[bionic] apparmor denial for rsyslog modules in multiarch directory and pidfile

Bug #1766600 reported by Jamie Strandboge
This bug affects 1 person
Affects: rsyslog (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Jamie Strandboge

Bug Description

With the new bionic upload, when the apparmor profile is enabled, rsyslog fails to start (and causes upgrade issues) due to:

AVC apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/rsyslogd" name="/usr/lib/x86_64-linux-gnu/rsyslog/lmnet.so" pid=19949 comm="rsyslogd" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

The profile has this rule:

  /usr/lib{,32,64}/rsyslog/*.so mr,

but the new upload puts modules in /usr/lib/x86_64-linux-gnu/rsyslog so this rule should be adjusted to:

  /usr/lib{,32,64}/{,@{multiarch}/}rsyslog/*.so mr,

Fixing that reveals this denial:

AVC apparmor="DENIED" operation="mknod" profile="/usr/sbin/rsyslogd" name="/run/rsyslogd.pid.tmp" pid=2741 comm="rsyslogd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

So we need to adjust this:

  /{,var/}run/rsyslogd.pid rwk,

to be:

  /{,var/}run/rsyslogd.pid{,.tmp} rwk,

Tags: apparmor
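
Added example (not part of the original report or of the rsyslog packaging): a small Python check that replays the two denials quoted above against the old and the adjusted profile rules. The matcher covers only a subset of AppArmor globbing (*, **, ?, {a,b} and @{var}), and the value used for @{multiarch} is an assumption taken from Ubuntu's tunables/multiarch; the function and constant names are hypothetical.

```python
import re

# Assumption: value of the @{multiarch} tunable as Ubuntu ships it in tunables/multiarch.
VARIABLES = {"multiarch": "*-linux-gnu*"}
# Log masks "c" (create) and "d" (delete) are granted by the "w" rule permission.
IMPLIED_BY = {"c": "w", "d": "w"}

def aa_glob_to_regex(glob, variables=VARIABLES):
    """Translate a subset of AppArmor globbing (*, **, ?, {a,b}, @{var}) to a regex."""
    glob = re.sub(r"@\{(\w+)\}", lambda m: variables[m.group(1)], glob)
    out, i, depth = [], 0, 0
    while i < len(glob):
        ch = glob[i]
        if glob.startswith("**", i):      # ** crosses directory boundaries
            out.append(".*")
            i += 2
            continue
        if ch == "*":                     # * stays inside one path component
            out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        elif ch == "{":
            out.append("(?:")
            depth += 1
        elif ch == "}" and depth:
            out.append(")")
            depth -= 1
        elif ch == "," and depth:         # alternation separator; a branch may be empty
            out.append("|")
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("".join(out) + r"\Z")

def rule_allows(rule, avc_line):
    """True if the file rule covers both the path and the mask named in the denial."""
    path_glob, perms = rule.strip().rstrip(",").split()
    name = re.search(r'name="([^"]+)"', avc_line).group(1)
    denied = re.search(r'denied_mask="([^"]+)"', avc_line).group(1)
    needed = {IMPLIED_BY.get(m, m) for m in denied}
    return bool(aa_glob_to_regex(path_glob).match(name)) and needed <= set(perms)

# The two denials from the report, trimmed to the fields the check reads.
MODULE_DENIAL = 'apparmor="DENIED" operation="file_mmap" name="/usr/lib/x86_64-linux-gnu/rsyslog/lmnet.so" denied_mask="m"'
PIDFILE_DENIAL = 'apparmor="DENIED" operation="mknod" name="/run/rsyslogd.pid.tmp" denied_mask="c"'

if __name__ == "__main__":
    print(rule_allows("/usr/lib{,32,64}/rsyslog/*.so mr,", MODULE_DENIAL))
    print(rule_allows("/usr/lib{,32,64}/{,@{multiarch}/}rsyslog/*.so mr,", MODULE_DENIAL))
```

The same check can be run over any proposed rule before reloading the profile, to confirm that it covers the logged path without also matching sibling directories.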
description: updated
summary: - [bionic] apparmor denial for rsyslog modules in multiarch directory
+ [bionic] apparmor denial for rsyslog modules in multiarch directory and
+ pidfile
tags: added: apparmor
Changed in rsyslog (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package rsyslog - 8.32.0-1ubuntu4

---------------
rsyslog (8.32.0-1ubuntu4) bionic; urgency=medium

  [ Jamie Strandboge ]
  * debian/usr.sbin.rsyslogd: updates for bionic (LP: #1766600)
    - allow rsyslog modules in multiarch directories
    - allow writing temporary pidfile

  [ Dimitri John Ledkov ]
  * Tolerate installing rsyslog, on systems without systemd installed. LP:
    #1766574

 -- Dimitri John Ledkov <email address hidden> Tue, 24 Apr 2018 15:47:41 +0100

Changed in rsyslog (Ubuntu):
status: Fix Committed → Fix Released