[pkg-apparmor] Bug#1030153: journald floods itself with apparmor warnings

Antoine Beaupre anarcat at debian.org
Tue Jan 31 16:58:05 GMT 2023 

Package: apparmor
Version: 3.0.8-2
Severity: important

I'm not sure where to lay the blame here, but I can't really use
journalctl since the bookworm upgrade here anymore.


anarcat at marcos:~$ journalctl -n 10| tail -10
jan 31 11:56:02 marcos audit[2208193]: AVC apparmor="ALLOWED" operation="open" profile="/usr/sbin/sshd//null-/usr/bin/bash//null-/usr/bin/screen//null-/usr/bin/bash//null-/usr/bin/journalctl" name="/var/log/journal/3840589866da411b178e07aa0000001d/user-1041 at 3109a3dba85e4c67820c02b55f829e1e-000000000d34f9da-0005f3830e701d7e.journal" pid=2208193 comm="journalctl" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
jan 31 11:56:02 marcos audit[2208193]: AVC apparmor="ALLOWED" operation="open" profile="/usr/sbin/sshd//null-/usr/bin/bash//null-/usr/bin/screen//null-/usr/bin/bash//null-/usr/bin/journalctl" name="/var/log/journal/3840589866da411b178e07aa0000001d/user-1046 at 52cb1b4160de4973b22b9d1e879ceafe-000000000d1c3822-0005f36d67b663da.journal" pid=2208193 comm="journalctl" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
jan 31 11:56:02 marcos audit[2208193]: AVC apparmor="ALLOWED" operation="open" profile="/usr/sbin/sshd//null-/usr/bin/bash//null-/usr/bin/screen//null-/usr/bin/bash//null-/usr/bin/journalctl" name="/var/log/journal/3840589866da411b178e07aa0000001d/system at c4b260b6361649e1819ca8a888938e1d-000000000d3d0d11-0005f391218d8df8.journal" pid=2208193 comm="journalctl" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
jan 31 11:56:02 marcos audit[2208193]: AVC apparmor="ALLOWED" operation="open" profile="/usr/sbin/sshd//null-/usr/bin/bash//null-/usr/bin/screen//null-/usr/bin/bash//null-/usr/bin/journalctl" name="/var/log/journal/3840589866da411b178e07aa0000001d/user-1041 at 3109a3dba85e4c67820c02b55f829e1e-000000000d1c23b4-0005f36d51aba5d8.journal" pid=2208193 comm="journalctl" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
jan 31 11:56:02 marcos audit[2208193]: AVC apparmor="ALLOWED" operation="open" profile="/usr/sbin/sshd//null-/usr/bin/bash//null-/usr/bin/screen//null-/usr/bin/bash//null-/usr/bin/journalctl" name="/var/log/journal/3840589866da411b178e07aa0000001d/user-1004 at a38efa23684347ef9b31acdaaf262dd8-000000000d2d8e5d-0005f37ebe1948bb.journal" pid=2208193 comm="journalctl" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
jan 31 11:56:02 marcos audit[2208193]: AVC apparmor="ALLOWED" operation="open" profile="/usr/sbin/sshd//null-/usr/bin/bash//null-/usr/bin/screen//null-/usr/bin/bash//null-/usr/bin/journalctl" name="/var/log/journal/3840589866da411b178e07aa0000001d/user-1046.journal" pid=2208193 comm="journalctl" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
jan 31 11:56:02 marcos audit[2208193]: AVC apparmor="ALLOWED" operation="open" profile="/usr/sbin/sshd//null-/usr/bin/bash//null-/usr/bin/screen//null-/usr/bin/bash//null-/usr/bin/journalctl" name="/var/log/journal/3840589866da411b178e07aa0000001d/user-1000 at 783a473ea10e4ba8b524e790c32932d9-000000000d379eb3-0005f389ebe36e8a.journal" pid=2208193 comm="journalctl" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
jan 31 11:56:02 marcos audit[2208193]: AVC apparmor="ALLOWED" operation="open" profile="/usr/sbin/sshd//null-/usr/bin/bash//null-/usr/bin/screen//null-/usr/bin/bash//null-/usr/bin/journalctl" name="/var/log/journal/3840589866da411b178e07aa0000001d/user-1004 at a38efa23684347ef9b31acdaaf262dd8-000000000d24946f-0005f37de770b945.journal" pid=2208193 comm="journalctl" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
jan 31 11:56:02 marcos audit[2208193]: AVC apparmor="ALLOWED" operation="open" profile="/usr/sbin/sshd//null-/usr/bin/bash//null-/usr/bin/screen//null-/usr/bin/bash//null-/usr/bin/journalctl" name="/var/log/journal/3840589866da411b178e07aa0000001d/user-1000 at 783a473ea10e4ba8b524e790c32932d9-000000000d38d511-0005f38e27865a08.journal" pid=2208193 comm="journalctl" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
jan 31 11:56:02 marcos audit[2208193]: AVC apparmor="ALLOWED" operation="open" profile="/usr/sbin/sshd//null-/usr/bin/bash//null-/usr/bin/screen//null-/usr/bin/bash//null-/usr/bin/journalctl" name="/var/log/journal/3840589866da411b178e07aa0000001d/system at c4b260b6361649e1819ca8a888938e1d-000000000d3a15fc-0005f390ce56bd38.journal" pid=2208193 comm="journalctl" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

I'm not sure it's journalctl that's at fault here, but I can't really
use it at all anymore. I am not sure either if it's journald triggering
this, or journalctl, but I regularly get this error in dmesg:

[jan31 11:53] systemd-journald[1071826]: Data hash table of /var/log/journal/3840589866da411b178e07aa0000001d/system.journal has a fill level at 75.0 (174765 of 233016 items, 67108864 file size, 383 bytes per hash table item), suggesting rotation.
[  +0,023450] systemd-journald[1071826]: /var/log/journal/3840589866da411b178e07aa0000001d/system.journal: Journal header limits reached or header out-of-date, rotating.

Anyone else seeing this? What's up with that "profile" line anyways?

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-1-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apparmor depends on:
ii  debconf [debconf-2.0]  1.5.82
ii  libc6                  2.36-8

apparmor recommends no packages.

Versions of packages apparmor suggests:
ii  apparmor-profiles-extra  1.35
ii  apparmor-utils           3.0.8-2

-- debconf information:
  apparmor/homedirs:

More information about the pkg-apparmor-team mailing list