[ubuntu/noble-proposed] rsyslog 8.2312.0-2ubuntu1 (Accepted)
Heinrich Schuchardt
heinrich.schuchardt at canonical.com
Sat Jan 6 18:07:12 UTC 2024
rsyslog (8.2312.0-2ubuntu1) noble; urgency=medium
Merge with Debian unstable (LP: #2045033). Remaining changes:
- d/00rsyslog.conf, d/rsyslog.postinst, d/rsyslog.install: Install
tmpfiles.d snippet to ensure that the syslog group can write into
/var/log/.
- debian/50-default.conf: set of default rules for syslog
+ debian/50-default.conf: separated default rules
+ d/rsyslog.install: install default rules
+ d/rsyslog.postrm: clear default rules on purge
+ d/rsyslog.postrm: remove conf file in postrm on purge. manage with ucf
+ d/rsyslog.postinst: Adapt script to use ucf for Ubuntu's config files
+ debian/control: Add Depends for ucf
- debian/rsyslog.conf:
+ enable $RepeatedMsgReduction to avoid bloating the syslog file.
+ enable $KLogPermitNonKernelFacility for non-kernel klog messages
+ Run as syslog:syslog, set $FileOwner to syslog
+ Remove rules moved to 50-default.conf
- Add AppArmor profile, enabled by default, with support for
AppArmor configuration snippets:
+ d/rsyslog.install: install apparmor rule
+ d/rsyslog.postinst: remove disabling of apparmor on upgrades if
we are upgrading from a version older than $now.
+ d/rules: use dh_apparmor to install profile before rsyslog is started
+ d/control: suggests apparmor (>= 2.3), Build-Depends on
dh-apparmor
+ d/rsyslog.dirs: install /etc/apparmor.d/rsyslog.d
+ d/usr.sbin.rsyslogd apparmor profile for rsyslogd
+ d/{apparmor/rsyslog-mysql,rsyslog-mysql.install}: add apparmor
profile for mysql plugin
+ d/{apparmor/rsyslog-pgsql,rsyslog-pgsql.install}: add apparmor
profile for postgresql plugin
+ d/{apparmor/rsyslog-gnutls.apparmor,rsyslog-gnutls.install}: add
apparmor profile for the gnutls plugin
+ d/{apparmor/rsyslog-openssl.apparmor,rsyslog-gnutls.install}: add
apparmor profile for the openssl plugin
+ New script to reload apparmor profile:
- d/rsyslog.service: reload apparmor profile in ExecStartPre and
set StandardError to journal so we can see errors from the
script
- d/rsyslog.install: install reload-apparmor-profile
- d/reload-apparmor-profile: script to reload the
rsyslogd apparmor profile
+ d/NEWS: add info about apparmor changes in the Ubuntu packaging
+ d/rsyslog.docs, d/README.apparmor: explains how the dynamic
component of the rsyslog apparmor profile is applied
+ d/README.apparmor.rsyslog.d, d/rsyslog.install: install a specific
README file in the apparmor include directory for rsyslog
- d/rules: Fix LDFLAGS to avoid segfault on receipt of first message
- Drop [mm|pm]normalize modules, depending on liblognorm from universe.
+ d/rules: drop --enable-mmnormalize & --enable-pmnormalize
+ d/rsyslog.install: remove mmnormalize
- run as user syslog
+ d/rsyslog.postinst: fix ownership of /var/spool/rsyslog.
+ d/rsyslog.postinst: Create syslog user and add it to adm group
+ d/rsyslog.postinst: Adapt privileges for /var/log
+ debian/control: Add Depends for adduser
- d/dmesg.service, d/rsyslog.install: provide /var/log/dmesg.log as
non log-rotated log for boot-time kernel messages.
- debian/clean: Delete some files left over by the test suite
- Add DEP8 tests (LP #1906333): + d/t/control, d/t/simple-logger:
simple logger test
+ d/t/utils: common function(s)
+ d/t/control, d/t/simple-mysql: DEP8 test using rsyslog with a MySQL server
+ d/t/control, d/t/simple-pgsql: DEP8 test using rsyslog with a PostgreSQL server
+ d/t/apparmor-include-mechanism: DEP8 test for the rsyslog.d include mechanism used by the rsyslog apparmor profile
+ ubuntu: update debian/rsyslog.logcheck.ignore.server
+ Amend list of expected messages d/rsyslog.logcheck.ignore.server
to fix6 armhf autopkgtest (LP #2028935)
* New changes:
+ ubuntu: add CAP_MAC_ADMIN, CAP_SETUID, CAP_SETGID
+ ubuntu: adjust sandboxing
+ d/p/omusrmsg-bugfix-potential-double-free-which-can-caus.patch
* Dropped changes, included in Debian:
+ ubuntu: fix debian/tests/logcheck - apparmor restrictions
rsyslog (8.2312.0-2) unstable; urgency=medium
* Add CAP_DAC_OVERRIDE to CapabilityBoundingSet in rsyslog.service.
It avoids problems when writing to log files by 3rd party programs that
are spawned via omprog. It also makes fileOwner/fileGroup work with
omfile. (Closes: #1059768)
rsyslog (8.2312.0-1) unstable; urgency=medium
* New upstream version 8.2312.0
rsyslog (8.2310.0-4) unstable; urgency=medium
* Drop BindPaths=-/dev/xconsole from rsyslog.service.
This needs to be removed after the switch to /run/xconsole.
(Closes: #1056066)
rsyslog (8.2310.0-3) unstable; urgency=medium
* Drop unused --with-systemdsystemunitdir configure switch.
It's not actually used since we install debian/rsyslog.service via
dh_installsystemd.
* Recommend /run/xconsole for message forwarding to xconsole.
The recent sandboxing of rsyslog broke message forwarding to
/dev/xconsole. It is recommended to use /run/xconsole instead and
replace /dev/xconsole with a symlink pointing at /run/xconsole.
Update the example files and add a corresponding NEWS entry.
(Closes: #1056066)
rsyslog (8.2310.0-2) unstable; urgency=medium
[ Richard Lewis ]
* Update autopkgtest now that rsyslog.service is hardened
Previously, rsyslog was told to put its entries in
/tmp/test-rsyslog-syslog.log which was then checked with logcheck.
But rsyslog.service now runs with PrivateTmp=true which means
test-rsyslog-syslog.log is not available after the service ends.
(Additionally, improve diagnostic messages when no output was detected)
(Closes: #1053898)
[ Michael Biebl ]
* Limit exposure to remote access.
Use `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX` to limit the set
of socket address families accessible to rsyslog.
Thanks to Robert Edmonds <edmonds at debian.org>
* Make /dev/xconsole available in rsyslog.service.
This was broken by the recent hardening of the service. Make the
xconsole pipe available if enabled. (Closes: #1053913)
rsyslog (8.2310.0-1) unstable; urgency=medium
* New upstream version 8.2310.0
* Enable various systemd sandboxing and security hardening features in
rsyslog.service (Closes: #688889, #771636)
rsyslog (8.2308.0-1) unstable; urgency=medium
* New upstream version 8.2308.0
Date: Wed, 03 Jan 2024 14:20:22 +0100
Changed-By: Heinrich Schuchardt <heinrich.schuchardt at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Nick Rosbrook <nick.rosbrook at canonical.com>
https://launchpad.net/ubuntu/+source/rsyslog/8.2312.0-2ubuntu1
-------------- next part --------------
Format: 1.8
Date: Wed, 03 Jan 2024 14:20:22 +0100
Source: rsyslog
Built-For-Profiles: noudeb
Architecture: source
Version: 8.2312.0-2ubuntu1
Distribution: noble
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Heinrich Schuchardt <heinrich.schuchardt at canonical.com>
Closes: 688889 771636 1053898 1053913 1056066 1059768
Launchpad-Bugs-Fixed: 2045033
Changes:
rsyslog (8.2312.0-2ubuntu1) noble; urgency=medium
.
Merge with Debian unstable (LP: #2045033). Remaining changes:
- d/00rsyslog.conf, d/rsyslog.postinst, d/rsyslog.install: Install
tmpfiles.d snippet to ensure that the syslog group can write into
/var/log/.
- debian/50-default.conf: set of default rules for syslog
+ debian/50-default.conf: separated default rules
+ d/rsyslog.install: install default rules
+ d/rsyslog.postrm: clear default rules on purge
+ d/rsyslog.postrm: remove conf file in postrm on purge. manage with ucf
+ d/rsyslog.postinst: Adapt script to use ucf for Ubuntu's config files
+ debian/control: Add Depends for ucf
- debian/rsyslog.conf:
+ enable $RepeatedMsgReduction to avoid bloating the syslog file.
+ enable $KLogPermitNonKernelFacility for non-kernel klog messages
+ Run as syslog:syslog, set $FileOwner to syslog
+ Remove rules moved to 50-default.conf
- Add AppArmor profile, enabled by default, with support for
AppArmor configuration snippets:
+ d/rsyslog.install: install apparmor rule
+ d/rsyslog.postinst: remove disabling of apparmor on upgrades if
we are upgrading from a version older than $now.
+ d/rules: use dh_apparmor to install profile before rsyslog is started
+ d/control: suggests apparmor (>= 2.3), Build-Depends on
dh-apparmor
+ d/rsyslog.dirs: install /etc/apparmor.d/rsyslog.d
+ d/usr.sbin.rsyslogd apparmor profile for rsyslogd
+ d/{apparmor/rsyslog-mysql,rsyslog-mysql.install}: add apparmor
profile for mysql plugin
+ d/{apparmor/rsyslog-pgsql,rsyslog-pgsql.install}: add apparmor
profile for postgresql plugin
+ d/{apparmor/rsyslog-gnutls.apparmor,rsyslog-gnutls.install}: add
apparmor profile for the gnutls plugin
+ d/{apparmor/rsyslog-openssl.apparmor,rsyslog-gnutls.install}: add
apparmor profile for the openssl plugin
+ New script to reload apparmor profile:
- d/rsyslog.service: reload apparmor profile in ExecStartPre and
set StandardError to journal so we can see errors from the
script
- d/rsyslog.install: install reload-apparmor-profile
- d/reload-apparmor-profile: script to reload the
rsyslogd apparmor profile
+ d/NEWS: add info about apparmor changes in the Ubuntu packaging
+ d/rsyslog.docs, d/README.apparmor: explains how the dynamic
component of the rsyslog apparmor profile is applied
+ d/README.apparmor.rsyslog.d, d/rsyslog.install: install a specific
README file in the apparmor include directory for rsyslog
- d/rules: Fix LDFLAGS to avoid segfault on receipt of first message
- Drop [mm|pm]normalize modules, depending on liblognorm from universe.
+ d/rules: drop --enable-mmnormalize & --enable-pmnormalize
+ d/rsyslog.install: remove mmnormalize
- run as user syslog
+ d/rsyslog.postinst: fix ownership of /var/spool/rsyslog.
+ d/rsyslog.postinst: Create syslog user and add it to adm group
+ d/rsyslog.postinst: Adapt privileges for /var/log
+ debian/control: Add Depends for adduser
- d/dmesg.service, d/rsyslog.install: provide /var/log/dmesg.log as
non log-rotated log for boot-time kernel messages.
- debian/clean: Delete some files left over by the test suite
- Add DEP8 tests (LP #1906333): + d/t/control, d/t/simple-logger:
simple logger test
+ d/t/utils: common function(s)
+ d/t/control, d/t/simple-mysql: DEP8 test using rsyslog with a MySQL server
+ d/t/control, d/t/simple-pgsql: DEP8 test using rsyslog with a PostgreSQL server
+ d/t/apparmor-include-mechanism: DEP8 test for the rsyslog.d include mechanism used by the rsyslog apparmor profile
+ ubuntu: update debian/rsyslog.logcheck.ignore.server
+ Amend list of expected messages d/rsyslog.logcheck.ignore.server
to fix6 armhf autopkgtest (LP #2028935)
.
* New changes:
+ ubuntu: add CAP_MAC_ADMIN, CAP_SETUID, CAP_SETGID
+ ubuntu: adjust sandboxing
+ d/p/omusrmsg-bugfix-potential-double-free-which-can-caus.patch
.
* Dropped changes, included in Debian:
+ ubuntu: fix debian/tests/logcheck - apparmor restrictions
.
rsyslog (8.2312.0-2) unstable; urgency=medium
.
* Add CAP_DAC_OVERRIDE to CapabilityBoundingSet in rsyslog.service.
It avoids problems when writing to log files by 3rd party programs that
are spawned via omprog. It also makes fileOwner/fileGroup work with
omfile. (Closes: #1059768)
.
rsyslog (8.2312.0-1) unstable; urgency=medium
.
* New upstream version 8.2312.0
.
rsyslog (8.2310.0-4) unstable; urgency=medium
.
* Drop BindPaths=-/dev/xconsole from rsyslog.service.
This needs to be removed after the switch to /run/xconsole.
(Closes: #1056066)
.
rsyslog (8.2310.0-3) unstable; urgency=medium
.
* Drop unused --with-systemdsystemunitdir configure switch.
It's not actually used since we install debian/rsyslog.service via
dh_installsystemd.
* Recommend /run/xconsole for message forwarding to xconsole.
The recent sandboxing of rsyslog broke message forwarding to
/dev/xconsole. It is recommended to use /run/xconsole instead and
replace /dev/xconsole with a symlink pointing at /run/xconsole.
Update the example files and add a corresponding NEWS entry.
(Closes: #1056066)
.
rsyslog (8.2310.0-2) unstable; urgency=medium
.
[ Richard Lewis ]
* Update autopkgtest now that rsyslog.service is hardened
Previously, rsyslog was told to put its entries in
/tmp/test-rsyslog-syslog.log which was then checked with logcheck.
But rsyslog.service now runs with PrivateTmp=true which means
test-rsyslog-syslog.log is not available after the service ends.
(Additionally, improve diagnostic messages when no output was detected)
(Closes: #1053898)
.
[ Michael Biebl ]
* Limit exposure to remote access.
Use `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX` to limit the set
of socket address families accessible to rsyslog.
Thanks to Robert Edmonds <edmonds at debian.org>
* Make /dev/xconsole available in rsyslog.service.
This was broken by the recent hardening of the service. Make the
xconsole pipe available if enabled. (Closes: #1053913)
.
rsyslog (8.2310.0-1) unstable; urgency=medium
.
* New upstream version 8.2310.0
* Enable various systemd sandboxing and security hardening features in
rsyslog.service (Closes: #688889, #771636)
.
rsyslog (8.2308.0-1) unstable; urgency=medium
.
* New upstream version 8.2308.0
Checksums-Sha1:
df14c6a6a80724c4305df06d1265f42a8166b136 3528 rsyslog_8.2312.0-2ubuntu1.dsc
908645e482717d0784112aec45ea613e1970b9d6 3358109 rsyslog_8.2312.0.orig.tar.gz
4d9e5245e3123cbdacdb15b22fcf84a1ef892d6a 47748 rsyslog_8.2312.0-2ubuntu1.debian.tar.xz
8b8043651d9fd3680769727b112b5430e122ef09 9724 rsyslog_8.2312.0-2ubuntu1_source.buildinfo
Checksums-Sha256:
1cacf743a7181358231731b44324f723aef525e4cef8945bbad58f8b8babf567 3528 rsyslog_8.2312.0-2ubuntu1.dsc
774032006128a896437f5913e132aa27dbfb937cd8847e449522d5a12d63d03e 3358109 rsyslog_8.2312.0.orig.tar.gz
74be6f059bcc85eba3b026db2c8f44c1b4acd39b58eedb8e0d068420e0e5253a 47748 rsyslog_8.2312.0-2ubuntu1.debian.tar.xz
d094c33cd168f5663bd1b053186558c585eafe8e5698669020ebe58507ce2b1a 9724 rsyslog_8.2312.0-2ubuntu1_source.buildinfo
Files:
ae3c98be4d757937587c8b485d94e10b 3528 admin optional rsyslog_8.2312.0-2ubuntu1.dsc
632381aead68840967c74fbb564436cc 3358109 admin optional rsyslog_8.2312.0.orig.tar.gz
b98940bd3b52279c4165850bac41eac2 47748 admin optional rsyslog_8.2312.0-2ubuntu1.debian.tar.xz
f7c00ef2a21e872586289829590bc225 9724 admin optional rsyslog_8.2312.0-2ubuntu1_source.buildinfo
Original-Maintainer: Michael Biebl <biebl at debian.org>
Vcs-Git: https://git.launchpad.net/~xypron/ubuntu/+source/rsyslog
Vcs-Git-Commit: ed3634b9d137a142579e2d47da7005475ec4f0af
Vcs-Git-Ref: refs/heads/merge-lp2045033-noble-8.2312.0-2
More information about the noble-changes
mailing list