should be adjusted to:
/usr/lib{,32,64}/{,@{multiarch}/}rsyslog/*.so mr,
Fixing that reveals this denial:
AVC apparmor="DENIED" operation="mknod" profile="/usr/sbin/rsyslogd"
name="/run/rsyslogd.pid.tmp" pid=2741 comm="rsyslogd" requested_mask="c"
denied_mask="c" fsuid=0 ouid=0
So we need to adjust this:
- /{,var/}run/rsyslogd.pid rwk,
+ /{,var/}run/rsyslogd.pid rwk,
to be:
- /{,var/}run/rsyslogd.pid{,.tmp} rwk,
+ /{,var/}run/rsyslogd.pid{,.tmp} rwk,
** Tags added: apparmor
--
https://bugs.launchpad.net/bugs/1766600
Title:
[bionic] apparmor denial for rsyslog modules in multiarch directory
and pidfile
Status in rsyslog package in Ubuntu:
In Progress
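The rule changes proposed in this bug, checked against the two quoted denials, as an added example that is not part of the original report or of the rsyslog package. All function names are hypothetical; the sketch models only brace alternation, `*`/`**`/`?` globs and the `@{multiarch}` variable, and assumes the stock tunable value `*-linux-gnu*` and that a `c` (create) request is granted by `w`.

```python
import re

# Assumption: value of the stock tunable in /etc/apparmor.d/tunables/multiarch.
VARS = {"multiarch": "*-linux-gnu*"}
# Simplification: create/delete requests are granted by "w" in a file rule.
IMPLIED_BY = {"c": "w", "d": "w"}
GLOB = {"**": ".*", "*": "[^/]*", "?": "[^/]"}  # "*" and "?" never cross "/"

def expand(pattern):
    """Substitute @{var}, then expand {a,b} alternations into plain globs."""
    pattern = re.sub(r"@\{(\w+)\}", lambda m: VARS[m.group(1)], pattern)
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    return [g for alt in m.group(1).split(",")
            for g in expand(pattern[:m.start()] + alt + pattern[m.end():])]

def to_regex(glob):
    parts = re.split(r"(\*\*|\*|\?)", glob)
    return re.compile("".join(GLOB.get(p, re.escape(p)) for p in parts))

def allows(rule, name, mask):
    """True if one profile file rule grants every requested permission on name."""
    path, perms = rule.rstrip(",").rsplit(None, 1)
    if not all(IMPLIED_BY.get(p, p) in perms for p in mask):
        return False
    return any(to_regex(g).fullmatch(name) for g in expand(path))

def uncovered(rules, avc_lines):
    """Return the (name, denied_mask) denials that no rule would permit."""
    denials = [dict(re.findall(r'(\w+)="([^"]*)"', l)) for l in avc_lines]
    pairs = [(d["name"], d["denied_mask"]) for d in denials]
    return [p for p in pairs if not any(allows(r, *p) for r in rules)]

# The two denials and the rules quoted in the bug, rejoined onto single lines.
AVC = [
    'AVC apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/rsyslogd" '
    'name="/usr/lib/x86_64-linux-gnu/rsyslog/lmnet.so" pid=19949 '
    'comm="rsyslogd" requested_mask="m" denied_mask="m" fsuid=0 ouid=0',
    'AVC apparmor="DENIED" operation="mknod" profile="/usr/sbin/rsyslogd" '
    'name="/run/rsyslogd.pid.tmp" pid=2741 comm="rsyslogd" '
    'requested_mask="c" denied_mask="c" fsuid=0 ouid=0',
]
OLD = ["/usr/lib{,32,64}/rsyslog/*.so mr,", "/{,var/}run/rsyslogd.pid rwk,"]
NEW = ["/usr/lib{,32,64}/{,@{multiarch}/}rsyslog/*.so mr,",
       "/{,var/}run/rsyslogd.pid{,.tmp} rwk,"]

if __name__ == "__main__":
    print("old:", uncovered(OLD, AVC), "new:", uncovered(NEW, AVC))
```

Because `*` does not cross `/`, the widened rules still reject a module in a subdirectory of `rsyslog/` and any pidfile suffix other than `.tmp`.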