Package: apparmor-profiles
Version: 2.13.2-10

I've added the option "use_dns(yes);" and am allowing messages from the local network. With this small configuration adjustment in place, I see the kernel log getting severely spammed by AppArmor:

[######.######] audit: type=1400 audit(####################): apparmor="ALLOWED" operation="open" profile="syslog-ng" name="/proc/<misc-pid>/cmdline" pid=<syslog-ng-pid> comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[######.######] audit: type=1400 audit(####################): apparmor="ALLOWED" operation="open" profile="syslog-ng" name="/proc/<misc-pid>/loginuid" pid=<syslog-ng-pid> comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[######.######] audit: type=1400 audit(####################): apparmor="ALLOWED" operation="open" profile="syslog-ng" name="/proc/<misc-pid>/sessionid" pid=<syslog-ng-pid> comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I'm cautiously optimistic this is due to the AppArmor profile for syslog-ng being incomplete and not someone having broken into this machine and done something to syslog-ng.

-- 
(\___(\___(\______ --=> 8-) EHM <=-- ______/)___/)___/)
\BS ( | [email protected] PGP 87145445 | ) /
\_CS\ | _____ -O #include <stddisclaimer.h> O- _____ | / _/
8A19\___\_|_/58D2 7E3D DDF4 7BA6 <-PGP-> 41D1 B375 37D0 8714\_|_/___/5445
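A triage sketch for the kind of log flood shown in the report above, added here as an example and not part of the original report or of the apparmor-profiles package: it parses AppArmor audit lines, collapses per-process /proc paths into one pattern, and records whether the opened /proc entry belongs to the confined process itself or to another process. The sample lines, PIDs and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the shape of the report's excerpt (PIDs/timestamps invented).
TEMPLATE = ('[  101.{n:06d}] audit: type=1400 audit(1600000000.000:{n}): '
            'apparmor="ALLOWED" operation="open" profile="syslog-ng" '
            'name="/proc/{target}/{leaf}" pid=400 comm="syslog-ng" '
            'requested_mask="r" denied_mask="r" fsuid=0 ouid=0')
SAMPLE = [TEMPLATE.format(n=i, target=t, leaf=l) for i, (t, l) in enumerate([
    (812, "cmdline"), (812, "loginuid"), (812, "sessionid"),
    (977, "cmdline"), (400, "cmdline")])]
SAMPLE.append("[  101.000009] usb 1-1: new high-speed USB device")  # not an audit line

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
PROC_PID = re.compile(r'^/proc/(\d+)/')

def parse_event(line):
    """Return the key=value fields of an AppArmor audit line, or None."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in KV.finditer(line)}
    return fields if "apparmor" in fields else None

def normalise(fields):
    """Collapse /proc/<digits>/ and say whose /proc entry was opened."""
    name = fields.get("name", "")
    m = PROC_PID.match(name)
    if not m:
        return name, "n/a"
    owner = "self" if m.group(1) == fields.get("pid") else "other"
    return PROC_PID.sub("/proc/<pid>/", name), owner

def summarise(lines):
    """Count events per (verdict, profile, operation, path pattern, mask, owner)."""
    counts = Counter()
    for line in lines:
        f = parse_event(line)
        if f is None:
            continue
        path, owner = normalise(f)
        counts[(f["apparmor"], f.get("profile"), f.get("operation"),
                path, f.get("denied_mask"), owner)] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarise(SAMPLE).most_common():
        print(n, *key)
```

Grouping this way turns thousands of per-PID lines into a handful of path patterns that can be compared against the rules in the profile under review.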

