It is exactly as you said: I didn't remember that, following the sshguard guide, I had customized the syslog-ng config, and this caused that chain of calls. So I need to customize the syslog-ng profile too if I want to enable it. Thanks
On Thu, 29 Oct 2020 at 22:25, Christian Boltz <[email protected]> wrote:
> Hello,
>
> On Thursday, 29 October 2020, 12:43:08 CET, Lorenzo Iannuzzi wrote:
> > apparmor="ALLOWED" operation="open" profile="syslog-ng//null-/bin/dash//null-/usr/sbin/sshguard//null-/bin/journalctl"
>
> This is interesting[tm] - syslog-ng executed dash, which then executed
> sshguard, which executed journalctl.
>
> That looks like a funny way to read from the journal...
>
> > name="/run/log/journal/ccca544565cf1834599ef913deceef00/system.journal" pid=6749 comm="journalctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> >
> > I can see some rules in the profile that should permit access to
> > that file:
> > /{var,var/run,run}/log/journal/ r,
> > /{var,var/run,run}/log/journal/*/ r,
> > /{var,var/run,run}/log/journal/*/*.journal r,
>
> Right, but there are no rules that allow executing dash, sshguard and
> journalctl.
>
> > and if I disable and enable the profile again (with aa-disable and
> > aa-complain) the log messages don't show anymore.
>
> aa-disable unloads the profile from the kernel, which also means that
> running processes become unconfined.
>
> aa-complain loads the profile again (in complain mode), but it can't
> apply it to running processes, so they stay unconfined (until you
> restart them).
>
> Note that this probably only affects the syslog-ng profile, not the
> processes running under the syslog-ng//null-* profiles.
>
> The better way is to use only aa-complain, which will switch the profile
> to complain mode and leave running processes confined.
>
> > Why are those logs shown on boot, but disappear after I reload the
> > syslog-ng profile?
>
> See above, it's probably because you first unload the profile with
> aa-disable and then have syslog-ng running unconfined.
>
> Can you please check if there are processes running under a profile
> starting with "syslog-ng"? You can do this with
> ps Zaux | grep ^syslog-ng
> Ideally check it before and after reloading the profiles.
> Also restart syslog-ng and check again.
>
> Also, do fresh log messages appear if you restart syslog-ng?
>
> Bonus question: Do you have a non-default syslog-ng config that could
> explain the exec chain I mentioned at the beginning?
>
>
> Regards,
>
> Christian Boltz
> --
> > Would it be ok to just switch all build sections to use lua?
> > Probably much faster than the shells anyway :-P
> Yast team has experience in converting strange languages to
> each other - they can cook something! :)
> [> Stefan Seyfried and Stephan Kulow in opensuse-factory]
>
--
Lorenzo Iannuzzi
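A script for the before/after check Christian asks for, added here as example code that is not from either of the two mails: it parses the label the kernel exposes in /proc/<pid>/attr/current, expands a learned //null- chain like the one in Lorenzo's log line into the exec sequence it records, and lists processes under a profile (or still named syslog-ng but unconfined after aa-disable) with their mode. It assumes a Linux host with AppArmor and procfs; the function names are mine.

```shell
#!/bin/sh
# Parse an AppArmor label from /proc/<pid>/attr/current ("unconfined",
# "syslog-ng (enforce)", "syslog-ng//null-/bin/dash (complain)") and
# print <profile><TAB><mode>.
aa_label_parse() {
    label=$1
    case $label in
        unconfined) printf '%s\t%s\n' unconfined unconfined ;;
        *' ('*')')
            mode=${label##* (}
            printf '%s\t%s\n' "${label% (*}" "${mode%)}" ;;
        *) printf '%s\t%s\n' "$label" unknown ;;
    esac
}
# Expand a learned "//null-" chain into the exec sequence it records, e.g.
#   syslog-ng -> /bin/dash -> /usr/sbin/sshguard -> /bin/journalctl
aa_exec_chain() {
    rest=$1
    printf '%s' "${rest%%//null-*}"
    rest=${rest#"${rest%%//null-*}"}
    while [ -n "$rest" ]; do
        rest=${rest#//null-}
        step=${rest%%//null-*}
        printf ' -> %s' "$step"
        rest=${rest#"$step"}
    done
    printf '\n'
}
# List every process labelled under the given profile (//null-* children
# included) or whose comm equals that name, so a syslog-ng left unconfined by
# aa-disable still shows up. Output: <pid><TAB><comm><TAB><profile><TAB><mode>
aa_report() {
    want=${1:-syslog-ng}
    for attr in /proc/[0-9]*/attr/current; do
        pid=${attr#/proc/}; pid=${pid%%/*}
        label=$(cat "$attr" 2>/dev/null) || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null) || comm='?'
        # "label|comm": label == want, label starts with "want//" or "want ", or comm == want
        case "$label|$comm" in
            "$want"'|'*|"$want"//*|"$want "*|*'|'"$want") ;;
            *) continue ;;
        esac
        printf '%s\t%s\t' "$pid" "$comm"
        aa_label_parse "$label"
    done
}
# Run as root before and after aa-complain / aa-disable and compare the modes.
aa_exec_chain 'syslog-ng//null-/bin/dash//null-/usr/sbin/sshguard//null-/bin/journalctl'
aa_report syslog-ng
```

A process that appears with mode "unconfined" after aa-disable confirms Christian's point that reloading with aa-complain does not re-confine it until it is restarted.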

