[pkg-apparmor] Bug#973356: apparmor-profiles: complain on syslog-ng opening system.journal until re-enabling profile

Christian Boltz debian-bugs at cboltz.de
Thu Oct 29 21:25:02 GMT 2020


Hello,

On Thursday, 29 October 2020, 12:43:08 CET, Lorenzo Iannuzzi wrote:
> apparmor="ALLOWED" operation="open" profile="syslog-ng//null-/bin/dash//null-/usr/sbin/sshguard//null-/bin/journalctl"

This is interesting[tm] - syslog-ng executed dash, which then executed 
sshguard, which executed journalctl.

That looks like a funny way to read from the journal...

> name="/run/log/journal/ccca544565cf1834599ef913deceef00/system.journal" pid=6749 comm="journalctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> 
> I can see some rules from profile that should permit the access to
> that file:
>   /{var,var/run,run}/log/journal/ r,
>   /{var,var/run,run}/log/journal/*/ r,
>   /{var,var/run,run}/log/journal/*/*.journal r,

Right, but there are no rules that allow executing dash, sshguard and 
journalctl.

> and if I disable and enable the profile again (with aa-disable and
> aa-complain) the log messages don't show anymore.

aa-disable unloads the profile from the kernel, which also means that 
running processes become unconfined.

aa-complain loads the profile again (in complain mode), but it can't 
apply it to running processes, so they stay unconfined (until you 
restart them).

Note that this probably only affects the syslog-ng profile, not the 
processes running under the syslog-ng//null-* profiles.

The better way is to use only aa-complain, which will switch the profile 
to complain mode and leave running processes confined.

> Why are those logs shown on boot, but disappear after I reload the
> syslog-ng profile?

See above, it's probably because you first unload the profile with 
aa-disable and then have syslog-ng running unconfined.

Can you please check if there are processes running under a profile 
starting with "syslog-ng"? You can do this with
    ps Zaux | grep ^syslog-ng
Ideally check it before and after reloading the profiles.
Also restart syslog-ng and check again.

Also, do fresh log messages appear if you restart syslog-ng?

Bonus question: Do you have a non-default syslog-ng config that could 
explain the exec chain I mentioned at the beginning?


Regards,

Christian Boltz
-- 
> Would it be ok to just switch all build sections to use lua?
> Probably much faster than the shells anyway :-P
Yast team has experience in converting strange languages to
each other - they can cook something! :)
[> Stefan Seyfried and Stephan Kulow in opensuse-factory]
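An added example, not part of the bug report or of the AppArmor project: it parses the quoted audit line, recovers the exec chain from the `//null-` profile name, and checks the three quoted journal rules against the accessed path with a small AppArmor-glob matcher (an assumption: only `{a,b}`, `*`, `**` and `?` are handled). It shows the path is covered by the syslog-ng rules, but the access was made by a `//null-` child profile, which has none of them.

```python
import re

# Constructed sample, modelled on the audit line quoted in the report.
SAMPLE_LINE = ('apparmor="ALLOWED" operation="open" '
               'profile="syslog-ng//null-/bin/dash//null-/usr/sbin/sshguard//null-/bin/journalctl" '
               'name="/run/log/journal/ccca544565cf1834599ef913deceef00/system.journal" '
               'pid=6749 comm="journalctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0')
# The three file rules quoted from the syslog-ng profile.
JOURNAL_RULES = ["/{var,var/run,run}/log/journal/",
                 "/{var,var/run,run}/log/journal/*/",
                 "/{var,var/run,run}/log/journal/*/*.journal"]
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_audit_line(line):
    """Split an AppArmor audit line into a dict, stripping the quotes around values."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in KV_RE.findall(line)}

def exec_chain(profile):
    """'a//null-/bin/b//null-/bin/c' -> ['a', '/bin/b', '/bin/c']: in complain mode an exec
    with no matching rule puts the child in a learning profile named parent//null-<exe>."""
    return profile.split("//null-")

def glob_to_regex(glob):
    """Translate an AppArmor path glob ({a,b}, *, **, ?) into a regex string (assumed subset)."""
    out, i = [], 0
    while i < len(glob):
        if glob[i] == "{":                      # alternation; branches may contain globs
            j = glob.index("}", i)
            out.append("(?:" + "|".join(glob_to_regex(a) for a in glob[i + 1:j].split(",")) + ")")
            i = j + 1
        elif glob.startswith("**", i):          # ** crosses directory boundaries
            out.append(".*"); i += 2
        elif glob[i] in "*?":                   # * and ? stop at '/'
            out.append("[^/]*" if glob[i] == "*" else "[^/]"); i += 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return "".join(out)

def rule_matches(rule, path):
    return re.fullmatch(glob_to_regex(rule), path) is not None

def explain(line, rules):
    """Report which profile made the access and whether the base profile's rules cover it."""
    f = parse_audit_line(line)
    chain = exec_chain(f["profile"])
    path_matches = any(rule_matches(r, f["name"]) for r in rules)
    return {"mode": {"ALLOWED": "complain", "DENIED": "enforce"}.get(f["apparmor"], f["apparmor"]),
            "base_profile": chain[0], "exec_chain": chain[1:], "rules_match_path": path_matches,
            # the rules belong to the base profile; a //null- child has none of them
            "covered": path_matches and len(chain) == 1}
```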