[opensuse-factory] apparmor problem
Hello, I'm planning to update syslog-ng to the latest beta release (3.3 final should be here real soon now). I checked the current syslog-ng in factory and ran into an interesting problem: linux-1wrf:/etc/apparmor.d # rcsyslog start Starting syslog servicesError opening file for reading; filename='/proc/kmsg', error='Operation not permitted (1)' Error initializing source driver; source='src', id='src#1' Error initializing message pipeline; startproc: exit status of parent of /sbin/syslog-ng: 2 failed linux-1wrf:/etc/apparmor.d # grep kmsg sbin.syslog-ng @{PROC}/kmsg r, It works fine when I disable AppArmor. Any hints why I get "Operation not permitted", when access to the file is actually allowed? Bye, CzP (from syslog-ng upstream) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Hello, On 08/18/2011 10:25 AM, Sascha Peilicke wrote:
capability syslog, I just created https://bugzilla.novell.com/show_bug.cgi?id=712820 I did not test, but it might also affect other syslog implementations... Oh, and it's alredy there: linux-1wrf:/etc/apparmor.d # grep "capability syslog," * sbin.klogd: capability syslog, Bye, CzP -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Hello, on Donnerstag, 18. August 2011, Peter Czanik wrote:
For the records: /var/log/audit/audit.log will always provide hints ;-)
@CBoltz: Clearly a job for a battle-hardened AppArmorer ;-)
;-)
Yes, the good old syslogd also requires it (at least according to the AppArmor developers). I just commited the patch to add "capability syslog" to the syslog-ng and syslogd profiles upstream and also attached it to the bugreport. However, I'd prefer if we get AppArmor 2.7 beta into Factory. It will be released very soon (John Johansen is currently preparing it).
Yes, it was added by an openSUSE patch which I also commited upstream. That makes a total of 16 successfully upstreamed AppArmor patches (some of them in a modified/updated version) in the last two weeks :-) Regards, Christian Boltz -- :O h:, ich schmeiß mich weg. Wenn es das mit dem Quiz nicht ist, ist es dann so ein Pyramidenschema? Bekommt man eine Prämie, wenn man einen weiteren Newbie in sein Unglück lockt? [Thorsten Haude in suse-linux] -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Hello, On 08/18/2011 10:25 AM, Sascha Peilicke wrote:
capability syslog, I just created https://bugzilla.novell.com/show_bug.cgi?id=712820 I did not test, but it might also affect other syslog implementations... Oh, and it's alredy there: linux-1wrf:/etc/apparmor.d # grep "capability syslog," * sbin.klogd: capability syslog, Bye, CzP -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Hello, on Donnerstag, 18. August 2011, Peter Czanik wrote:
For the records: /var/log/audit/audit.log will always provide hints ;-)
@CBoltz: Clearly a job for a battle-hardened AppArmorer ;-)
;-)
Yes, the good old syslogd also requires it (at least according to the AppArmor developers). I just commited the patch to add "capability syslog" to the syslog-ng and syslogd profiles upstream and also attached it to the bugreport. However, I'd prefer if we get AppArmor 2.7 beta into Factory. It will be released very soon (John Johansen is currently preparing it).
Yes, it was added by an openSUSE patch which I also commited upstream. That makes a total of 16 successfully upstreamed AppArmor patches (some of them in a modified/updated version) in the last two weeks :-) Regards, Christian Boltz -- :O h:, ich schmeiß mich weg. Wenn es das mit dem Quiz nicht ist, ist es dann so ein Pyramidenschema? Bekommt man eine Prämie, wenn man einen weiteren Newbie in sein Unglück lockt? [Thorsten Haude in suse-linux] -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
participants (3)
-
Christian Boltz -
Peter Czanik -
Sascha Peilicke