Mailinglist Archive: opensuse-factory (1324 mails)

< Previous Next >
Re: [opensuse-factory] Issues observed during installation of latest Leap
Hello,

Am Montag, 5. Oktober 2015 schrieb Per Jessen:
Christian Boltz wrote:
Am Sonntag, 4. Oktober 2015 schrieb Per Jessen:
c) syslog-ng apparmor profile

Non-existent?

/etc/apparmor.d/sbin.syslog-ng is in the apparmor-profiles package.
Is this package installed?

Yes, it is installed:

/sbin/syslog-ng is a symlink to /usr/sbin/syslog-ng.

To get syslog-ng to run, I went through starting it, then running
aa-genprof etc. It seemed the profile was non-existent. When I run
"/usr/sbin/syslog-ng -F" from the command line, it doesn't pick up the
sbin.syslog profile, does it?

The filenames in /etc/apparmor.d/ don't really matter - you could name a
profile file /etc/apparmor.d/whatever-i-want and AppArmor would still
only look at the content ;-) [1]

In the case of syslog-ng, the profile starts with
profile syslog-ng /{usr/,}sbin/syslog-ng {
which means the profile applies to both /sbin/syslog-ng and
/usr/sbin/syslog-ng. The "profile syslog-ng" part sets the profile name
which basically makes sure that it will appear with just "syslog-ng" in
the audit.log - but even if it would just be
/{usr/,}sbin/syslog-ng {
it would still apply to /sbin/syslog-ng and /usr/sbin/syslog-ng.

To answer the aa-genprof part - aa-genprof isn't smart enough to
check/find profiles that attach to multiple binaries (like {..,..}
alternations or wildcards) [2], so it didn't notice that
/{usr/,}sbin/syslog-ng is already there. Therefore aa-genprof created a
/usr/sbin/syslog-ng profile for you.

At least this explains why aa-genprof asked you for things that were
already allowed in the "official" profile - I already wondered what is
going on when reading your bugreport (#948753).

Note that you now have two more or less conflicting profiles loaded. I'd
guess that your /usr/sbin/syslog-ng profile is used because it's an
exact match, but that's probably not what you want. Therefore I'd
recommend to delete "your" profile, run "rcapparmor reload" and then
restart syslog-ng so that it uses the "official" profile.


Regards,

Christian Boltz

[1] there are exceptions - for example, *.rpmnew files are ignored for
obvious reasons

[2] I know there is room for improvement, but unfortunately my days only
have 24 hours ;-)
--
240 TB also... das wären dann die Konfigurationsdateien. Und die ganzen
"Nutzdaten"? MP3's? jpg's? Wo haben die Platz?
[Andreas Feile in suse-linux]

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-factory+owner@xxxxxxxxxxxx

< Previous Next >
Follow Ups