[opensuse-factory] syslog-ng apparmor question
Hello,

I'm trying to package syslog-ng 3.2-git, and ran into some troubles. V3.2 has an interesting new feature, called SCL (system configuration library), which tries to ease syslog-ng configuration. This works nicely when apparmor is disabled.

SCL uses a script to generate part of the configuration. So, when system(); is used in syslog-ng.conf, it actually calls a script, which generates the missing parts based on the OS. In case of Linux, it's:

linux-6y8u:~ # /usr/share/syslog-ng/include/scl/system/generate-system-source.sh
unix-dgram("/dev/log");
file("/proc/kmsg" program-override("kernel") flags(kernel));

When apparmor is enabled, this script is not run, instead I see "permission denied" in the strace output.

Question: how should I modify /etc/apparmor.d/sbin.syslog-ng to be able to run external scripts and/or applications? This is not only a problem for SCL, but syslog-ng can use these both as log source and destination.

Once a solution is known, I'd put some comments in sbin.syslog-ng, so users could extend the AppArmor ruleset easily instead of disabling it...

Bye,
-- 
Peter Czanik (CzP) <czanik@balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
-- 
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-factory+help@opensuse.org
On Wed, Sep 29, 2010 at 08:22:43AM +0200, Peter Czanik wrote:
Hello,
I'm trying to package syslog-ng 3.2-git, and ran into some troubles. V3.2 has an interesting new feature, called SCL (system configuration library), which tries to ease syslog-ng configuration. This works nicely when apparmor is disabled.
SCL uses a script to generate part of the configuration. So, when system(); is used in syslog-ng.conf, it actually calls a script, which generates the missing parts based on the OS. In case of Linux, it's:
linux-6y8u:~ # /usr/share/syslog-ng/include/scl/system/generate-system-source.sh
unix-dgram("/dev/log");
file("/proc/kmsg" program-override("kernel") flags(kernel));
When apparmor is enabled, this script is not run, instead I see "permission denied" in the strace output.
Question: how should I modify /etc/apparmor.d/sbin.syslog-ng to be able to run external scripts and/or applications. This is not only a problem for SCL, but syslog-ng can use these both as log source and destination.
Once a solution is known, I'd put some comments in sbin.syslog-ng, so users could extend the AppArmor ruleset easily instead of disabling it...
Run on a console (as root)

logprof

and follow the text dialog to adjust the profiles.

Ciao, Marcs
Hello, On 09/29/2010 08:35 AM, Marcus Meissner wrote:
On Wed, Sep 29, 2010 at 08:22:43AM +0200, Peter Czanik wrote:
Hello,
I'm trying to package syslog-ng 3.2-git, and ran into some troubles. V3.2 has an interesting new feature, called SCL (system configuration library), which tries to ease syslog-ng configuration. This works nicely when apparmor is disabled.
SCL uses a script to generate part of the configuration. So, when system(); is used in syslog-ng.conf, it actually calls a script, which generates the missing parts based on the OS. In case of Linux, it's:
linux-6y8u:~ # /usr/share/syslog-ng/include/scl/system/generate-system-source.sh
unix-dgram("/dev/log");
file("/proc/kmsg" program-override("kernel") flags(kernel));
When apparmor is enabled, this script is not run, instead I see "permission denied" in the strace output.
Question: how should I modify /etc/apparmor.d/sbin.syslog-ng to be able to run external scripts and/or applications. This is not only a problem for SCL, but syslog-ng can use these both as log source and destination.
Once a solution is known, I'd put some comments in sbin.syslog-ng, so users could extend the AppArmor ruleset easily instead of disabling it...
Run on a console (as root)
logprof
and follow the text dialog to adjust the profiles.
Well, it did not work out as expected. First I did some hand tuning, so base syslog-ng and SCL without system(); works as expected:

--- sbin.syslog-ng.orig 2010-07-05 13:21:25.000000000 +0200 +++ sbin.syslog-ng 2010-09-29 10:09:51.001748203 +0200 @@ -36,9 +36,10 @@ /etc/hosts.deny r, /etc/hosts.allow r, /sbin/syslog-ng mr, + /usr/share/syslog-ng/** r, # chrooted applications @{CHROOT_BASE}/var/lib/*/dev/log w, - @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist rw, + @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw, @{CHROOT_BASE}/var/log/** w, @{CHROOT_BASE}/var/run/syslog-ng.pid krw, @{CHROOT_BASE}/var/run/syslog-ng.ctl rw,

Then I changed syslog-ng to complain mode and started syslog-ng to collect audit logs. Once ready, I ran logprof. I accepted all of its modification suggestions and then wanted to test it. The first problem was that the generated config could not be loaded at all, as:

@{CHROOT_BASE} = ""

was rewritten to

@{CHROOT_BASE} = ,

which broke the config file. Once I fixed it, reloaded apparmor, switched off "complain" mode, having many new lines in the config, I was back to:

[pid 5104] execve("/bin/sh", ["sh", "-c", "/usr/share/syslog-ng/include/scl"...], [/* 58 vars */]) = -1 EACCES (Permission denied)

logprof made the following modifications:

--- sbin.syslog-ng 2010-09-29 10:09:51.001748203 +0200 +++ sbin.syslog-ng.logprof 2010-09-29 10:34:43.866747585 +0200 @@ -1,3 +1,4 @@ +# Last Modified: Wed Sep 29 10:21:46 2010 # $Id$ # ------------------------------------------------------------------ #
@@ -9,41 +10,53 @@ # License published by the Free Software Foundation. # # ------------------------------------------------------------------ +#define this to be where syslog-ng is chrooted -#include <tunables/global> +@{CHROOT_BASE} = "" -#define this to be where syslog-ng is chrooted -@{CHROOT_BASE}="" +#include <tunables/global> /sbin/syslog-ng { #include <abstractions/base> #include <abstractions/consoles> #include <abstractions/nameservice> + capability chown, capability dac_override, - capability fsetid, capability fowner, - capability sys_tty_config, + capability fsetid, + capability sys_admin, capability sys_resource, + capability sys_tty_config, + /dev/log w, /dev/syslog w, /dev/tty10 rw, /dev/xconsole rw, - /etc/syslog-ng/* r, - @{PROC}/kmsg r, - /etc/hosts.deny r, /etc/hosts.allow r, + /etc/hosts.deny r, + /etc/syslog-ng/* r, /sbin/syslog-ng mr, /usr/share/syslog-ng/** r, - # chrooted applications + /var/run/syslog-ng/additional-log-sockets.conf r, @{CHROOT_BASE}/var/lib/*/dev/log w, @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw, @{CHROOT_BASE}/var/log/** w, - @{CHROOT_BASE}/var/run/syslog-ng.pid krw, @{CHROOT_BASE}/var/run/syslog-ng.ctl rw, - /var/run/syslog-ng/additional-log-sockets.conf r, + @{CHROOT_BASE}/var/run/syslog-ng.pid rwk, + @{PROC}/kmsg r, -} + ^null-36 { + + owner /dev/tty rw, + owner /etc/ld.so.cache r, + owner /lib/lib*so* mr, + owner /proc/meminfo r, + owner /tmp/sh-thd-1285722559 rw, + owner /usr/share/syslog-ng/include/scl/system/generate-system-source.sh r, + + } +}

My syslog-ng 3.2 package is available at https://build.opensuse.org/package/show?package=syslog-ng32&project=home%3Aczanik%3Asyslog-ng32

The problem can be triggered by adding system(); to source src in /etc/syslog-ng/syslog-ng.conf and commenting out unix-dgram.

Bye, CzP
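Review bot: in the `@@ -36,9 +36,10 @@` hunk, `+ /usr/share/syslog-ng/** r,` grants read access only, so the generator under /usr/share/syslog-ng/include/scl/ can be opened but the `execve("/bin/sh", ...)` that system() triggers still matches no rule; this hunk cannot clear the EACCES by itself, and an execute rule for the shell and the script (ix at minimum, or a child profile) is the missing piece. On `syslog-ng.persist* rw,`: the trailing `*` turns the previous exact match into a prefix match for anything in that directory starting with the name, which is fine if intended, but a comment saying which extra file it is meant to cover would help the next reader.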
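Review bot: the `+ ^null-36 { ... }` block in the `@@ -9,41 +10,53 @@` hunk is a learning artifact, not a usable rule: a hat is only entered when the confined program itself calls change_hat, which is not what system() does, so the owner-qualified entries inside it never apply and `/bin/sh` stays unexecutable (consistent with the EACCES still seen after loading it). It should become an execute rule for `/bin/sh` plus the script, with the script's own file needs listed in that context. Three smaller points: `+ capability sys_admin,` is far broader than running a config-generating script requires and should be dropped unless a specific denial justifies it; `+ owner /tmp/sh-thd-1285722559 rw,` is a timestamped here-document temp name that will not match the next run, so if kept it wants `owner /tmp/sh-thd-* rw,`; and `+@{CHROOT_BASE} = ""` moved above `#include <tunables/global>` is the line the author reports logprof rewrote to `@{CHROOT_BASE} = ,`, so check that it survived as quoted here.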
Hello,

sorry for answering that late - I haven't had the time to read the factory list for some time :-/

on Wednesday, 29 September 2010, Peter Czanik wrote:
[AppArmor profile updated by logprof]
Well, it did not work out as expected. First I did some hand tuning, so base syslog-ng and SCL without system(); works as expected:
logprof made the following modifications: [...] + ^null-36 { + owner /dev/tty rw, + owner /etc/ld.so.cache r, + owner /lib/lib*so* mr,
Looks like the (in 11.2 and 11.3) well-known problem that the AppArmor utils don't fully understand the changed log format. The main problem is that it doesn't understand execute events and then creates funny null-xy hats...

The above should have been some type of *x (execute) permission, and maybe a child profile (or an external profile) for the program that is executed.

The date of your mail is very near to the initial commit date of the AppArmor 2.5 package, so you probably had the ancient package when updating the profile.

Please try again (with the latest AppArmor package) and if you don't get a working profile, force someone to fix https://bugzilla.novell.com/show_bug.cgi?id=546618 ;-)
(and/or find someone to fix it for 11.2 and 11.3 *g*)

Regards,

Christian Boltz
-- 
[Fontlinge] Well, first of all Bill can sort his fonts by hand, so there. And he has to explain to millions of sad people why this works on Linux and not on Windows. And then everybody buys Linux distros, Bill goes bankrupt and has to starve, and I ride off into the sunset. [Ratti in suse-programming]
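A profile fragment along the lines Christian describes, added here as an example and not taken from the thread or from the openSUSE package: it replaces logprof's ^null-36 hat with an explicit execute rule. It assumes system() runs the generator through /bin/sh (as the execve in the strace shows), that the script only reads files under /usr/share/syslog-ng, and that the /tmp/sh-thd-* file seen in the logprof hunk is a shell here-document temp file.

```apparmor
# Added example fragment for /etc/apparmor.d/sbin.syslog-ng (not the shipped
# profile). Only the rules relevant to running the SCL generator are shown;
# the capability, /dev and /var rules of the existing profile stay as they are.
#define this to be where syslog-ng is chrooted
@{CHROOT_BASE}=""

#include <tunables/global>

/sbin/syslog-ng {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  # ... existing capability and file rules ...

  /sbin/syslog-ng mr,
  /usr/share/syslog-ng/** r,

  # system() in syslog-ng.conf runs generate-system-source.sh through sh:
  #   execve("/bin/sh", ["sh", "-c", "/usr/share/syslog-ng/include/scl..."])
  # Read access alone never satisfies an execve; an execute rule is needed.
  # "ix" runs the shell and the script inside this very profile, so nothing
  # gains privilege, but everything the script touches must be listed here
  # too. (/bin/sh is typically a link to bash on openSUSE, and AppArmor
  # matches the resolved path, hence both entries.)
  /bin/sh   ix,
  /bin/bash ix,
  /usr/share/syslog-ng/include/scl/**/*.sh rix,

  # The learning run showed sh creating a here-document temp file in /tmp.
  # Use a glob: the timestamped name logprof recorded never matches again.
  owner /tmp/sh-thd-* rw,

  # Do not keep what logprof produced: a ^null-36 hat is only entered when
  # the program itself calls change_hat, which is not what system() does,
  # and "owner" on /lib/lib*so* adds nothing over abstractions/base.
  # A child profile (Cx) would confine the helper more tightly than ix, but
  # that needs a newer AppArmor than the 2.3 Factory carried at the time
  # (assumption: version support is not verified here).
}
```

After editing, reload the profile with the parser and retest the system() source with complain mode off, since the EACCES only shows up in enforce mode.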
Hello, On 11/19/2010 01:30 AM, Christian Boltz wrote:
The date of your mail is very near to the initial commit date of the AppArmor 2.5 package, so you probably had the ancient package when updating the profile.
Factory still has AppArmor 2.3:

linux-ym5q:~ # rpm -qa | grep -i appar
libapparmor1-2.3-62.5.x86_64
apparmor-parser-2.3.1-23.18.x86_64
patterns-openSUSE-apparmor-11.3-30.1.x86_64
apparmor-docs-2.3.1-23.27.noarch
perl-libapparmor-2.3-62.5.x86_64
apparmor-utils-2.3.1-21.8.noarch
apparmor-profiles-2.3-58.7.noarch
pam_apparmor-2.3-59.3.x86_64
yast2-apparmor-2.20.0-1.2.noarch
patterns-openSUSE-apparmor_opt-11.3-30.1.x86_64

Is it worth trying it again, or is it still a broken version?

Bye, CzP
Hello,

on Friday, 19 November 2010, Peter Czanik wrote:
On 11/19/2010 01:30 AM, Christian Boltz wrote:
The date of your mail is very near to the initial commit date of the AppArmor 2.5 package, so you probably had the ancient package when updating the profile.
Factory still has AppArmor 2.3:
:-(
Is it worth trying it again, or is it still a broken version?
As long as it is 2.3, it is most probably still broken.

Better invest your time by forcing the maintainers of security:apparmor (which has 2.5.1) to push the packages to Factory ;-)

And/or install the packages from security:apparmor and test if they work.

Regards,

Christian Boltz
-- 
No trees were killed in the sending of this message. However a large number of electrons were terribly inconvenienced.
Hello, On 11/19/2010 02:15 PM, Christian Boltz wrote:
Is it worth trying it again, or is it still a broken version?
As long as it is 2.3, it is most probably still broken.
Better invest your time by forcing the maintainers of security:apparmor (which has 2.5.1) to push the packages to Factory ;-)
Jeff is working on a new AppArmor package, I hope it hits Factory soon. I already sent my sr against that for syslog-ng 3.2 related profile fixes. I can't submit syslog-ng 3.2 until it is in...

Bye, CzP
On 11/19/2010 08:39 AM, Peter Czanik wrote:
Hello,
On 11/19/2010 02:15 PM, Christian Boltz wrote:
Is it worth trying it again, or is it still a broken version?
As long as it is 2.3, it is most probably still broken.
Better invest your time by forcing the maintainers of security:apparmor (which has 2.5.1) to push the packages to Factory ;-)
Jeff is working on a new AppArmor package, I hope it hits Factory soon. I already sent my sr against that for syslog-ng 3.2 related profile fixes. I can't submit syslog-ng 3.2 until it is in... Bye, CzP
Yep, I'm planning on submitting that today. For testing, my work-in-progress has been committed to security:apparmor:factory.

-Jeff
-- 
Jeff Mahoney
SuSE Labs
Hello,

on Friday, 19 November 2010, Jeff Mahoney wrote:
On 11/19/2010 08:39 AM, Peter Czanik wrote:
Jeff is working on a new AppArmor package, I hope it hits Factory soon. I already sent my sr against that for syslog-ng 3.2 related profile fixes. I can't submit syslog-ng 3.2 until it is in... Bye, CzP
Yep, I'm planning on submitting that today. For testing, my work-in-progress has been committed to security:apparmor:factory.
Good to know :-)

Another question: what about the older distributions? Can I upgrade apparmor-utils to 2.5.1 there (while keeping AppArmor 2.3) to have working utils again - or will this break totally?

Regards,

Christian Boltz
-- 
Hand over a few pieces of information about your system; crystal balls are rare and the witch shop around the corner just can't get hold of them! [Helga Fischer in suse-linux]
participants (4): Christian Boltz, Jeff Mahoney, Marcus Meissner, Peter Czanik