Bug 614068

Summary: app-admin/syslog-ng does not work with sys-apps/apparmor
Product: Gentoo Linux
Reporter: vm666
Component: Current packages
Assignee: Michael Palimaka (kensington) <kensington>
Status: RESOLVED TEST-REQUEST
Severity: normal
CC: hardened, hydrapolic, kfm, vk-gentoo-bugs
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: emerge-info.txt
emerge-history.txt
environment
etc.portage.tbz2
logs.tbz2
sys-apps:apparmor-2.11.0:20170709-153203.log

Description vm666 2017-03-27 11:46:50 UTC
app-admin/syslog-ng fails to start when profiles from sec-policy/apparmor-profiles-2.10.1-r1 or 2.11.0 are loaded.
The error is:
 * Checking your configfile (/etc/syslog-ng/syslog-ng.conf) ...
Error parsing source, source plugin system not found in /etc/syslog-ng/syslog-ng.conf at line 25, column 14:
source src { system(); internal(); };
             ^^^^^^
The log contains:
apparmor="DENIED" operation="open" profile="syslog-ng" name="/usr/share/include/scl/" pid=2495 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I fixed this (plus other DENIED errors) by adding these AppArmor rules:

/usr/share/include/scl/ r,
/usr/share/include/scl/* r,
/usr/share/include/scl/** r,
/dev/kmsg r,
/proc/1/cgroup r,
/proc/uptime r,
/dev/tty12 rw,
/proc/*/loginuid r,
/proc/*/cmdline r,
/proc/*/sessionid r,
Comment 1 Michael Palimaka (kensington) gentoo-dev 2017-04-09 01:46:36 UTC
The profiles included with that package are as upstream ships them.

There's some effort to make Gentoo-specific profiles at https://github.com/gentoo/gentoo-apparmor-profiles but that's mostly a one-person show so far.
Comment 2 Toralf Förster gentoo-dev 2017-07-09 15:36:50 UTC
Appeared recently on the tinderbox image 13.0_20170706-210712
Comment 3 Toralf Förster gentoo-dev 2017-07-09 15:36:53 UTC
Created attachment 482744
emerge-info.txt
Comment 4 Toralf Förster gentoo-dev 2017-07-09 15:36:56 UTC
Created attachment 482746
emerge-history.txt
Comment 5 Toralf Förster gentoo-dev 2017-07-09 15:36:59 UTC
Created attachment 482748
environment
Comment 6 Toralf Förster gentoo-dev 2017-07-09 15:37:03 UTC
Created attachment 482750
etc.portage.tbz2
Comment 7 Toralf Förster gentoo-dev 2017-07-09 15:37:06 UTC
Created attachment 482752
logs.tbz2
Comment 8 Toralf Förster gentoo-dev 2017-07-09 15:37:09 UTC
Created attachment 482754
sys-apps:apparmor-2.11.0:20170709-153203.log
Comment 9 Pacho Ramos gentoo-dev 2017-11-21 21:08:31 UTC
*** Bug 631506 has been marked as a duplicate of this bug. ***
Comment 10 Michael Palimaka (kensington) gentoo-dev 2019-04-04 10:53:13 UTC
The startup SCL failure should be fixed as the SCL installation path now matches the upstream AppArmor profile.

Regarding the other denials, I am hesitant to make any changes unless we can justify why each new allow is needed.

Please feel free to reopen this if things are not working as you expect.
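
Comment 10 asks for a justification for each new allow. The following Python script is an added example, not part of the bug report or of any Gentoo or AppArmor tooling: it groups DENIED records like the one in the description by profile and path and emits candidate rules annotated with the evidence behind each. Only the first sample line comes from the report; the remaining sample lines and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Line 1 is the denial quoted in the report; the rest are constructed samples.
SAMPLE_LOG = """\
apparmor="DENIED" operation="open" profile="syslog-ng" name="/usr/share/include/scl/" pid=2495 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="syslog-ng" name="/proc/uptime" pid=2495 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="syslog-ng" name="/proc/uptime" pid=2501 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="syslog-ng" name="/dev/tty12" pid=2501 comm="syslog-ng" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
apparmor="ALLOWED" operation="open" profile="syslog-ng" name="/etc/example.conf" pid=2501 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PERM_ORDER = "rwaxmlk"  # order used when writing the merged permission mask

def parse_denial(line):
    """Return the key=value fields of a DENIED file record, else None."""
    f = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
    required = ("profile", "name", "denied_mask")
    if f.get("apparmor") != "DENIED" or any(k not in f for k in required):
        return None
    return f

def candidate_rules(log_text):
    """Map profile -> sorted rule lines, each annotated with its evidence."""
    seen = defaultdict(lambda: {"mask": set(), "ops": set(), "comms": set(), "hits": 0})
    for line in log_text.splitlines():
        f = parse_denial(line)
        if f is None:
            continue
        ev = seen[(f["profile"], f["name"])]
        # The log's create/delete bits (c, d) are covered by 'w' in a profile.
        ev["mask"].update(f["denied_mask"].replace("c", "w").replace("d", "w"))
        ev["ops"].add(f.get("operation", "?"))
        ev["comms"].add(f.get("comm", "?"))
        ev["hits"] += 1
    rules = defaultdict(list)
    for profile, path in sorted(seen):
        ev = seen[(profile, path)]
        mask = "".join(p for p in PERM_ORDER if p in ev["mask"])
        why = f'{ev["hits"]}x {"/".join(sorted(ev["ops"]))} by {"/".join(sorted(ev["comms"]))}'
        rules[profile].append(f"{path} {mask},  # {why}")
    return dict(rules)

if __name__ == "__main__":
    for profile, lines in candidate_rules(SAMPLE_LOG).items():
        print(f"profile {profile}:")
        for rule in lines:
            print("  " + rule)
```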