Correct, SELinux is not used on Ubuntu by default. However, you should check 
your AppArmor/aa logs. I don't know much about Ubuntu (it's been years since 
I've worked with Ubuntu, and even then only at a user level). But if it's 
anything like RHEL/derivatives, it's enabled and enforcing by default. If you 
had it turned off, or had custom profiles created to handle your fanvil.sh 
script, they may not have been transferred when you upgraded. (How did you 
upgrade, Ubuntu's version of LEAPP? Scratch build?)

Of the commands I gave previously, aa-status will tell you if AppArmor is 
installed. If you want the quick and dirty way to test if this is aa, run the 
following commands per https://ubuntu.com/server/docs/apparmor:

systemctl stop apparmor
systemctl disable apparmor

Then restart rsyslog and see if it fails. If it doesn't fail, you've found your 
issue, which can be remedied by fixing the profile (preferred), disabling the 
profile for syslog specifically (not ideal), or leaving AppArmor disabled 
permanently (last resort). Assuming you don't go with the last option, ensure 
you restart and enable aa's service.


Cheers,
Mike




Michael Redbourne (he/him)
Senior Security Analyst
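
Added example (not part of the original message, and not rsyslog or Ubuntu code): one way to check the AppArmor logs mentioned above for a denial of the omprog script before stopping the service. The log lines are constructed, and the profile names (rsyslogd, otherd) and the key="value" layout of the denial record are assumptions about the system being checked.

```sh
#!/bin/sh
# Added example: list AppArmor denials for one profile from kernel log lines.

# aa_denials PROFILE
# Reads log lines on stdin and prints "operation denied_mask path" for each
# apparmor="DENIED" record whose profile= field equals PROFILE.
aa_denials() {
    awk -v want="$1" '
        # Value of key="value" in the current line, or "" if the key is absent.
        # A space is prepended so that "name" cannot match inside another key.
        function field(key,    line, s) {
            line = " " $0
            if (!match(line, " " key "=\"[^\"]*\"")) return ""
            s = substr(line, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", s)   # drop the leading  key="
            sub(/"$/, "", s)        # drop the closing quote
            return s
        }
        /apparmor="DENIED"/ && field("profile") == want {
            print field("operation"), field("denied_mask"), field("name")
        }'
}

# Constructed sample input (not taken from the thread): one denial for the
# assumed rsyslogd profile, one ALLOWED record, one denial for another profile,
# and the rsyslog error line itself, which carries no AppArmor fields.
sample_log() {
    cat <<'EOF'
Jan 11 05:51:02 host kernel: audit: type=1400 audit(1736571062.101:211): apparmor="DENIED" operation="exec" class="file" profile="rsyslogd" name="/usr/local/bin/fanvil.sh" pid=4242 comm="rsyslogd" requested_mask="x" denied_mask="x" fsuid=104 ouid=104
Jan 11 05:51:03 host kernel: audit: type=1400 audit(1736571063.007:212): apparmor="ALLOWED" operation="open" class="file" profile="rsyslogd" name="/etc/hosts" pid=4242 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=104 ouid=0
Jan 11 05:52:10 host kernel: audit: type=1400 audit(1736571130.450:213): apparmor="DENIED" operation="open" class="file" profile="otherd" name="/etc/shadow" pid=900 comm="otherd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 11 05:51:02 host rsyslogd: omprog: failed to execute program '/usr/local/bin/fanvil.sh': Permission denied
EOF
}

# Prints: exec x /usr/local/bin/fanvil.sh
sample_log | aa_denials rsyslogd
```

On a live host, feed the function the kernel log instead of the sample, for example `journalctl -k | aa_denials rsyslogd` run as root.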

________________________________
From: rsyslog <rsyslog-boun...@lists.adiscon.com> on behalf of Mårten Persson 
via rsyslog <rsyslog@lists.adiscon.com>
Sent: Saturday, January 11, 2025 11:03 PM
To: rsyslog@lists.adiscon.com <rsyslog@lists.adiscon.com>
Cc: Mårten Persson <mar...@m-aero.se>
Subject: Re: [rsyslog] omprog

Sorry, forgot to mention the distro....

Ubuntu 24.04.1 LTS (GNU/Linux 6.8.0-51-generic x86_64)

So, no selinux as far as I know

Regards /Mårten

On Sat, 2025-01-11 at 11:15 +0100, Mårten Persson via rsyslog wrote:
> Hello everybody,
>
> I updated my distro and after that omprog lacks rights...
> The config and the scripts have been working flawlessly for a long
> time :-)
>
> The error message:
>  rsyslogd: omprog: failed to execute program '/usr/local/bin/fanvil.sh': Permission denied
>
> The file with permissions:
> -rwxr-xr-x  1 syslog adm  3458 Nov  8 22:18 fanvil.sh*
>
> And finally rsyslogd:
> systemd+    5552  0.0  0.0 154412  2900 ?        Ssl  Jan03   0:00 /usr/sbin/rsyslogd
> syslog    389972  0.0  0.0 235824  4980 ?        Ssl  Jan05   0:00 rsyslogd
> syslog   1678535  0.0  0.0 378668  5632 ?        Ssl  05:51   0:00 /usr/sbin/rsyslogd -n -iNONE
>
> So user syslog runs rsyslogd, the file that omprog should execute is
> owned by syslog with execute rights.
>
> What am I missing here ?
>
> Thank you for any  help / pointers
>
> Mårten
>
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
> POST if you DON'T LIKE THAT.
