kernel-packages team mailing list archive
Message #116521
[Bug 1425398] Re: Apparmor uses rsyslogd profile for different processes - utopic HWE
** Description changed:
- Hi.
+ [rsyslog impact]
+ This bug prevents rsyslog from receiving all events from other services on trusty when the utopic-hwe (and newer) kernels are used. The rsyslog SRU adds an additional permission (read access to /dev/log) to the rsyslog apparmor policy to allow this to work.
- I've noticed that apparmor loads /usr/sbin/rsyslogd profile for
- completely unrelated processes:
+ [rsyslog test case]
+ (1) Ensure the rsyslog apparmor policy is set to enforce; it should show up listed in the "XX profiles are in enforce mode." section reported by "sudo aa-status" (if it's disabled, do "sudo aa-enforce rsyslogd").
+
+ (2) Install the utopic or newer hwe enablement stack reboot into the
+ kernel. Using the logger(1) utility should generate log messages (e.g.
+ "logger foo") that are recorded in syslog; with this bug, they will be
+ blocked (grep DENIED /var/log/syslog).
+
+ [rsyslog regression potential]
+ The only change to rsyslog in the SRU is a slight loosening of the rsyslog apparmor policy. The risk of an introduced regression is small.
+
+ [rsyslog addition info]
+ The qa-regression-testing script is useful for verifying that rsyslog is still functioning properly (http://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/view/head:/scripts/test-rsyslog.py)
+
+
+ [Original description]
+ I've noticed that apparmor loads /usr/sbin/rsyslogd profile for completely unrelated processes:
Feb 25 08:36:19 emma kernel: [ 134.796218] audit: type=1400 audit(1424842579.429:245): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=4002 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 25 08:36:23 emma kernel: [ 139.330989] audit: type=1400 audit(1424842583.965:246): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=4080 comm="sudo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 25 08:35:42 emma kernel: [ 97.912402] audit: type=1400 audit(1424842542.565:241): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=2436 comm="whoopsie" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
Feb 25 08:34:43 emma kernel: [ 38.867998] audit: type=1400 audit(1424842483.546:226): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=3762 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
-
- I'm not sure how apparmor decides which profile to use for which task, but is shouldn't load '/usr/sbin/rsyslogd' profile for sshd/ntpd/etc.
-
+ I'm not sure how apparmor decides which profile to use for which task,
+ but is shouldn't load '/usr/sbin/rsyslogd' profile for sshd/ntpd/etc.
I'm running:
# lsb_release -rd
Description: Ubuntu 14.04.2 LTS
Release: 14.04
# dpkg -l | grep apparmor
ii apparmor 2.8.95~2430-0ubuntu5.1 amd64 User-space parser utility for AppArmor
ii apparmor-profiles 2.8.95~2430-0ubuntu5.1 all Profiles for AppArmor Security policies
ii apparmor-utils 2.8.95~2430-0ubuntu5.1 amd64 Utilities for controlling AppArmor
ii libapparmor-perl 2.8.95~2430-0ubuntu5.1 amd64 AppArmor library Perl bindings
ii libapparmor1:amd64 2.8.95~2430-0ubuntu5.1 amd64 changehat AppArmor library
ii python3-apparmor 2.8.95~2430-0ubuntu5.1 amd64 AppArmor Python3 utility library
ii python3-libapparmor 2.8.95~2430-0ubuntu5.1 amd64 AppArmor library Python3 bindings
# uname -a
Linux emma 3.16.0-31-generic #41~14.04.1-Ubuntu SMP Wed Feb 11 19:30:13 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
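Review bot: step (2) of the added [rsyslog test case] only describes the failing behaviour ("with this bug, they will be blocked") and gives no pass criterion for the updated package. Suggest stating the expected result after the SRU is installed, for example that "logger foo" is recorded in /var/log/syslog and that "grep DENIED /var/log/syslog" shows no new /dev/log denials against the rsyslogd profile. The same step is missing "and" in "enablement stack reboot into the kernel". In [rsyslog impact] the added permission is named only in prose ("read access to /dev/log"); quoting the exact policy rule there would let a reviewer judge how far the profile is loosened.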
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-lts-utopic in Ubuntu.
https://bugs.launchpad.net/bugs/1425398
Title: Apparmor uses rsyslogd profile for different processes - utopic HWE
Status in apparmor package in Ubuntu: Invalid
Status in linux package in Ubuntu: Confirmed
Status in linux-lts-utopic package in Ubuntu: Invalid
Status in rsyslog package in Ubuntu: Fix Released
Status in apparmor source package in Trusty: In Progress
Status in linux source package in Trusty: Confirmed
Status in linux-lts-utopic source package in Trusty: Invalid
Status in rsyslog source package in Trusty: Triaged
Bug description:
[rsyslog impact]
This bug prevents rsyslog from receiving all events from other services on trusty when the utopic-hwe (and newer) kernels are used. The rsyslog SRU adds an additional permission (read access to /dev/log) to the rsyslog apparmor policy to allow this to work.
[rsyslog test case]
(1) Ensure the rsyslog apparmor policy is set to enforce; it should show up listed in the "XX profiles are in enforce mode." section reported by "sudo aa-status" (if it's disabled, do "sudo aa-enforce rsyslogd").
(2) Install the utopic or newer hwe enablement stack and reboot into the
kernel. Using the logger(1) utility should generate log messages (e.g.
"logger foo") that are recorded in syslog; with this bug, they will be
blocked (grep DENIED /var/log/syslog).
[rsyslog regression potential]
The only change to rsyslog in the SRU is a slight loosening of the rsyslog apparmor policy. The risk of an introduced regression is small.
[rsyslog additional info]
The qa-regression-testing script is useful for verifying that rsyslog is still functioning properly (http://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/view/head:/scripts/test-rsyslog.py)
[Original description]
I've noticed that apparmor loads /usr/sbin/rsyslogd profile for completely unrelated processes:
Feb 25 08:36:19 emma kernel: [ 134.796218] audit: type=1400 audit(1424842579.429:245): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=4002 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 25 08:36:23 emma kernel: [ 139.330989] audit: type=1400 audit(1424842583.965:246): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=4080 comm="sudo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 25 08:35:42 emma kernel: [ 97.912402] audit: type=1400 audit(1424842542.565:241): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=2436 comm="whoopsie" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
Feb 25 08:34:43 emma kernel: [ 38.867998] audit: type=1400 audit(1424842483.546:226): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=3762 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
I'm not sure how apparmor decides which profile to use for which task,
but it shouldn't load '/usr/sbin/rsyslogd' profile for sshd/ntpd/etc.
I'm running:
# lsb_release -rd
Description: Ubuntu 14.04.2 LTS
Release: 14.04
# dpkg -l | grep apparmor
ii apparmor 2.8.95~2430-0ubuntu5.1 amd64 User-space parser utility for AppArmor
ii apparmor-profiles 2.8.95~2430-0ubuntu5.1 all Profiles for AppArmor Security policies
ii apparmor-utils 2.8.95~2430-0ubuntu5.1 amd64 Utilities for controlling AppArmor
ii libapparmor-perl 2.8.95~2430-0ubuntu5.1 amd64 AppArmor library Perl bindings
ii libapparmor1:amd64 2.8.95~2430-0ubuntu5.1 amd64 changehat AppArmor library
ii python3-apparmor 2.8.95~2430-0ubuntu5.1 amd64 AppArmor Python3 utility library
ii python3-libapparmor 2.8.95~2430-0ubuntu5.1 amd64 AppArmor library Python3 bindings
# uname -a
Linux emma 3.16.0-31-generic #41~14.04.1-Ubuntu SMP Wed Feb 11 19:30:13 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1425398/+subscriptions
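Added example, not part of the original bug notification and not Ubuntu's test script: a triage helper for the test case above that goes beyond "grep DENIED /var/log/syslog" by parsing the audit fields and listing which sending processes had /dev/log sendmsg denials charged to another binary's profile. The function names and the last two sample lines are constructed for illustration; the first four lines are the ones quoted in the report.

```python
import re
from collections import defaultdict

# First four lines: quoted from the bug report. Last two: constructed, must not be reported.
SAMPLE = """\
Feb 25 08:36:19 emma kernel: [ 134.796218] audit: type=1400 audit(1424842579.429:245): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=4002 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 25 08:36:23 emma kernel: [ 139.330989] audit: type=1400 audit(1424842583.965:246): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=4080 comm="sudo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 25 08:35:42 emma kernel: [ 97.912402] audit: type=1400 audit(1424842542.565:241): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=2436 comm="whoopsie" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
Feb 25 08:34:43 emma kernel: [ 38.867998] audit: type=1400 audit(1424842483.546:226): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=3762 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 25 08:40:00 emma kernel: [ 300.000000] audit: type=1400 audit(1424842800.000:250): apparmor="ALLOWED" operation="open" profile="/usr/sbin/example" name="/etc/example.conf" pid=5000 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 25 08:41:00 emma kernel: [ 360.000000] audit: type=1400 audit(1424842860.000:251): apparmor="DENIED" operation="open" profile="/usr/sbin/rsyslogd" name="/etc/example.key" pid=900 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare


def parse_audit(line):
    """Return the key=value fields of an AppArmor audit line, or None for other lines."""
    if "type=1400" not in line or "apparmor=" not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


def devlog_denials(text, socket="/dev/log"):
    """Map profile -> sorted comm names for DENIED sendmsg on `socket` where the
    calling task (comm) is not the binary the profile is named after."""
    hits = defaultdict(set)
    for line in text.splitlines():
        f = parse_audit(line)
        if not f or f.get("apparmor") != "DENIED":
            continue
        if f.get("operation") != "sendmsg" or f.get("name") != socket:
            continue
        profile, comm = f.get("profile", ""), f.get("comm", "")
        # The kernel truncates comm to 15 characters, so compare on that prefix.
        if comm != profile.rsplit("/", 1)[-1][:15]:
            hits[profile].add(comm)
    return {p: sorted(c) for p, c in hits.items()}


if __name__ == "__main__":
    for profile, senders in devlog_denials(SAMPLE).items():
        print(f"{profile}: /dev/log sendmsg denied for {', '.join(senders)}")
```

An empty result after rebooting into the HWE kernel and running "logger foo" corresponds to the passing outcome of the test case; pass the contents of /var/log/syslog instead of SAMPLE to check a real host.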