Mailinglist Archive: opensuse-factory (1324 mails)

Re: [opensuse-factory] syslog-ng / apparmor issue
  • From: Per Jessen <per@xxxxxxxxxxxx>
  • Date: Mon, 05 Oct 2015 08:42:22 +0200
  • Message-id: <mut64c$532$1@saturn.local.net>
Marcus Meissner wrote:

On Mon, Oct 05, 2015 at 08:27:33AM +0200, Per Jessen wrote:
Per Jessen wrote:

/sbin/syslog-ng is a symlink to /usr/sbin/syslog-ng.

To get syslog-ng to run, I went through starting it, then running
aa-genprof etc.
It seemed the profile was non-existent. When I run
"/usr/sbin/syslog-ng -F" from the command line, it doesn't pick up
the sbin.syslog profile, does it?

I copied sbin.syslog-ng to usr.sbin.syslog-ng, then tried starting
syslog-ng:

# /sbin/syslog-ng -F
Auto configuration failed
139651616061200:error:0200100D:system library:fopen:Permission
denied:bss_file.c:173:fopen('/etc/ssl/openssl.cnf','rb')
139651616061200:error:2006D002:BIO routines:BIO_new_file:system
lib:bss_file.c:178:
139651616061200:error:0E078002:configuration file
routines:DEF_LOAD:system lib:conf_def.c:199:

# aa-genprof /usr/sbin/syslog-ng

/etc/apparmor.d/usr.sbin.syslog-ng contains no profile

???

You notice perhaps that you use /usr/sbin instead of /sbin/

Yes, I just use what the systemd unit uses too.

But then, you probably just want to run:

logprof<return>

I did try that too, it produces a lengthy list of changes
to /usr/sbin/ntpd and some for /usr/sbin/syslog-ng

http://files.jessen.ch/office34-logprof.txt

Looking at the changes proposed for /usr/sbin/syslog-ng:

--- /etc/apparmor.d/usr.sbin.ntpd 2015-10-04 00:16:23.000000000
+0200
+++ /tmp/tmpsr5a9xm7 2015-10-05 08:37:54.707820567 +0200
@@ -17,6 +17,8 @@
#include <abstractions/openssl>
# #include <abstractions/xad>

+ #include <local/usr.sbin.ntpd>
+
capability dac_override,
capability ipc_lock,
capability net_bind_service,
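
Review bot: the added "#include <local/usr.sbin.ntpd>" line lands in /etc/apparmor.d/usr.sbin.ntpd (see the ---/+++ header), not in a syslog-ng profile, so it does nothing for the fopen('/etc/ssl/openssl.cnf','rb') "Permission denied" shown earlier. That denial needs a rule in whichever profile actually attaches to /usr/sbin/syslog-ng, for instance the same "#include <abstractions/openssl>" this ntpd profile already carries in the context lines. The new include also arrives without a comment; a one-line note above it saying the local file holds site-specific additions would explain why local/usr.sbin.ntpd can legitimately be empty.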


local/usr.sbin.ntpd is empty.



--
Per Jessen, Zürich (11.7°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
