Hello,

On 09/29/2010 08:35 AM, Marcus Meissner wrote:
> On Wed, Sep 29, 2010 at 08:22:43AM +0200, Peter Czanik wrote:
>> Hello,
>> I'm trying to package syslog-ng 3.2-git, and ran into some troubles. V3.2 has an interesting new feature, called SCL (system configuration library), which tries to ease syslog-ng configuration. This works nicely when apparmor is disabled.
>> SCL uses a script to generate part of the configuration. So, when system(); is used in syslog-ng.conf, it actually calls a script, which generates the missing parts based on the OS. In case of Linux, it's:
>> linux-6y8u:~ # /usr/share/syslog-ng/include/scl/system/generate-system-source.sh
>> unix-dgram("/dev/log");
>> file("/proc/kmsg" program-override("kernel") flags(kernel));
>> When apparmor is enabled, this script is not run; instead I see "permission denied" in the strace output.
>> Question: how should I modify /etc/apparmor.d/sbin.syslog-ng to be able to run external scripts and/or applications? This is not only a problem for SCL, but syslog-ng can use these both as log source and destination.
>> Once a solution is known, I'd put some comments in sbin.syslog-ng, so users could extend the AppArmor ruleset easily instead of disabling it...
> Run on a console (as root)
> logprof
> and follow the text dialog to adjust the profiles.
Well, it did not work out as expected. First I did some hand tuning, so
base syslog-ng and SCL without system(); works as expected:
--- sbin.syslog-ng.orig 2010-07-05 13:21:25.000000000 +0200
+++ sbin.syslog-ng 2010-09-29 10:09:51.001748203 +0200
@@ -36,9 +36,10 @@
/etc/hosts.deny r,
/etc/hosts.allow r,
/sbin/syslog-ng mr,
+ /usr/share/syslog-ng/** r,
# chrooted applications
@{CHROOT_BASE}/var/lib/*/dev/log w,
- @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist rw,
+ @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw,
@{CHROOT_BASE}/var/log/** w,
@{CHROOT_BASE}/var/run/syslog-ng.pid krw,
@{CHROOT_BASE}/var/run/syslog-ng.ctl rw,
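Review bot: the new `/usr/share/syslog-ng/** r,` rule only lets syslog-ng read the SCL tree; it grants no exec permission, so `sh -c /usr/share/syslog-ng/include/scl/...` will still fail at the execve of /bin/sh with EACCES, exactly as the strace further down shows. An exec rule for the shell is needed in addition (for example `/bin/sh ix,` to run it under syslog-ng's own profile, or a `cx`/`px` transition into a tighter profile for the generator), plus rules for whatever the script itself executes. The `syslog-ng.persist*` glob is a reasonable widening if syslog-ng writes a temporary state file beside the persist file, but note it also matches every other name starting with `syslog-ng.persist` in that directory.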
Then I changed syslog-ng to complain mode and started syslog-ng to
collect audit logs. Once ready, I ran logprof. I accepted all of its
modification suggestions and then wanted to test it. The first problem
was that the generated config could not be loaded at all, as:
@{CHROOT_BASE} = ""
was rewritten to
@{CHROOT_BASE} = ,
which broke the config file.
Once I fixed it, reloaded apparmor, switched off "complain" mode, having
many new lines in the config, I was back to:
[pid 5104] execve("/bin/sh", ["sh", "-c", "/usr/share/syslog-ng/include/scl"...], [/* 58 vars */]) = -1 EACCES (Permission denied)
logprof made the following modifications:
--- sbin.syslog-ng 2010-09-29 10:09:51.001748203 +0200
+++ sbin.syslog-ng.logprof 2010-09-29 10:34:43.866747585 +0200
@@ -1,3 +1,4 @@
+# Last Modified: Wed Sep 29 10:21:46 2010
# $Id$
# ------------------------------------------------------------------
#
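Review bot: the only change in this hunk is the `# Last Modified:` stamp logprof writes above `# $Id$`. It is harmless by itself, but every logprof run will now produce a diff on this line, and the file is re-emitted from logprof's parse rather than edited in place, so keep the hand-tuned copy and diff the two before installing the logprof output.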
@@ -9,41 +10,53 @@
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
+#define this to be where syslog-ng is chrooted
-#include
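Review bot: the hunk is cut off after `-#include`, but the pair of lines already visible is the important one: logprof adds `#define this to be where syslog-ng is chrooted` as a comment and drops an `#include` line. An `#include` is not a comment in AppArmor; if this is one of the `#include <abstractions/...>` lines the profile relies on, removing it takes permissions away instead of adding the missing exec rule. Together with the `@{CHROOT_BASE} = ""` to `@{CHROOT_BASE} = ,` rewrite mentioned above, this shows logprof's re-serialisation of this profile is not faithful, so the removed line should be restored by hand and the regenerated profile reviewed line by line against `sbin.syslog-ng` before it is loaded.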
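As an added illustration of the exec rule the thread is looking for (this is example code written for this page; it is not Peter's patch, not SUSE's sbin.syslog-ng and not an answer from the list), the fragment below shows how an AppArmor profile can let syslog-ng start `sh -c ...` for system() and program() while keeping the shell in a child profile instead of giving it syslog-ng's full permissions. The paths `/sbin/syslog-ng`, `/bin/sh`, `/usr/share/syslog-ng/**` and the `@{CHROOT_BASE}` variable come from the thread. Assumptions: an AppArmor release that supports `cx`/`Cx` child profiles, and that the generator script calls `uname` and `cat` and reads `/proc/version`; the real list of tools it needs has to come from the audit log.

```apparmor
# Added example, not the SUSE sbin.syslog-ng profile or Peter's patch.
# Only the rules relevant to running the SCL generator are shown; the
# existing rules of the profile (hosts.allow, /var/log/**, ...) stay as they are.

# define this to be where syslog-ng is chrooted
@{CHROOT_BASE}=""

/sbin/syslog-ng {
  #include <abstractions/base>

  /sbin/syslog-ng mr,
  /usr/share/syslog-ng/** r,

  # system() and the program() source/destination drivers start "sh -c <command>".
  # Cx runs the shell under the child profile declared below (and scrubs the
  # environment like Px). "ix" would instead hand the shell every permission
  # syslog-ng has, including write access to /var/log/**; "ux" would leave
  # the shell and everything it spawns unconfined.
  /bin/sh Cx,

  profile /bin/sh {
    #include <abstractions/base>

    /bin/sh mr,
    /usr/share/syslog-ng/include/scl/** r,

    # Assumed: tools the generator script is expected to call. Extend this
    # list from the denied execve/open entries in the audit log (put the
    # parent profile in complain mode, run syslog-ng with system(), then
    # logprof) rather than widening the shell to "ux".
    /bin/uname ix,
    /bin/cat ix,
    /proc/version r,
  }
}
```

The child profile is what keeps the blast radius small: the generator's output is only read by syslog-ng over a pipe, so the shell needs read access to the SCL tree and exec rights on a handful of utilities, and nothing from the rest of the syslog-ng profile. If the audit log shows the script needing something unexpected, that is a reason to look at the script, not to switch the rule to `ux`.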