[Bug 1766600] [NEW] [bionic] apparmor denial for rsyslog modules in multiarch directory and pidfile

Tue, 24 Apr 2018 06:31:41 -0700 

Public bug reported:

With the new bionic upload, when the apparmor profile is enabled,
rsyslog fails to start (and cause upgrade issues) due to:

AVC apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/rsyslogd"
name="/usr/lib/x86_64-linux-gnu/rsyslog/lmnet.so" pid=19949
comm="rsyslogd" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

The profile has this rule:

  /usr/lib{,32,64}/rsyslog/*.so mr,

but the new upload puts modules in /usr/lib/x86_64-linux-gnu/rsyslog so
this rule should be adjusted to:

  /usr/lib{,32,64}/{,@{multiarch}/}rsyslog/*.so mr,

Fixing that reveals this denial:

AVC apparmor="DENIED" operation="mknod" profile="/usr/sbin/rsyslogd"
name="/run/rsyslogd.pid.tmp" pid=2741 comm="rsyslogd" requested_mask="c"
denied_mask="c" fsuid=0 ouid=0

So we need to adjust this:

  /{,var/}run/rsyslogd.pid rwk,

to be:

  /{,var/}run/rsyslogd.pid{,.tmp} rwk,

** Affects: rsyslog (Ubuntu)
     Importance: High
     Assignee: Jamie Strandboge (jdstrand)
         Status: In Progress

** Description changed:

  With the new bionic upload, when the apparmor profile is enabled,
- rsyslog fails to start due to:
+ rsyslog fails to start (and cause upgrade issues) due to:
  
  AVC apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/rsyslogd"
  name="/usr/lib/x86_64-linux-gnu/rsyslog/lmnet.so" pid=19949
  comm="rsyslogd" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
  
  The profile has this rule:
  
-   /usr/lib{,32,64}/rsyslog/*.so mr,
+   /usr/lib{,32,64}/rsyslog/*.so mr,
  
  but the new upload puts modules in /usr/lib/x86_64-linux-gnu/rsyslog so
  this rule should be adjusted to:
  
-   /usr/lib{,32,64}/{,@multiarch/}rsyslog/*.so mr,
+   /usr/lib{,32,64}/{,@multiarch/}rsyslog/*.so mr,

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1766600

Title:
  [bionic] apparmor denial for rsyslog modules in multiarch directory
  and pidfile

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1766600/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to