Yeah I have considered it as nice drive-by improvement unrelated to this bug - and thanks for doing so. I just had sorted out some loose ends on rsyslog and they both were part of it.
Since this didn't work last time it is not closed yet, but open at low prio.
As explained TBH I think we won't do it (this bug) as SRU a second time.
Oh yeah let's set Won't Fix to reflect that as well.

** Changed in: rsyslog (Ubuntu Bionic)
       Status: In Progress => Won't Fix

** Changed in: rsyslog (Ubuntu Eoan)
       Status: In Progress => Won't Fix

** Changed in: rsyslog (Ubuntu Disco)
       Status: In Progress => Won't Fix

--
https://bugs.launchpad.net/bugs/1827253

Title:
  [apparmor] missing 'mr' on binary for usage on containers

Status in rsyslog package in Ubuntu:
  Fix Released
Status in rsyslog source package in Bionic:
  Won't Fix
Status in rsyslog source package in Disco:
  Won't Fix
Status in rsyslog source package in Eoan:
  Won't Fix

Bug description:
  [Impact]

   * rsyslog ships with a (default disabled) apparmor profile.
   * Security sensitive users are in general encouraged to enable such
     profiles but unfortunately due to slightly new behavior of the program
     the profile prevents its usage.
   * Allow the program to map/read its binary to get this working again

  [Test Case]

  1) Create a 'eoan' container called rs1 here:
    lxc launch ubuntu-daily:e rs1
  2) Enter the container
    lxc shell rs1
  3) Enable apparmor profile
    rm /etc/apparmor.d/disable/usr.sbin.rsyslogd
    apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.rsyslogd
    systemctl restart rsyslog
  4) notice rsyslog failed to start
    systemctl status rsyslog

  [Regression Potential]

   * This is just opening up the apparmor profile a bit. Therefore the only
     regression it could cause IMHO is a security issue. But then what it
     actually allows is reading (not writing!) its own binary which should
     be very safe.
   * Thinking further it came to my mind that package updates (independent
     to the change) might restart services and that means if there is any
     issue e.g. in a local config that worked but now fails (not by this
     change but in general) then the upgrade will not cause, but trigger
     this. This is a general regression risk for any upload, but in this
     case worth to mention as it is about log handling - which if broken -
     makes large scale systems hard to debug.

  [Other Info]

   * n/a

  ---

  Issue description:

  Enabling the rsyslog (disabled by default) Apparmor profile causes
  rsyslog to fail to start when running *inside a container*.

  Steps to reproduce:

  1) Create a 'eoan' container called rs1 here:
    lxc launch ubuntu-daily:e rs1
  2) Enter the container
    lxc shell rs1
  3) Enable apparmor profile
    rm /etc/apparmor.d/disable/usr.sbin.rsyslogd
    apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.rsyslogd
    systemctl restart rsyslog
  4) notice rsyslog failed to start
    systemctl status rsyslog

  Workaround:

    echo ' /usr/sbin/rsyslogd mr,' >> /etc/apparmor.d/local/usr.sbin.rsyslogd
    apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.rsyslogd
    systemctl restart rsyslog

  Additional information:

  root@rs1:~# uname -a
  Linux rs1 4.15.0-48-generic #51-Ubuntu SMP Wed Apr 3 08:28:49 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
  root@rs1:~# lsb_release -rd
  Description: Ubuntu Eoan EANIMAL (development branch)
  Release: 19.10
  root@rs1:~# dpkg -l| grep -wE 'apparmor|rsyslog'
  ii apparmor 2.13.2-9ubuntu6 amd64 user-space parser utility for AppArmor
  ii rsyslog 8.32.0-1ubuntu7 amd64 reliable system and kernel logging daemon

  ProblemType: Bug
  DistroRelease: Ubuntu 19.10
  Package: rsyslog 8.32.0-1ubuntu7
  ProcVersionSignature: Ubuntu 4.15.0-48.51-generic 4.15.18
  Uname: Linux 4.15.0-48-generic x86_64
  ApportVersion: 2.20.10-0ubuntu27
  Architecture: amd64
  Date: Wed May 1 17:36:29 2019
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: rsyslog
  UpgradeStatus: No upgrade log present (probably fresh install)
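
The workaround in the bug description appends the rule with `echo ... >>`, which adds a duplicate line each time it is re-run. The script below is an added example, not part of the bug report or the rsyslog package: it reads the denied permissions for one path out of AppArmor denial lines and adds the matching local rule only if it is missing. The log lines are constructed in the usual kernel audit format (not copied from this bug), and the function names and temporary paths are assumptions.

```shell
#!/bin/sh
# Added example. sample_log prints CONSTRUCTED audit lines for the demo.
sample_log() {
cat <<'EOF'
audit: type=1400 audit(1556732189.100:41): apparmor="DENIED" operation="open" profile="rsyslogd" name="/usr/sbin/rsyslogd" pid=812 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1556732189.101:42): apparmor="DENIED" operation="file_mmap" profile="rsyslogd" name="/usr/sbin/rsyslogd" pid=812 comm="rsyslogd" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
audit: type=1400 audit(1556732189.102:43): apparmor="DENIED" operation="open" profile="rsyslogd" name="/srv/other.log" pid=812 comm="rsyslogd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1556732189.103:44): apparmor="ALLOWED" operation="open" profile="rsyslogd" name="/usr/sbin/rsyslogd" pid=812 comm="rsyslogd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
EOF
}

# Print the sorted union of denied_mask letters logged as DENIED for one path.
# $1 = log file, $2 = path as it appears in the name="..." field
denied_masks() {
    grep 'apparmor="DENIED"' "$1" \
      | grep -F "name=\"$2\"" \
      | sed -n 's/.*denied_mask="\([a-z]*\)".*/\1/p' \
      | fold -w 1 | sort -u | tr -d '\n'
}

# Append "  <path> <perms>," to an override file unless that rule is already there.
# $1 = override file, $2 = path, $3 = permissions (refuses an empty set)
ensure_rule() {
    [ -n "$3" ] || return 1
    if awk -v p="$2" -v m="$3," '$1 == p && $2 == m { found = 1 }
            END { exit !found }' "$1" 2>/dev/null; then
        return 0    # rule present: nothing to do
    fi
    printf '  %s %s,\n' "$2" "$3" >> "$1"
}

# Demo on temp files. On a real system the override file is
# /etc/apparmor.d/local/usr.sbin.rsyslogd, followed by the apparmor_parser
# reload and service restart shown in the workaround.
tmp=$(mktemp -d)
sample_log > "$tmp/kern.log"
masks=$(denied_masks "$tmp/kern.log" /usr/sbin/rsyslogd)
ensure_rule "$tmp/local" /usr/sbin/rsyslogd "$masks"
ensure_rule "$tmp/local" /usr/sbin/rsyslogd "$masks"   # second run adds nothing
echo "denied masks: $masks"
cat "$tmp/local"
rm -rf "$tmp"
```

Review the derived permissions before loading them: the point of reading the denials first is to grant only what was actually refused for that one path.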