[pkg-apparmor] Bug#962838: Apparmor profile for syslog-ng assumes trivial config

intrigeri intrigeri at boum.org
Tue Jun 16 13:20:31 BST 2020


Control: severity -1 minor
Control: tag -1 + upstream

Hi,

Elliott Mitchell (2020-06-14):
> [######.######] audit: type=1400 audit(####################): apparmor="ALLOWED" operation="open" profile="syslog-ng" name="/proc/<misc-pid>/cmdline" pid=<syslog-ng-pid> comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> [######.######] audit: type=1400 audit(####################): apparmor="ALLOWED" operation="open" profile="syslog-ng" name="/proc/<misc-pid>/loginuid" pid=<syslog-ng-pid> comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> [######.######] audit: type=1400 audit(####################): apparmor="ALLOWED" operation="open" profile="syslog-ng" name="/proc/<misc-pid>/sessionid" pid=<syslog-ng-pid> comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>
> I'm cautiously optimistic this is due to the AppArmor profile for
> syslog-ng being incomplete and not someone having broken into this
> machine and done something to syslog-ng.

It looks like it, indeed.

Please report upstream any problem with an AppArmor profile that is
included in the apparmor-profiles package:

  https://gitlab.com/apparmor/apparmor/-/issues

The apparmor-profiles package exists solely to provide a way for users
to test these experimental profiles and help improve them upstream
if needed. Do not expect these profiles to work out-of-the-box.
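
For triaging records like the ones quoted above before reporting them upstream, this added example (not part of the original message, nor AppArmor's own tooling) groups AppArmor audit lines by profile, mode and path, then lists candidate rules to review. The sample log lines are constructed and all function names are hypothetical; `@{PROC}` and `@{pid}` are the variables from AppArmor's tunables.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of the kernel audit records quoted above
# (timestamps and PIDs are made up).
SAMPLE_LOG = '''\
[  101.000001] audit: type=1400 audit(1592300000.001:11): apparmor="ALLOWED" operation="open" profile="syslog-ng" name="/proc/812/cmdline" pid=640 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  101.000002] audit: type=1400 audit(1592300000.002:12): apparmor="ALLOWED" operation="open" profile="syslog-ng" name="/proc/812/loginuid" pid=640 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  101.000003] audit: type=1400 audit(1592300000.003:13): apparmor="ALLOWED" operation="open" profile="syslog-ng" name="/proc/977/cmdline" pid=640 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  101.000004] audit: type=1400 audit(1592300000.004:14): apparmor="DENIED" operation="open" profile="syslog-ng" name="/proc/977/sessionid" pid=640 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_record(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if 'apparmor=' not in line:
        return None
    return {k: q if q else u for k, q, u in FIELD.findall(line)}

def generalise(path):
    """Replace a numeric /proc/<pid>/ component with AppArmor's variables."""
    return re.sub(r'^/proc/\d+/', '@{PROC}/@{pid}/', path)

def summarise(log_text):
    """Group events by (profile, mode, generalised path); merge masks, count hits."""
    out = defaultdict(lambda: {"mask": set(), "count": 0})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec or "name" not in rec:
            continue
        # ALLOWED = logged in complain mode, DENIED = blocked in enforce mode
        key = (rec["profile"], rec["apparmor"], generalise(rec["name"]))
        out[key]["mask"].update(rec.get("denied_mask", ""))
        out[key]["count"] += 1
    return dict(out)

def candidate_rules(summary, profile):
    """Rule lines to review for one profile, sorted; nothing is applied."""
    return sorted(f"{path} {''.join(sorted(v['mask']))},"
                  for (prof, _mode, path), v in summary.items() if prof == profile)

if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for (prof, mode, path), v in sorted(s.items()):
        print(f"{prof:10} {mode:8} {path:32} x{v['count']}")
    print("\n".join(candidate_rules(s, "syslog-ng")))
```

Each candidate rule still needs a human decision on whether the access is expected for the local syslog-ng configuration.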


