Apparmor profile prevents rsyslog from chown'ing log files
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
rsyslog (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
When enabling the Apparmor profile of rsyslog before the first boot (i.e.: post debootstrap) rsyslog is able to create the destination log files like /var/log/syslog but cannot chown them. Since rsyslog drops privileges after creating files, it can no longer write to them so the admin is left with no log.
Here is how to reproduce:
1) stop rsyslog
2) rm -f /etc/apparmor.
3) service apparmor reload
4) rm -f /var/log/syslog
5) start rsyslog
6) ls -l /var/log/syslog
Step 6 shows the following incorrect ownership and permissions:
# ls -l /var/log/syslog
-rw-r--r-- 1 root root 0 Jan 3 09:19 /var/log/syslog
But should show this instead:
# ls -l /var/log/syslog
-rw-r----- 1 syslog adm 622 Jan 3 09:23 /var/log/syslog
I think the proper solution would be to add the chown capability to rsyslog's Apparmor profile.
More info about the system:
# lsb_release -rd
Description: Ubuntu 12.04.3 LTS
Release: 12.04
# apt-cache policy rsyslog
rsyslog:
Installed: 5.8.6-1ubuntu8.6
Candidate: 5.8.6-1ubuntu8.6
Version table:
*** 5.8.6-1ubuntu8.6 0
500 http://
100 /var/lib/
5.8.6-1ubuntu8 0
500 http://
This bug does not affect Trusty. It is present in at least Precise and Saucy though.
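
A check for the condition described in this report, added here as an example; it is not part of the original report or of the rsyslog package. It tests whether a profile file contains a `capability chown` rule and whether an `ls -l` line shows the `syslog adm` ownership and `-rw-r-----` mode the report expects. The function names are assumptions, and the profile and log paths are supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the bug report. Only the profile file itself is
# inspected; rules pulled in through included abstractions are not followed.

# Exit 0 if the AppArmor profile text in file $1 grants the chown capability.
profile_allows_chown() {
    profile=$1
    result=1                          # 1 = chown not granted
    set -f                            # no globbing while splitting rule lines
    while read -r line; do
        set -- $line                  # comments and commas already removed
        deny=0
        if [ "${1:-}" = "deny" ]; then deny=1; shift; fi
        [ "${1:-}" = "capability" ] || continue
        shift
        if [ $# -eq 0 ]; then set -- chown; fi   # bare "capability," = all
        for cap in "$@"; do
            [ "$cap" = "chown" ] || continue
            # An explicit deny wins over any allow rule.
            if [ "$deny" -eq 1 ]; then result=1; break 2; fi
            result=0
        done
    done <<EOF
$(sed -e 's/#.*//' -e 's/,/ /g' "$profile")
EOF
    set +f
    return "$result"
}

# Exit 0 if the "ls -l" line in $1 shows owner $2, group $3, mode -rw-r-----.
ls_line_ok() {
    want_owner=$2
    want_group=$3
    set -f; set -- $1; set +f         # split the line into its columns
    mode=$(printf '%s' "${1:-}" | cut -c1-10)   # drop any ACL/SELinux marker
    [ "$mode" = "-rw-r-----" ] && [ "${3:-}" = "$want_owner" ] &&
        [ "${4:-}" = "$want_group" ]
}

# Usage: sh check.sh PROFILE_FILE LOG_FILE   (both paths chosen by the caller)
if [ $# -eq 2 ]; then
    profile_allows_chown "$1" ||
        echo "WARN: $1 has no effective 'capability chown' rule"
    ls_line_ok "$(ls -ld "$2")" syslog adm ||
        echo "WARN: $2 is not syslog:adm with mode -rw-r-----"
fi
```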