[opensuse-factory] syslog-ng / apparmor issue
Per Jessen wrote:
/sbin/syslog-ng is a symlink to /usr/sbin/syslog-ng.
To get syslog-ng to run, I went through starting it, then running aa-genprof etc. It seemed the profile was non-existent. When I run "/usr/sbin/syslog-ng -F" from the command line, it doesn't pick up the sbin.syslog profile, does it?
I copied sbin.syslog-ng to usr.sbin.syslog-ng, then tried starting syslog-ng:
# /sbin/syslog-ng -F
Auto configuration failed
139651616061200:error:0200100D:system library:fopen:Permission denied:bss_file.c:173:fopen('/etc/ssl/openssl.cnf','rb')
139651616061200:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:178:
139651616061200:error:0E078002:configuration file routines:DEF_LOAD:system lib:conf_def.c:199:
# aa-genprof /usr/sbin/syslog-ng
/etc/apparmor.d/usr.sbin.syslog-ng contains no profile
???
--
Per Jessen, Zürich (11.6°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Mon, Oct 05, 2015 at 08:27:33AM +0200, Per Jessen wrote:
Per Jessen wrote:
/sbin/syslog-ng is a symlink to /usr/sbin/syslog-ng.
To get syslog-ng to run, I went through starting it, then running aa-genprof etc. It seemed the profile was non-existent. When I run "/usr/sbin/syslog-ng -F" from the command line, it doesn't pick up the sbin.syslog profile, does it?
I copied sbin.syslog-ng to usr.sbin.syslog-ng, then tried starting syslog-ng:
# /sbin/syslog-ng -F
Auto configuration failed
139651616061200:error:0200100D:system library:fopen:Permission denied:bss_file.c:173:fopen('/etc/ssl/openssl.cnf','rb')
139651616061200:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:178:
139651616061200:error:0E078002:configuration file routines:DEF_LOAD:system lib:conf_def.c:199:
# aa-genprof /usr/sbin/syslog-ng
/etc/apparmor.d/usr.sbin.syslog-ng contains no profile
???
You notice perhaps that you use /usr/sbin instead of /sbin/
But then, you probably just want to run:
logprof<return>
Ciao, Marcus
Marcus Meissner wrote:
On Mon, Oct 05, 2015 at 08:27:33AM +0200, Per Jessen wrote:
Per Jessen wrote:
/sbin/syslog-ng is a symlink to /usr/sbin/syslog-ng.
To get syslog-ng to run, I went through starting it, then running aa-genprof etc. It seemed the profile was non-existent. When I run "/usr/sbin/syslog-ng -F" from the command line, it doesn't pick up the sbin.syslog profile, does it?
I copied sbin.syslog-ng to usr.sbin.syslog-ng, then tried starting syslog-ng:
# /sbin/syslog-ng -F
Auto configuration failed
139651616061200:error:0200100D:system library:fopen:Permission denied:bss_file.c:173:fopen('/etc/ssl/openssl.cnf','rb')
139651616061200:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:178:
139651616061200:error:0E078002:configuration file routines:DEF_LOAD:system lib:conf_def.c:199:
# aa-genprof /usr/sbin/syslog-ng
/etc/apparmor.d/usr.sbin.syslog-ng contains no profile
???
You notice perhaps that you use /usr/sbin instead of /sbin/
Yes, I just use what the systemd unit uses too.
But then, you probably just want to run:
logprof<return>
I did try that too, it produces a lengthy list of changes to /usr/sbin/ntpd and some for /usr/sbin/syslog-ng
http://files.jessen.ch/office34-logprof.txt
Looking at the changes proposed for /usr/sbin/syslog-ng:
--- /etc/apparmor.d/usr.sbin.ntpd 2015-10-04 00:16:23.000000000 +0200 +++ /tmp/tmpsr5a9xm7 2015-10-05 08:37:54.707820567 +0200 @@ -17,6 +17,8 @@ #include <abstractions/openssl> # #include <abstractions/xad>
+ #include <local/usr.sbin.ntpd> + capability dac_override, capability ipc_lock, capability net_bind_service,
local/usr.sbin.ntpd is empty.
--
Per Jessen, Zürich (11.7°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
Per Jessen wrote:
Marcus Meissner wrote:
On Mon, Oct 05, 2015 at 08:27:33AM +0200, Per Jessen wrote:
Per Jessen wrote:
/sbin/syslog-ng is a symlink to /usr/sbin/syslog-ng.
To get syslog-ng to run, I went through starting it, then running aa-genprof etc. It seemed the profile was non-existent. When I run "/usr/sbin/syslog-ng -F" from the command line, it doesn't pick up the sbin.syslog profile, does it?
I copied sbin.syslog-ng to usr.sbin.syslog-ng, then tried starting syslog-ng:
# /sbin/syslog-ng -F
Auto configuration failed
139651616061200:error:0200100D:system library:fopen:Permission denied:bss_file.c:173:fopen('/etc/ssl/openssl.cnf','rb')
139651616061200:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:178:
139651616061200:error:0E078002:configuration file routines:DEF_LOAD:system lib:conf_def.c:199:
# aa-genprof /usr/sbin/syslog-ng
/etc/apparmor.d/usr.sbin.syslog-ng contains no profile
???
You notice perhaps that you use /usr/sbin instead of /sbin/
Yes, I just use what the systemd unit uses too.
Sorry, I misread - yes, I used /sbin/syslog-ng, but that's only a symlink to /usr/sbin/syslog-ng.
--
Per Jessen, Zürich (11.9°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On Mon, Oct 05, 2015 at 08:42:22AM +0200, Per Jessen wrote:
Marcus Meissner wrote:
On Mon, Oct 05, 2015 at 08:27:33AM +0200, Per Jessen wrote:
Per Jessen wrote:
/sbin/syslog-ng is a symlink to /usr/sbin/syslog-ng.
To get syslog-ng to run, I went through starting it, then running aa-genprof etc. It seemed the profile was non-existent. When I run "/usr/sbin/syslog-ng -F" from the command line, it doesn't pick up the sbin.syslog profile, does it?
I copied sbin.syslog-ng to usr.sbin.syslog-ng, then tried starting syslog-ng:
# /sbin/syslog-ng -F
Auto configuration failed
139651616061200:error:0200100D:system library:fopen:Permission denied:bss_file.c:173:fopen('/etc/ssl/openssl.cnf','rb')
139651616061200:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:178:
139651616061200:error:0E078002:configuration file routines:DEF_LOAD:system lib:conf_def.c:199:
# aa-genprof /usr/sbin/syslog-ng
/etc/apparmor.d/usr.sbin.syslog-ng contains no profile
???
You notice perhaps that you use /usr/sbin instead of /sbin/
Yes, I just use what the systemd unit uses too.
But then, you probably just want to run:
logprof<return>
I did try that too, it produces a lengthy list of changes to /usr/sbin/ntpd and some for /usr/sbin/syslog-ng
http://files.jessen.ch/office34-logprof.txt
Looking at the changes proposed for /usr/sbin/syslog-ng:
--- /etc/apparmor.d/usr.sbin.ntpd 2015-10-04 00:16:23.000000000 +0200 +++ /tmp/tmpsr5a9xm7 2015-10-05 08:37:54.707820567 +0200 @@ -17,6 +17,8 @@ #include <abstractions/openssl> # #include <abstractions/xad>
+ #include <local/usr.sbin.ntpd> + capability dac_override, capability ipc_lock, capability net_bind_service,
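Review bot: the file header of this hunk names /etc/apparmor.d/usr.sbin.ntpd, so the two added lines (the #include <local/usr.sbin.ntpd> line and the blank line after it) belong to the ntpd profile and show nothing of what logprof proposes for /usr/sbin/syslog-ng, which is what the sentence introducing the diff promises. Since local/usr.sbin.ntpd is reported empty, the include also brings in no new rules. Posting the syslog-ng portion of the logprof output instead would let the denied fopen of /etc/ssl/openssl.cnf be checked against the profile that is actually being changed.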
local/usr.sbin.ntpd is empty.
Adding #include <abstractions/openssl> and #include <abstractions/nameservice> for the syslog-ng profile would help.
Also open a bug for the other missing listed files I think.
Ciao, Marcus
Marcus Meissner wrote:
Looking at the changes proposed for /usr/sbin/syslog-ng:
--- /etc/apparmor.d/usr.sbin.ntpd 2015-10-04 00:16:23.000000000 +0200 +++ /tmp/tmpsr5a9xm7 2015-10-05 08:37:54.707820567 +0200 @@ -17,6 +17,8 @@ #include <abstractions/openssl> # #include <abstractions/xad>
+ #include <local/usr.sbin.ntpd> + capability dac_override, capability ipc_lock, capability net_bind_service,
local/usr.sbin.ntpd is empty.
Adding #include <abstractions/openssl> and #include <abstractions/nameservice> for the syslog-ng profile would help.
That one is already present:
#include <abstractions/nameservice>
I added #include <abstractions/openssl> and reloaded the profile with "apparmor_parser -r usr.sbin.syslog-ng".
# /usr/sbin/syslog-ng -F
Auto configuration failed
140010407282448:error:0200100D:system library:fopen:Permission denied:bss_file.c:173:fopen('/etc/ssl/openssl.cnf','rb')
140010407282448:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:178:
140010407282448:error:0E078002:configuration file routines:DEF_LOAD:system lib:conf_def.c:199:
Also open a bug for the other missing listed files I think.
Will do.
--
Per Jessen, Zürich (14.7°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
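The situation in this thread (a /sbin symlink to /usr/sbin and a profile file copied under a new name), as an added example that is not part of any post: AppArmor attaches a profile by the path in its header, matched against the resolved executable path, so renaming the file alone does not make it apply. The directory tree, the profile contents and the function names attach_path, profiles_for and demo_setup are constructed for illustration; the thread does not show the actual profile header.

```shell
#!/bin/sh
# Added example (not from the thread): AppArmor attaches a profile by the path
# in its header, matched against the resolved executable, not by file name.

# Path that would be matched for binary $2 inside the tree rooted at $1.
attach_path() {
    resolved=$(readlink -f "$1$2") || return 1
    printf '%s\n' "${resolved#"$1"}"
}

# Print the files in directory $1 whose profile header names path $2.
# Sketch: only literal "/path {" and "profile name /path {" headers are
# recognised; glob attachments and flags are ignored.
profiles_for() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v p="$2" '
            /^[ \t]*#/ { next }            # comments and #include lines
            /[{][ \t]*$/ { for (i = 1; i < NF; i++) if ($i == p) found = 1 }
            END { exit (found ? 0 : 1) }' "$f" && printf '%s\n' "${f##*/}"
    done
    return 0
}

# Constructed tree: real binary in /usr/sbin, symlink in /sbin, and a profile
# whose header still names /sbin/syslog-ng, copied to a second file name.
demo_setup() {
    root=$(cd "$(mktemp -d)" && pwd -P) || return 1
    mkdir -p "$root/usr/sbin" "$root/sbin" "$root/apparmor.d"
    : > "$root/usr/sbin/syslog-ng"
    ln -s ../usr/sbin/syslog-ng "$root/sbin/syslog-ng"
    printf '%s\n' '#include <tunables/global>' '/sbin/syslog-ng {' \
        '  #include <abstractions/nameservice>' '}' \
        > "$root/apparmor.d/sbin.syslog-ng"
    cp "$root/apparmor.d/sbin.syslog-ng" "$root/apparmor.d/usr.sbin.syslog-ng"
    printf '%s\n' "$root"
}

root=$(demo_setup)
target=$(attach_path "$root" /sbin/syslog-ng)
echo "exec of /sbin/syslog-ng is matched as: $target"
echo "files declaring $target: $(profiles_for "$root/apparmor.d" "$target" | tr '\n' ' ')"
echo "files declaring /sbin/syslog-ng: $(profiles_for "$root/apparmor.d" /sbin/syslog-ng | tr '\n' ' ')"
rm -rf "$root"
```

On a live system, aa-status lists the loaded profile names, and the header inside each file under /etc/apparmor.d is what has to name the resolved path.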
participants (2)
- Marcus Meissner
- Per Jessen