Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 746965 - sec-policy/apparmor-profiles - syslog-ng profile denies syslog-ng operations
Summary: sec-policy/apparmor-profiles - syslog-ng profile denies syslog-ng operations
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: AMD64 Linux
: Normal normal
Assignee: The Gentoo Linux Hardened Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-10-07 01:06 UTC by Angel Chinchilla
Modified: 2021-01-31 17:01 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments
emerge info (file_746965.txt,5.91 KB, text/plain)
2020-10-07 01:06 UTC, Angel Chinchilla
Details
aa-status (file_746965.txt,1.61 KB, text/plain)
2020-10-07 01:15 UTC, Angel Chinchilla
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Angel Chinchilla 2020-10-07 01:06:19 UTC
Created attachment 664141 [details]
emerge info

For the moment, i set syslog-ng profile in complain

Oct  6 18:23:38 angel-latitude7350 kernel: audit: type=1400 audit(1602030218.244:552): apparmor="DENIED" operation="open" profile="syslog-ng" name="/proc/6286/cmdline" pid=3247 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 
ouid=0
Oct  6 18:23:38 angel-latitude7350 kernel: audit: type=1400 audit(1602030218.244:553): apparmor="DENIED" operation="open" profile="syslog-ng" name="/proc/6286/loginuid" pid=3247 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0
 ouid=0
Oct  6 18:23:38 angel-latitude7350 kernel: audit: type=1400 audit(1602030218.244:554): apparmor="DENIED" operation="open" profile="syslog-ng" name="/proc/6286/sessionid" pid=3247 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=
0 ouid=0
Oct  6 18:24:06 angel-latitude7350 syslog-ng[3247]: Error opening file for writing; filename='/dev/tty12', error='Permission denied (13)'
Oct  6 18:24:06 angel-latitude7350 kernel: audit: type=1400 audit(1602030246.015:555): apparmor="DENIED" operation="open" profile="syslog-ng" name="/dev/tty12" pid=3247 comm="syslog-ng" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0
Oct  6 18:25:06 angel-latitude7350 syslog-ng[3247]: Error opening file for writing; filename='/dev/tty12', error='Permission denied (13)'
Oct  6 18:25:06 angel-latitude7350 kernel: audit: type=1400 audit(1602030306.015:556): apparmor="DENIED" operation="open" profile="syslog-ng" name="/dev/tty12" pid=3247 comm="syslog-ng" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0
Oct  6 18:26:06 angel-latitude7350 syslog-ng[3247]: Error opening file for writing; filename='/dev/tty12', error='Permission denied (13)'
Oct  6 18:26:06 angel-latitude7350 kernel: audit: type=1400 audit(1602030366.015:557): apparmor="DENIED" operation="open" profile="syslog-ng" name="/dev/tty12" pid=3247 comm="syslog-ng" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0
Oct  6 18:26:55 angel-latitude7350 syslog-ng[3247]: Error opening file for writing; filename='/dev/tty12', error='Permission denied (13)'
Comment 1 Angel Chinchilla 2020-10-07 01:15:49 UTC
Created attachment 664144 [details]
aa-status
Comment 2 onkobu 2021-01-31 17:01:58 UTC
The profile itself is broken. Syslog-ng has its executable in /usr/sbin (equery -f syslog-ng | grep syslog-ng) while the profile is named (/etc/apparmor.d/)sbin.syslog-ng.

Instead the profile (in /etc/apparmor.d) must be renamed to usr.sbin.syslog-ng. After that it also needs to be adjusted. To get out of this:

1. as root, in /etc/apparmor.d/, cp sbin.syslog-ng usr.sbin.syslog-ng
2. reload apparmor service, e.g. /etc/init.d/apparmor reload
3. let it settle for a while, still printing out errors/ warnings to /var/log/messages
4. run aa-genprof /usr/sbin/syslog-ng

The last step will suggest some modifications of the existing profile. You can skip/ quit at any time. It will suggest some read-permissions and at least one additional write-permission depending on the syslog-ng-settings. (Basically it spills out on TTY12, too.)

I can confirm that syslog-ng runs fine without any of the modifications mentioned here. But it spills the log with pointless warnings. (I assume syslog-ng's config is on purpose and writing log to TTY12 is intentional.)