[Bug 2009230] Re: AppArmor denials for rsyslog

Andreas Hasenack 2009230 at bugs.launchpad.net
Fri Mar 24 21:54:05 UTC 2023


We talked a bit on IRC[1], and for now we will start with allowing just
/dev/console access, especially since we are about to enter beta freeze,
and that is the least invasive option.

We will later investigate (maybe still within the beta) the tty group
membership issue. It looks like we had it before, so it's not clear how
we lost it: on purpose, or if the change was just lost.

1. https://irclogs.ubuntu.com/2023/03/23/%23ubuntu-security.html#t19:19

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to rsyslog in Ubuntu.
https://bugs.launchpad.net/bugs/2009230

Title:
  AppArmor denials for rsyslog

Status in gce-compute-image-packages package in Ubuntu:
  New
Status in rsyslog package in Ubuntu:
  New
Status in gce-compute-image-packages source package in Lunar:
  New
Status in rsyslog source package in Lunar:
  New

Bug description:
  The AppArmor profile for rsyslog, which had been disabled on previous
  Ubuntu versions, was enabled in lunar.

  The package google-compute-engine added a config file to rsyslog which
  requires rw access to /dev/console.

  google:ubuntu-23.04-64 /root# cat /etc/rsyslog.d/90-google.conf
  # Google Compute Engine default console logging.
  #
  # daemon: logging from Google provided daemons.
  # kern: logging information in case of an unexpected crash during boot.
  #
  daemon,kern.* /dev/console

  google:ubuntu-23.04-64 /root# apt-file search /etc/rsyslog.d/90-google.conf
  google-compute-engine: /etc/rsyslog.d/90-google.conf

  So in gce cloud images, we are getting the following denials:

  [ 1500.302082] audit: type=1400 audit(1677876883.728:495):
  apparmor="DENIED" operation="open" class="file" profile="rsyslogd"
  name="/dev/console" pid=603 comm=72733A6D61696E20513A526567
  requested_mask="ac" denied_mask="ac" fsuid=101 ouid=0

  To fix it, we just need to add
    /dev/console rw,
  to /etc/apparmor.d/usr.sbin.rsyslogd

  or the same permission should be added to a file in
  /etc/apparmor.d/rsyslog.d/ by the google-compute-engine package

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gce-compute-image-packages/+bug/2009230/+subscriptions
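The denial above is the whole evidence the bug rests on, so it is worth being able to read one of these audit lines mechanically: `name=` is the object, `denied_mask=` is what the confined process actually tried to do (here "a" append and "c" create, which AppArmor's profile language expresses as "w"), and `profile=` says which profile to extend. The script below is an added example, not code from the bug report, from Ubuntu or from the rsyslog package. It turns a DENIED line into the smallest file rule that would satisfy it and emits the drop-in snippet the report suggests shipping under /etc/apparmor.d/rsyslog.d/; the sample line is the one from the report, the snippet comment text and the mask-to-permission mapping are mine, and it assumes a POSIX sh with sed.

```shell
#!/bin/sh
# Constructed sample: the denial from the bug report, joined onto one line.
SAMPLE='audit: type=1400 audit(1677876883.728:495): apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/dev/console" pid=603 comm=72733A6D61696E20513A526567 requested_mask="ac" denied_mask="ac" fsuid=101 ouid=0'

# field KEY LINE: print the value of KEY="value" from an audit line.
field() {
  printf '%s\n' "$2" | sed -n "s/.*$1=\"\([^\"]*\)\".*/\1/p"
}

# Map the per-access letters of an AppArmor mask onto profile permissions.
# r stays r; w, a (append) and c (create) all fall under w, since a profile
# "w" already implies append and create; k (lock), m (mmap), l (link) stay.
mask_to_perms() {
  m=$1
  out=""
  case $m in *r*) out="${out}r";; esac
  case $m in *w*|*a*|*c*) out="${out}w";; esac
  case $m in *k*) out="${out}k";; esac
  case $m in *m*) out="${out}m";; esac
  case $m in *l*) out="${out}l";; esac
  printf '%s\n' "$out"
}

# denial_to_rule LINE: print "<path> <perms>," for a file DENIED line,
# or return 1 if the line is not a file denial.
denial_to_rule() {
  line=$1
  [ "$(field apparmor "$line")" = "DENIED" ] || return 1
  [ "$(field class "$line")" = "file" ] || return 1
  path=$(field name "$line")
  perms=$(mask_to_perms "$(field denied_mask "$line")")
  printf '%s %s,\n' "$path" "$perms"
}

# rules_from_log: read audit lines on stdin, print each distinct rule once,
# so a whole journal of repeated denials collapses to a short review list.
rules_from_log() {
  while IFS= read -r line; do
    denial_to_rule "$line" || true
  done | sort -u
}

# dropin_snippet PACKAGE RULE...: content for a snippet the package could
# install under /etc/apparmor.d/rsyslog.d/ (the location the report names).
# The header comment is an assumption, not a convention from the package.
dropin_snippet() {
  printf '# Shipped by %s: let rsyslogd write daemon/kern messages to the console.\n' "$1"
  shift
  for rule in "$@"; do
    printf '  %s\n' "$rule"
  done
}

# Demonstration on the sample line from the report.
denial_to_rule "$SAMPLE"                                     # /dev/console w,
dropin_snippet google-compute-engine "$(denial_to_rule "$SAMPLE")"
# After installing a snippet, reload the profile so the change takes effect:
#   apparmor_parser -r /etc/apparmor.d/usr.sbin.rsyslogd
```

Note that the mask only asks for write access, so `w` is the minimal rule; the `rw,` proposed in the report is a superset that also permits reading from the console device. Either way, reloading the profile and re-checking the audit log for a fresh `profile="rsyslogd" name="/dev/console"` denial is the confirmation that the fix landed.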
