
Bug 746965

Summary: sec-policy/apparmor-profiles - syslog-ng profile denies syslog-ng operations
Product: Gentoo Linux
Reporter: Angel Chinchilla <Angelerazo894>
Component: Hardened
Assignee: The Gentoo Linux Hardened Team <hardened>
Status: UNCONFIRMED ---
Severity: normal
Priority: Normal
Version: unspecified
Hardware: AMD64
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: emerge info, aa-status

Description Angel Chinchilla 2020-10-07 01:06:19 UTC
Created attachment 664141 [details]
emerge info

For the moment, I set the syslog-ng profile to complain mode.

Oct  6 18:23:38 angel-latitude7350 kernel: audit: type=1400 audit(1602030218.244:552): apparmor="DENIED" operation="open" profile="syslog-ng" name="/proc/6286/cmdline" pid=3247 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct  6 18:23:38 angel-latitude7350 kernel: audit: type=1400 audit(1602030218.244:553): apparmor="DENIED" operation="open" profile="syslog-ng" name="/proc/6286/loginuid" pid=3247 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct  6 18:23:38 angel-latitude7350 kernel: audit: type=1400 audit(1602030218.244:554): apparmor="DENIED" operation="open" profile="syslog-ng" name="/proc/6286/sessionid" pid=3247 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct  6 18:24:06 angel-latitude7350 syslog-ng[3247]: Error opening file for writing; filename='/dev/tty12', error='Permission denied (13)'
Oct  6 18:24:06 angel-latitude7350 kernel: audit: type=1400 audit(1602030246.015:555): apparmor="DENIED" operation="open" profile="syslog-ng" name="/dev/tty12" pid=3247 comm="syslog-ng" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0
Oct  6 18:25:06 angel-latitude7350 syslog-ng[3247]: Error opening file for writing; filename='/dev/tty12', error='Permission denied (13)'
Oct  6 18:25:06 angel-latitude7350 kernel: audit: type=1400 audit(1602030306.015:556): apparmor="DENIED" operation="open" profile="syslog-ng" name="/dev/tty12" pid=3247 comm="syslog-ng" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0
Oct  6 18:26:06 angel-latitude7350 syslog-ng[3247]: Error opening file for writing; filename='/dev/tty12', error='Permission denied (13)'
Oct  6 18:26:06 angel-latitude7350 kernel: audit: type=1400 audit(1602030366.015:557): apparmor="DENIED" operation="open" profile="syslog-ng" name="/dev/tty12" pid=3247 comm="syslog-ng" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0
Oct  6 18:26:55 angel-latitude7350 syslog-ng[3247]: Error opening file for writing; filename='/dev/tty12', error='Permission denied (13)'

Comment 1 Angel Chinchilla 2020-10-07 01:15:49 UTC
Created attachment 664144 [details]
aa-status

Comment 2 onkobu 2021-01-31 17:01:58 UTC
The profile itself is broken. Syslog-ng has its executable in /usr/sbin (equery -f syslog-ng | grep syslog-ng) while the profile is named (/etc/apparmor.d/)sbin.syslog-ng.

Instead the profile (in /etc/apparmor.d) must be renamed to usr.sbin.syslog-ng. After that it also needs to be adjusted. To get out of this:

1. as root, in /etc/apparmor.d/, cp sbin.syslog-ng usr.sbin.syslog-ng
2. reload apparmor service, e.g. /etc/init.d/apparmor reload
3. let it settle for a while, still printing out errors/warnings to /var/log/messages
4. run aa-genprof /usr/sbin/syslog-ng

The last step will suggest some modifications of the existing profile. You can skip/quit at any time. It will suggest some read-permissions and at least one additional write-permission depending on the syslog-ng-settings. (Basically it spills out on TTY12, too.)

I can confirm that syslog-ng runs fine without any of the modifications mentioned here. But it spills the log with pointless warnings. (I assume syslog-ng's config is on purpose and writing log to TTY12 is intentional.)
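
An added example, not part of the bug report or of the apparmor-profiles package: a small Python summarizer that groups the `apparmor="DENIED"` audit lines from this report into candidate profile rules, so the suggestions from `aa-genprof` can be checked against what the log actually shows. It assumes the profile includes the standard AppArmor tunables that define `@{PROC}` and `@{pid}`, and it uses a simplified mask mapping in which the log-only letters `c` (create) and `d` (delete), as well as append, are covered by `w`; the sample log is constructed from the lines above, with one extra PID invented to show grouping.

```python
import re
from collections import Counter

# Constructed sample in the format of the report above (hostname shortened).
# The PID 7001 line is invented to show that per-PID /proc paths are grouped.
SAMPLE_LOG = """\
Oct  6 18:23:38 host kernel: audit: type=1400 audit(1602030218.244:552): apparmor="DENIED" operation="open" profile="syslog-ng" name="/proc/6286/cmdline" pid=3247 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct  6 18:23:38 host kernel: audit: type=1400 audit(1602030218.244:553): apparmor="DENIED" operation="open" profile="syslog-ng" name="/proc/6286/loginuid" pid=3247 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct  6 18:23:38 host kernel: audit: type=1400 audit(1602030218.244:554): apparmor="DENIED" operation="open" profile="syslog-ng" name="/proc/6286/sessionid" pid=3247 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct  6 18:23:40 host kernel: audit: type=1400 audit(1602030220.100:555): apparmor="DENIED" operation="open" profile="syslog-ng" name="/proc/7001/cmdline" pid=3247 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct  6 18:24:06 host syslog-ng[3247]: Error opening file for writing; filename='/dev/tty12', error='Permission denied (13)'
Oct  6 18:24:06 host kernel: audit: type=1400 audit(1602030246.015:556): apparmor="DENIED" operation="open" profile="syslog-ng" name="/dev/tty12" pid=3247 comm="syslog-ng" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0
Oct  6 18:25:06 host kernel: audit: type=1400 audit(1602030306.015:557): apparmor="DENIED" operation="open" profile="syslog-ng" name="/dev/tty12" pid=3247 comm="syslog-ng" requested_mask="ac" denied_mask="ac" fsuid=0 ouid=0
"""

KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key="quoted value" or key=bare

def parse_denials(text):
    """Yield a dict of key/value fields for each AppArmor DENIED audit line."""
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue  # skip syslog-ng's own error messages and other noise
        yield {k: (q if v.startswith('"') else v) for k, v, q in KV.findall(line)}

def generalize(path):
    """Replace a numeric PID under /proc with @{PROC}/@{pid} (assumed tunables)."""
    return re.sub(r'^/proc/\d+/', '@{PROC}/@{pid}/', path)

def to_profile_mode(mask):
    """Map audit-log mask letters to profile permissions (simplified mapping)."""
    perms = set(mask)
    if perms & set("wcd"):  # create/delete exist only in logs; "w" covers them
        perms = (perms - set("wcda")) | {"w"}  # "w" and "a" cannot be combined
    return "".join(p for p in "rwalkm" if p in perms)

def summarize(text):
    """Return a Counter of (profile, candidate rule) for every denied access."""
    counts = Counter()
    for ev in parse_denials(text):
        if "name" in ev and "denied_mask" in ev:
            rule = f'{generalize(ev["name"])} {to_profile_mode(ev["denied_mask"])},'
            counts[(ev["profile"], rule)] += 1
    return counts

if __name__ == "__main__":
    for (profile, rule), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{profile}: {rule}  # denied {n}x")
```

Each printed rule is a candidate to review, not a change to apply blindly: whether syslog-ng should write to `/dev/tty12` at all depends on its configuration, as the comment above notes.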