[pkg-apparmor] Bug#973356: apparmor-profiles: complain on syslog-ng opening system.journal until re-enabling profile

Lorenzo Iannuzzi innakis at gmail.com
Fri Oct 30 08:28:20 GMT 2020


It is exactly as you said: I didn't remember that, following the sshguard guide,
I customized the syslog-ng config, and this caused that chain of calls. So I
need to customize the syslog-ng profile too if I want to enable it.
Thanks


On Thu, 29 Oct 2020 at 22:25, Christian Boltz <
debian-bugs at cboltz.de> wrote:

> Hello,
>
> On Thursday, 29 October 2020, 12:43:08 CET, Lorenzo Iannuzzi wrote:
> > apparmor="ALLOWED" operation="open" profile="syslog-
> > ng//null-/bin/dash//null-/usr/sbin/sshguard//null-/bin/journalctl"
>
> This is interesting[tm] - syslog-ng executed dash, which then executed
> sshguard, which executed journalctl.
>
> That looks like a funny way to read from the journal...
>
> > name="/run/log/journal/ccca544565cf1834599ef913deceef00/system.journal
> > " pid=6749 comm="journalctl" requested_mask="r" denied_mask="r"
> > fsuid=0 ouid=0
> >
> > I can see some rules from profile that should permit the access to
> > that file:
> >   /{var,var/run,run}/log/journal/ r,
> >   /{var,var/run,run}/log/journal/*/ r,
> >   /{var,var/run,run}/log/journal/*/*.journal r,
>
> Right, but there are no rules that allow executing dash, sshguard and
> journalctl.
>
> > and if I disable and enable again the profile (with aa-disable and
> > aa-complain) the log messages don't show up anymore.
>
> aa-disable unloads the profile from the kernel, which also means that
> running processes become unconfined.
>
> aa-complain loads the profile again (in complain mode), but it can't
> apply it to running processes, so they stay unconfined (until you
> restart them).
>
> Note that this probably only affects the syslog-ng profile, not the
> processes running under the syslog-ng//null-* profiles.
>
> The better way is to use only aa-complain, which will switch the profile
> to complain mode and leave running processes confined.
>
> > Why those log are shown on boot, but disappear after I reload the
> > syslog-ng profile?
>
> See above, it's probably because you first unload the profile with aa-
> disable and then have syslog-ng running unconfined.
>
> Can you please check if there are processes running under a profile
> starting with "syslog-ng"? You can do this with
>     ps Zaux | grep ^syslog-ng
> Ideally check it before and after reloading the profiles.
> Also restart syslog-ng and check again.
>
> Also, do fresh log messages appear if you restart syslog-ng?
>
> Bonus question: Do you have a non-default syslog-ng config that could
> explain the exec chain I mentioned at the beginning?
>
>
> Regards,
>
> Christian Boltz
> --
> > Would it be ok to just switch all build sections to use lua?
> > Probably much faster than the shells anyway :-P
> Yast team has experience in converting strange languages to
> each other - they can cook something! :)
> [> Stefan Seyfried and Stephan Kulow in opensuse-factory]
>


-- 
Lorenzo Iannuzzi
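The exchange above turns on reading the profile name in the audit line: every "//null-" segment is one exec the syslog-ng profile has no rule for, and the journal rules quoted from the profile never apply to a process running under such a child profile. The following script, an added example that is not part of the bug report or the apparmor-profiles package, parses lines of that form, recovers the exec chain and checks the denied path against the three quoted journal rules. The sample log line is constructed after the one in the report; the brace expansion and glob matching are a small approximation of AppArmor's path matching ('*' does not cross '/', '**' does) written for this example.

```python
"""Parse an AppArmor audit line and explain an ALLOWED/DENIED file access.

Added example for this bug thread, not code from the apparmor-profiles
package. The matcher below is a simplified model of AppArmor path globs.
"""
import re

# Constructed sample, modelled on the line quoted in the bug report.
SAMPLE_LOG = (
    'apparmor="ALLOWED" operation="open" profile="syslog-ng//null-/bin/dash'
    '//null-/usr/sbin/sshguard//null-/bin/journalctl" '
    'name="/run/log/journal/ccca544565cf1834599ef913deceef00/system.journal" '
    'pid=6749 comm="journalctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
)

# Rules quoted from the syslog-ng profile in the report (path and mode only).
JOURNAL_RULES = [
    '/{var,var/run,run}/log/journal/ r,',
    '/{var,var/run,run}/log/journal/*/ r,',
    '/{var,var/run,run}/log/journal/*/*.journal r,',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(line):
    """Split a key=value audit line into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def exec_chain(profile):
    """Return (base profile, list of binaries executed without an exec rule).

    In complain mode an exec that no rule covers puts the child under
    '<parent>//null-<path>', so each '//null-' segment is one such exec.
    """
    parts = profile.split('//null-')
    return parts[0], parts[1:]


def expand_braces(pattern):
    """Expand one level of {a,b,c} alternation, recursively."""
    m = re.search(r'\{([^{}]*)\}', pattern)
    if not m:
        return [pattern]
    expanded = []
    for alt in m.group(1).split(','):
        expanded.extend(expand_braces(pattern[:m.start()] + alt + pattern[m.end():]))
    return expanded


def glob_to_regex(glob):
    """Translate an AppArmor-style glob: '**' crosses '/', '*' does not."""
    out, i = '', 0
    while i < len(glob):
        if glob.startswith('**', i):
            out, i = out + '.*', i + 2
        elif glob[i] == '*':
            out, i = out + '[^/]*', i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return '^' + out + '$'


def rule_matches(rule_path, path):
    """True if any brace-expanded alternative of rule_path matches path."""
    return any(re.match(glob_to_regex(p), path) for p in expand_braces(rule_path))


def explain(line, rules=JOURNAL_RULES):
    """Summarise one audit line against the base profile's rules."""
    f = parse_fields(line)
    base, chain = exec_chain(f['profile'])
    path = f['name']
    matching = [r for r in rules if rule_matches(r.split()[0], path)]
    return {
        'verdict': f['apparmor'],          # ALLOWED only because of complain mode
        'base_profile': base,
        'unruled_execs': chain,            # binaries the base profile must learn to exec
        'path': path,
        'matching_base_rules': matching,   # rules that would cover path in the base profile
        'base_rules_apply': not chain,     # they only help if no null-child is involved
    }


if __name__ == '__main__':
    for key, value in explain(SAMPLE_LOG).items():
        print(f'{key}: {value}')
```

On a real system the lines come from the kernel log (dmesg) or from auditd's audit.log; feeding them through explain() shows at once whether a "denied" open is really a missing file rule or, as here, the consequence of an exec chain the profile does not cover.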