bastille fails to set correct permissions for klogd.

Bug #157952 reported by Jacob Torrey
Affects: bastille (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Nominated for Hardy by dfidler

Bug Description

Binary package hint: apparmor

When an application violates its profile, it shows up in dmesg like so:
...
[30372.184000] audit(1193544332.481:7415): type=1502 operation="inode_permission" requested_mask="r" denied_mask="r" name=2F686F6D652F72616E6F6B2F486F6D65776F726B2F53656E696F722045786869626974696F6E2F574150532F53656E696F7245782E706466 pid=6496 profile="/usr/bin/pidgin"
...
However, when I cat /var/log/messages, all that shows up is:
...
Oct 27 22:59:55 localhost -- MARK --
...
This causes logprof to fail to read, thus making it impossible to easily configure my profiles.

I'm running a fully updated version of Gutsy:
Linux nebula 2.6.22-14-generic #1 SMP Sun Oct 14 23:05:12 GMT 2007 i686 GNU/Linux

This recently started not working, so I'm thinking it's related to https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/140508; however, this is slightly different and might not have the same root cause. If it is a duplicate, sorry.

Thanks a bunch for looking into this.

Jacob Torrey

Mathias Gug (mathiaz) wrote :

Thanks for taking time to report this bug and help make Ubuntu better.

Did you generate a pidgin profile by hand? Could you attach it to this bug?

Do you see a lot of these messages?

Changed in apparmor:
status: New → Incomplete

Jacob Torrey (ranok) wrote :

Here is my pidgin profile, though regardless of what application violates its profile, none of the messages get logged properly. I used genprof to make the profile, and I get a violation every time I try to save or send files (which violates my profile).

JT

Mathias Gug (mathiaz) wrote : Re: [Bug 157952] Re: Profile violations fail to log correctly

On Thu, Nov 01, 2007 at 01:10:28PM -0000, Jacob Torrey wrote:
> Here is my pidgin profile, though regardless of what application
> violates its profile, none of the messages get logged properly. I used
> genprof to make the profile, and I get a violation every time I try to
> save or send files (which violates my profile).
>

Did you install the audit daemon? Did you modify the syslog
configuration?

--
Mathias

Jacob Torrey (ranok) wrote : Re: Profile violations fail to log correctly

It was working when I first installed Gutsy (Tribe 5) and recently has stopped; I haven't done any strange configuration, nor made any relevant system changes aside from updating my system.

Mathias Gug (mathiaz) wrote : Re: [Bug 157952] Re: Profile violations fail to log correctly

On Thu, Nov 01, 2007 at 02:41:51PM -0000, Jacob Torrey wrote:
> It was working when I first installed Gutsy (Tribe 5) and recently has
> stopped; I haven't done any strange configuration, nor made any relevant
> system changes aside from updating my system.

Did the problem appear after a kernel upgrade?

Jacob Torrey (ranok) wrote : Re: Profile violations fail to log correctly

I did indeed, hence the link to https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/140508, but I wasn't sure if it was the same root cause. Either way, the fact that logprof doesn't work either should be added to the bug.

Mathias Gug (mathiaz) wrote : Re: [Bug 157952] Re: Profile violations fail to log correctly

Did you reboot the system?

Jacob Torrey (ranok) wrote :

Of course; it's a laptop, so it's up and down all the time.

John Johansen (jjohansen) wrote : Re: Profile violations fail to log correctly

Well I can say that this isn't related to https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/140508 as the problem there was a message format change and not the message being logged.

Since messages are being sent to the kernel ring buffer (dmesg), we can infer that auditd isn't running. What happens if you rerun genprof on the program?

Also, are other kernel messages getting logged in /var/log/messages? Could you attach your /etc/syslog.conf and a tail of /var/log/messages?

Jacob Torrey (ranok) wrote : Re: [Bug 157952] Re: Profile violations fail to log correctly

If I re-run genprof, it calls logprof and I get (almost) nothing:

ranok@nebula:~$ sudo genprof /usr/bin/pidgin

Please start the application to be profiled in
another window and exercise its functionality now.

Once completed, select the "Scan" button below in
order to scan the system logs for AppArmor events.

For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.

Profiling: /usr/bin/pidgin

[(S)can system log for SubDomain events] / (F)inish
Reading log entries from /var/log/messages.
Updating AppArmor profiles in /etc/apparmor.d.

Profiling: /usr/bin/pidgin

[(S)can system log for SubDomain events] / (F)inish
FINISHING

Looking at my syslog.conf, it might be that Bastille is messing something up. I'll try removing it and seeing if that fixes it.

tail /var/log/messages
Nov 1 13:50:22 localhost -- MARK --
Nov 1 14:10:22 localhost -- MARK --
Nov 1 14:10:47 localhost exiting on signal 15
Nov 1 15:07:58 localhost syslogd 1.4.1#21ubuntu3: restart.
Nov 1 15:08:21 localhost dhcdbd: Started up.
Nov 1 15:08:53 localhost gnome-power-manager: (ranok) Power Manager is already running in this session.
Nov 1 15:13:29 localhost ranok: GenProf: 8d1fb148ac334a2ab38d647baa11795e
Nov 1 15:13:57 localhost ranok: GenProf: 811c44ade7f677853a091a006c24bf0a
Nov 1 15:15:35 localhost ranok: GenProf: 143964d75508277b830af8fae870e3dc
Nov 1 15:15:36 localhost ranok: GenProf: c2ab2a0e1b3022049b70c301f1df05af

If I don't run genprof, I normally see just the -- MARK -- and the stuff from other daemons.

JT

# /etc/syslog.conf Configuration file for syslogd.
#
# For more information see syslog.conf(5)
# manpage.

#
# First some standard logfiles. Log by facility.
#

auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log

#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err

# Logging for INN news system
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice

#
# Some `catch-all' logfiles.
#
*.=debug;\
 auth,authpriv.none;\
 news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
 auth,authpriv.none;\
 cron,daemon.none;\
 mail,news.none -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg *

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8

# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
#
daemon.*;mail.*;\
 news.err;\
 *.=debug;*.=info;\
 *.=notice;*.=warn |/dev/xconsole

####...


Jacob Torrey (ranok) wrote : Re: Profile violations fail to log correctly

I commented out the stuff that BASTILLE added, and restarted syslogd, and I still get nothing.

John Johansen (jjohansen) wrote :

Could you take a look and verify that the messages are showing up in /var/log/syslog and /var/log/kern.log?

And could you also attach your /etc/apparmor/logprofi.conf?

John Johansen (jjohansen) wrote :

Err, sorry for the typo; the config file is /etc/apparmor/logprof.conf.

Jacob Torrey (ranok) wrote : Re: [Bug 157952] Re: Profile violations fail to log correctly

Here you go

# $Id: logprof.conf 981 2007-09-17 03:28:26Z DominicReynolds_ $
# ------------------------------------------------------------------
#
# Copyright (C) 2004-2006 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

[settings]
  profiledir = /etc/apparmor.d /etc/subdomain.d
  inactive_profiledir = /usr/share/doc/apparmor-profiles/extras
  logfiles = /var/log/audit/audit.log /var/log/messages /var/log/syslog

  parser = /sbin/apparmor_parser /sbin/subdomain_parser
  ldd = /usr/bin/ldd
  logger = /bin/logger /usr/bin/logger

  # custom directory locations to look for #includes
  #
  # each name should be a valid directory containing possible #include
  # candidate files under the profile dir which by default is /etc/apparmor.d.
  #
  # So an entry of my-includes will allow /etc/apparmor.d/my-includes to
  # be used by the yast UI and profiling tools as a source of #include
  # files.
  custom_includes =

[repository]
  distro = ubuntu-gutsy
  url = http://apparmor.test.opensuse.org/backend/api
  preferred_user = ubuntu

[qualifiers]
  # things will be painfully broken if bash has a profile
  /bin/bash = iu
  /bin/ksh = iu

  # these programs can't function if they're confined
  /bin/mount = u
  /etc/init.d/subdomain = u
  /sbin/cardmgr = u
  /sbin/subdomain_parser = u
  /usr/sbin/genprof = u
  /usr/sbin/logprof = u
  /usr/lib/YaST2/servers_non_y2/ag_genprof = u
  /usr/lib/YaST2/servers_non_y2/ag_logprof = u

  # these ones shouln't have their own profiles
  /bin/awk = i
  /bin/cat = i
  /bin/chmod = i
  /bin/chown = i
  /bin/cp = i
  /bin/gawk = i
  /bin/grep = i
  /bin/gunzip = i
  /bin/gzip = i
  /bin/kill = i
  /bin/ln = i
  /bin/ls = i
  /bin/mkdir = i
  /bin/mv = i
  /bin/readlink = i
  /bin/rm = i
  /bin/sed = i
  /bin/touch = i
  /sbin/killall5 = i
  /usr/bin/find = i
  /usr/bin/killall = i
  /usr/bin/nice = i
  /usr/bin/perl = i
  /usr/bin/tr = i

[required_hats]
  ^.+/apache(|2|2-prefork)$ = DEFAULT_URI HANDLING_UNTRUSTED_INPUT
  ^.+/httpd(|2|2-prefork)$ = DEFAULT_URI HANDLING_UNTRUSTED_INPUT

[defaulthat]
  ^.+/apache(|2|2-prefork)$ = DEFAULT_URI
  ^.+/httpd(|2|2-prefork)$ = DEFAULT_URI

[globs]
  # /foo/bar/lib/libbaz.so -> /foo/bar/lib/lib*
  /lib/lib[^\/]+so[^\/]*$ = /lib/lib*so*

  # strip kernel version numbers from kernel module accesses
  ^/lib/modules/[^\/]+\/ = /lib/modules/*/

  # strip pid numbers from /proc accesses
  ^/proc/\d+/ = /proc/*/

  # if it looks like a home directory, glob out the username
  ^/home/[^\/]+ = /home/*

  # if they use any perl modules, grant access to all
  ^/usr/lib/perl5/.+$ = /usr/lib/perl5/**

  # locale foo
  ^/usr/lib/locale/.+$ = /usr/lib/locale/**
  ^/usr/share/locale/.+$ = /usr/share/locale/**

  # timezone fun
  ^/usr/share/zoneinfo/.+$ =...


John Johansen (jjohansen) wrote : Re: Profile violations fail to log correctly

Can you check and see if the genprof marks and kernel messages are going to /var/log/syslog? If they both are, can you try editing your /etc/apparmor/logprof.conf

from
  logfiles = /var/log/audit/audit.log /var/log/messages /var/log/syslog
to
  logfiles = /var/log/syslog

John Johansen (jjohansen) wrote :

If the above doesn't work, could you include the output from the following command:

ps aux | grep logd

Jacob Torrey (ranok) wrote : Re: [Bug 157952] Re: Profile violations fail to log correctly

The marks didn't seem to go to /var/log/syslog; here's the output of the ps command:

ranok@nebula:~$ !p
ps aux | grep logd
root 5212 0.0 0.0 1836 516 ? S 15:07 0:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
syslog 7177 0.0 0.0 1916 740 ? Ss 15:22 0:00 /sbin/syslogd -u syslog
ranok 11309 0.0 0.0 2972 752 pts/1 R+ 22:15 0:00 grep logd
ranok@nebula:~$

Thanks a bunch for all your help,

    Jacob

Mathias Gug (mathiaz) wrote :

On Fri, Nov 02, 2007 at 02:16:10AM -0000, Jacob Torrey wrote:
> The marks didn't seem to go to /var/log/syslog,

What do you mean by marks? Are you referring to "GenProf: 8d1fb148ac334a2ab38d647baa11795e" or the profile violation?

Jacob Torrey (ranok) wrote :

Sorry, I was unclear:

GenProf: 8d1fb148ac334a2ab38d647baa11795e

was there, but the profile violations weren't.

JT

John Johansen (jjohansen) wrote : Re: Profile violations fail to log correctly

Your ps output shows that klogd isn't running. This means none of the kernel messages will make it to syslog.

Do "ps aux | grep logd", kill the dd process and then run "/etc/init.d/klogd start", then rerun "ps aux | grep logd" to make sure klogd and syslogd are running. If they are, try profiling something and see if the messages show up in any of the log files /var/log/messages, /var/log/syslog or /var/log/kern.log.

This should fix the problem temporarily, but we still need to find out why your klogd is not starting or is dying on boot.

Jacob Torrey (ranok) wrote : Re: [Bug 157952] Re: Profile violations fail to log correctly

That did it! Bastille must have made klogd unable to run with the proper permissions. Thank you so much for your help, guys.

I just gave /sbin/klogd 755 permissions.

Jacob Torrey

John Johansen (jjohansen) wrote : Re: Profile violations fail to log correctly

Glad to hear it worked. My guess is that it happened because Ubuntu runs klogd under the klogd user instead of root.
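A health check for the failure mode diagnosed in the two comments above, added here as an example and not taken from the bug report or from Ubuntu's klogd init script: it looks for a real klogd in "ps aux" output (the dd reader of /proc/kmsg that appears in Jacob's output does not count) and confirms that the klogd binary carries the other-execute bit an unprivileged klogd user needs. The function names, the --run flag and the sample process lines are constructed for this example.

```sh
#!/bin/sh
# Hypothetical health check (not part of the bug report or of Ubuntu's klogd
# init script) for the failure mode in this thread: Ubuntu starts klogd as the
# unprivileged klogd user, so /sbin/klogd must stay executable by that user.
# Otherwise the init script ends up with only a "dd ... if=/proc/kmsg" reader
# holding /proc/kmsg, and kernel messages such as AppArmor denials never reach
# /var/log/messages, /var/log/syslog or /var/log/kern.log.

# klogd_running PS_OUTPUT: 0 if a real /sbin/klogd process is listed.
# The "grep logd" line and the dd fallback (whose argument merely contains
# /var/run/klogd/kmsg) are deliberately not counted.
klogd_running() {
    printf '%s\n' "$1" | grep -v ' grep ' | grep -q '/sbin/klogd'
}

# kmsg_fallback PS_OUTPUT: 0 if a dd process is what currently reads /proc/kmsg.
kmsg_fallback() {
    printf '%s\n' "$1" | grep -q '/bin/dd.*/proc/kmsg'
}

# world_exec FILE: 0 if the "other" execute bit is set, which is what a
# service user that is neither owner nor group of the binary needs.
# Column 10 of "ls -ld" output is the other-execute flag (x, t, T or -).
world_exec() {
    case "$(ls -ld "$1" | cut -c10)" in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_klogd PS_OUTPUT BINARY: prints findings; returns 0 only when healthy.
check_klogd() {
    ps_out=$1; bin=$2; rc=0
    if ! klogd_running "$ps_out"; then
        echo "klogd is not running: kernel messages will not reach syslog"
        rc=1
        kmsg_fallback "$ps_out" && echo "  (a dd fallback reader holds /proc/kmsg instead)"
    fi
    if ! world_exec "$bin"; then
        echo "$bin lacks the other-execute bit; the klogd user cannot start it"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "kernel log forwarding looks healthy"
    return "$rc"
}

# Check the live system only when invoked as: sh klogd-check.sh --run
[ "${1-}" = "--run" ] && check_klogd "$(ps aux)" /sbin/klogd
```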

Mathias Gug (mathiaz) wrote :

Not an apparmor problem. Reassigning to bastille.

Changed in bastille:
status: Incomplete → Invalid

dfidler (ubuntu-continuingtime) wrote :

I just upgraded two Ubuntu 7.10 boxes to 8.0.4LTS; both upgrades were bitten by this problem.

I used the same config file for both. chmod'ing 755 /sbin/klogd did work around the problem though.

Anyways, as I've been bitten by this twice, I'm guessing that the status of 'invalid' is wrong.
