On 9/17/21 7:57 AM, Michael Ströder wrote:
> Hi!
>
> I have the following ansible task for installing the rsyslog config file:
>
> - name: "Generate rsyslog configuration"
>   template:
>     src: "rsyslog.conf.j2"
>     dest: "/etc/rsyslog.conf"
>     owner: root
>     group: root
>     mode: 0o0644
>     validate: "/usr/sbin/rsyslogd -N 1 -f %s"
>   notify:
>     - "restart rsyslog"
>
> As you can see, the argument "validate" invokes the rsyslogd executable to
> check the config *before* installing it to the final destination.
>
> This leads to a violation of the AppArmor profile
> /etc/apparmor.d/usr.sbin.rsyslogd, which is also applied when running this
> executable only for config validation:
>
> type=AVC msg=audit(1631883703.061:3603): apparmor="DENIED"
> operation="open" profile="/usr/sbin/rsyslogd"
> name="/root/.ansible/tmp/ansible-tmp-1631883699.503673-9416-242746370879968/source"
> pid=13760 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>
> But I'd like to avoid adding rules to grant read access to
> /root/.ansible/tmp/.
>
> Any idea how to disable the AppArmor profile only in case of this config
> check?
So I think all you need to do is create a secondary profile, let's call it
rsyslogd-configcheck. Give it all the same rules as the rsyslogd profile and
the extra rule to allow access to /root/.ansible/tmp/. Make sure the new
profile is loaded.

Now you can start rsyslogd using aa-exec to put it in the alternate profile:

  aa-exec -p rsyslogd-configcheck -- /usr/sbin/rsyslogd -N1 -f %s

-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
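The procedure in the reply (a secondary profile with the same rules plus one extra rule, loaded, and entered with aa-exec from the validate: command), as an added shell example; this is not code from the thread or from the rsyslog or AppArmor projects. Instead of hand-maintaining a copy of the rules, it derives the secondary profile from the stock profile text with awk, so the two cannot drift apart. Assumed rather than stated in the thread: the stock profile lives at /etc/apparmor.d/usr.sbin.rsyslogd with a header line of the form "/usr/sbin/rsyslogd {" or "profile NAME /usr/sbin/rsyslogd flags=(...) {", Ansible's remote_tmp is the default /root/.ansible/tmp, and the profile name is the rsyslogd-configcheck the reply suggests. The derived profile is a named profile with no attachment path, so it is only ever entered through aa-exec -p and does not compete with the stock profile for /usr/sbin/rsyslogd. The embedded sample profile is a constructed minimal stand-in used only to exercise the transform.

```shell
#!/bin/sh
# Added example, not code from the thread or from the rsyslog/AppArmor projects.
# Builds the secondary profile the reply describes: the stock rsyslogd profile
# under the name rsyslogd-configcheck, plus one extra rule for Ansible's staging
# directory, loaded with apparmor_parser and entered only via aa-exec -p from
# the Ansible validate: command.
#
# Assumptions (mine, not from the thread):
#  * the stock profile is /etc/apparmor.d/usr.sbin.rsyslogd and its header line
#    is "/usr/sbin/rsyslogd {" or "profile NAME /usr/sbin/rsyslogd flags=(...) {"
#  * Ansible's remote_tmp is the default /root/.ansible/tmp
set -eu

STOCK_PROFILE=/etc/apparmor.d/usr.sbin.rsyslogd
CHECK_PROFILE=/etc/apparmor.d/rsyslogd-configcheck
CHECK_NAME=rsyslogd-configcheck
ANSIBLE_TMP_GLOB='/root/.ansible/tmp/**'   # covers ansible-tmp-*/source

# derive_profile: stock profile on stdin, config-check profile on stdout.
# The header becomes a *named* profile without an attachment path, so it is
# never auto-attached when /usr/sbin/rsyslogd starts normally (two profiles
# attached to the same path would conflict); it is only entered via aa-exec -p.
# Flags on the header line (e.g. attach_disconnected) are kept, and the extra
# rule is inserted just before the profile's closing brace.
derive_profile() {
    awk -v name="$CHECK_NAME" -v tmpglob="$ANSIBLE_TMP_GLOB" '
        # unindented header line, not the indented "/usr/sbin/rsyslogd rmix," rule
        /^(profile [^ ]+ )?\/usr\/sbin\/rsyslogd( .*)?[{]$/ {
            sub(/^(profile [^ ]+ )?\/usr\/sbin\/rsyslogd/, "profile " name)
            print; next
        }
        /^}/ {
            print "  # added: rsyslogd -N must read the file Ansible staged for validation"
            print "  owner " tmpglob " r,"
        }
        { print }
    '
}

# install_profile: write the derived profile next to the stock one and load it.
# Needs root. Re-run after the rsyslog package updates its profile.
install_profile() {
    derive_profile < "$STOCK_PROFILE" > "$CHECK_PROFILE"
    apparmor_parser -r "$CHECK_PROFILE"
    # the kernel lists loaded profiles as "<name> (enforce|complain)"
    grep -q "^$CHECK_NAME (" /sys/kernel/security/apparmor/profiles
}

# check_config: what the Ansible validate: string runs once %s is substituted:
#   validate: "aa-exec -p rsyslogd-configcheck -- /usr/sbin/rsyslogd -N 1 -f %s"
# The exit status is rsyslogd's, so a broken config still fails the task.
check_config() {
    aa-exec -p "$CHECK_NAME" -- /usr/sbin/rsyslogd -N 1 -f "$1"
}

# Constructed minimal stand-in for the stock profile (the real one is longer),
# so derive_profile can be exercised without touching /etc/apparmor.d.
SAMPLE_STOCK_PROFILE='#include <tunables/global>

/usr/sbin/rsyslogd flags=(attach_disconnected) {
  #include <abstractions/base>
  /usr/sbin/rsyslogd rmix,
  /etc/rsyslog.conf r,
}'

# demo_derive: run the transform on the sample and print the derived profile.
demo_derive() {
    printf '%s\n' "$SAMPLE_STOCK_PROFILE" | derive_profile
}

case "${1:-}" in
    demo)    demo_derive ;;          # show the derived profile text
    install) install_profile ;;      # write and load it (root)
    check)   check_config "$2" ;;    # validate a staged config file
esac
```

Run it with `demo` to inspect the derived text before loading anything. The added rule is `owner`-restricted and scoped to the staging glob, and it lives only in the profile that the validation run enters, so the stock profile that confines the running daemon is unchanged; that is what makes this different from the poster's rejected option of widening the main profile.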
