Bug 746965 - sec-policy/apparmor-profiles - syslog-ng profile denies syslog-ng operations
Summary: sec-policy/apparmor-profiles - syslog-ng profile denies syslog-ng operations
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: The Gentoo Linux Hardened Team
Reported: 2020-10-07 01:06 UTC by Angel Chinchilla
Modified: 2021-01-31 17:01 UTC
Attachments
emerge info (file_746965.txt,5.91 KB, text/plain)
2020-10-07 01:06 UTC, Angel Chinchilla
aa-status (file_746965.txt,1.61 KB, text/plain)
2020-10-07 01:15 UTC, Angel Chinchilla

Description Angel Chinchilla 2020-10-07 01:06:19 UTC
Created attachment 664141
emerge info

For the moment, I set the syslog-ng profile to complain mode.

Oct  6 18:23:38 angel-latitude7350 kernel: audit: type=1400 audit(1602030218.244:552): apparmor="DENIED" operation="open" profile="syslog-ng" name="/proc/6286/cmdline" pid=3247 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct  6 18:23:38 angel-latitude7350 kernel: audit: type=1400 audit(1602030218.244:553): apparmor="DENIED" operation="open" profile="syslog-ng" name="/proc/6286/loginuid" pid=3247 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct  6 18:23:38 angel-latitude7350 kernel: audit: type=1400 audit(1602030218.244:554): apparmor="DENIED" operation="open" profile="syslog-ng" name="/proc/6286/sessionid" pid=3247 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct  6 18:24:06 angel-latitude7350 syslog-ng[3247]: Error opening file for writing; filename='/dev/tty12', error='Permission denied (13)'
Oct  6 18:24:06 angel-latitude7350 kernel: audit: type=1400 audit(1602030246.015:555): apparmor="DENIED" operation="open" profile="syslog-ng" name="/dev/tty12" pid=3247 comm="syslog-ng" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0
Oct  6 18:25:06 angel-latitude7350 syslog-ng[3247]: Error opening file for writing; filename='/dev/tty12', error='Permission denied (13)'
Oct  6 18:25:06 angel-latitude7350 kernel: audit: type=1400 audit(1602030306.015:556): apparmor="DENIED" operation="open" profile="syslog-ng" name="/dev/tty12" pid=3247 comm="syslog-ng" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0
Oct  6 18:26:06 angel-latitude7350 syslog-ng[3247]: Error opening file for writing; filename='/dev/tty12', error='Permission denied (13)'
Oct  6 18:26:06 angel-latitude7350 kernel: audit: type=1400 audit(1602030366.015:557): apparmor="DENIED" operation="open" profile="syslog-ng" name="/dev/tty12" pid=3247 comm="syslog-ng" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0
Oct  6 18:26:55 angel-latitude7350 syslog-ng[3247]: Error opening file for writing; filename='/dev/tty12', error='Permission denied (13)'
Comment 1 Angel Chinchilla 2020-10-07 01:15:49 UTC
Created attachment 664144
aa-status
Comment 2 onkobu 2021-01-31 17:01:58 UTC
The profile itself is broken. Syslog-ng has its executable in /usr/sbin (equery -f syslog-ng | grep syslog-ng) while the profile is named (/etc/apparmor.d/)sbin.syslog-ng.

Instead the profile (in /etc/apparmor.d) must be renamed to usr.sbin.syslog-ng. After that it also needs to be adjusted. To get out of this:

1. as root, in /etc/apparmor.d/, cp sbin.syslog-ng usr.sbin.syslog-ng
2. reload apparmor service, e.g. /etc/init.d/apparmor reload
3. let it settle for a while, still printing out errors/warnings to /var/log/messages
4. run aa-genprof /usr/sbin/syslog-ng

The last step will suggest some modifications of the existing profile. You can skip/quit at any time. It will suggest some read permissions and at least one additional write permission depending on the syslog-ng settings. (Basically it spills out on TTY12, too.)

I can confirm that syslog-ng runs fine without any of the modifications mentioned here. But it spills the log with pointless warnings. (I assume syslog-ng's config is on purpose and writing log to TTY12 is intentional.)
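
An added example, not part of the bug report or of either commenter's posts: a short Python script that groups AppArmor DENIED audit records like those in the description by profile, path and denied permission, so the per-pid /proc reads and the once-a-minute /dev/tty12 denials each collapse to a single line. The sample input is constructed from the log format quoted above (hostname shortened); the function names and the readable names given to the mask letters are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample, following the audit lines quoted in the report
# (hostname shortened to "host").
SAMPLE = """\
Oct  6 18:23:38 host kernel: audit: type=1400 audit(1602030218.244:552): apparmor="DENIED" operation="open" profile="syslog-ng" name="/proc/6286/cmdline" pid=3247 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct  6 18:23:38 host kernel: audit: type=1400 audit(1602030218.244:553): apparmor="DENIED" operation="open" profile="syslog-ng" name="/proc/6286/loginuid" pid=3247 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct  6 18:24:06 host syslog-ng[3247]: Error opening file for writing; filename='/dev/tty12', error='Permission denied (13)'
Oct  6 18:24:06 host kernel: audit: type=1400 audit(1602030246.015:555): apparmor="DENIED" operation="open" profile="syslog-ng" name="/dev/tty12" pid=3247 comm="syslog-ng" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0
Oct  6 18:25:06 host kernel: audit: type=1400 audit(1602030306.015:556): apparmor="DENIED" operation="open" profile="syslog-ng" name="/dev/tty12" pid=3247 comm="syslog-ng" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Readable names for the mask letters seen in these records (assumed labels).
MASK_NAMES = {"r": "read", "w": "write", "a": "append", "c": "create"}


def parse_denials(text):
    """Return one dict of key=value fields per AppArmor DENIED audit record."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue  # skip syslog-ng's own "Permission denied" messages
        records.append({k: (q if q else u) for k, q, u in FIELD.findall(line)})
    return records


def normalize(path):
    """Collapse per-process /proc/<pid>/ paths so repeats group together."""
    return re.sub(r"^/proc/\d+/", "/proc/<pid>/", path)


def summarize(text):
    """Count denials per (profile, normalized path, denied permissions)."""
    counts = Counter()
    for rec in parse_denials(text):
        perms = "+".join(MASK_NAMES.get(c, c) for c in rec.get("denied_mask", ""))
        counts[(rec.get("profile"), normalize(rec.get("name", "")), perms)] += 1
    return counts


if __name__ == "__main__":
    for (profile, path, perms), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {profile:12s} {perms:14s} {path}")
```

Run against /var/log/messages by passing the file's contents to summarize(); the grouped output is a quick way to review what aa-genprof will ask about before accepting its suggestions.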