Mailinglist Archive: opensuse-factory (175 mails)
| < Previous | Next > |
[opensuse-factory] syslog-ng apparmor question
- From: Peter Czanik <pczanik@xxxxxxxxxxxxxx>
- Date: Wed, 29 Sep 2010 08:22:43 +0200
- Message-id: <4CA2DB33.8040502@xxxxxxxxxxxxxx>
Hello,
I'm trying to package syslog-ng 3.2-git, and ran into some troubles.
V3.2 has an interesting new feature, called SCL (system configuration
library), which tries to ease syslog-ng configuration. This works nicely
when apparmor is disabled.
SCL uses a script to generate part of the configuration. So, when
system(); is used in syslog-ng.conf, it actually calls a script, which
generates the missing parts based on the OS. In case of Linux, it's:
linux-6y8u:~ #
/usr/share/syslog-ng/include/scl/system/generate-system-source.sh
unix-dgram("/dev/log");
file("/proc/kmsg" program-override("kernel") flags(kernel));
When apparmor is enabled, this script is not run, instead I see
"permission denied" in the strace output.
Question: how should I modify /etc/apparmor.d/sbin.syslog-ng to be able
to run external scripts and/or applications. This is not only a problem
for SCL, but syslog-ng can use these both as log source and destination.
Once a solution is know, I'd put some comments in sbin.syslog-ng, so
users could extend the AppArmor ruleset easily instead of disabling it...
Bye,
--
Peter Czanik (CzP) <czanik@xxxxxxxxxx>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-factory+help@xxxxxxxxxxxx
I'm trying to package syslog-ng 3.2-git, and ran into some troubles.
V3.2 has an interesting new feature, called SCL (system configuration
library), which tries to ease syslog-ng configuration. This works nicely
when apparmor is disabled.
SCL uses a script to generate part of the configuration. So, when
system(); is used in syslog-ng.conf, it actually calls a script, which
generates the missing parts based on the OS. In case of Linux, it's:
linux-6y8u:~ #
/usr/share/syslog-ng/include/scl/system/generate-system-source.sh
unix-dgram("/dev/log");
file("/proc/kmsg" program-override("kernel") flags(kernel));
When apparmor is enabled, this script is not run, instead I see
"permission denied" in the strace output.
Question: how should I modify /etc/apparmor.d/sbin.syslog-ng to be able
to run external scripts and/or applications. This is not only a problem
for SCL, but syslog-ng can use these both as log source and destination.
Once a solution is know, I'd put some comments in sbin.syslog-ng, so
users could extend the AppArmor ruleset easily instead of disabling it...
Bye,
--
Peter Czanik (CzP) <czanik@xxxxxxxxxx>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-factory+help@xxxxxxxxxxxx
| < Previous | Next > |