[apparmor] missing 'mr' on binary for usage on containers

Bug #1827253 reported by Simon Déziel on 2019-05-01
This bug affects 1 person
Affects: rsyslog (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Issue description:

Enabling the rsyslog (disabled by default) Apparmor profile causes rsyslog to fail to start when running *inside a container*.

Steps to reproduce:

1) Create a 'eoan' container called rs1 here:
  lxc launch ubuntu-daily:e rs1
2) Enter the container
  lxc shell rs1
3) Enable apparmor profile
  rm /etc/apparmor.d/disable/usr.sbin.rsyslogd
  apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.rsyslogd
  systemctl restart rsyslog
4) notice rsyslog failed to start
  systemctl status rsyslog

Workaround:

  echo ' /usr/sbin/rsyslogd mr,' >> /etc/apparmor.d/local/usr.sbin.rsyslogd
  apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.rsyslogd
  systemctl restart rsyslog

Additional information:

root@rs1:~# uname -a
Linux rs1 4.15.0-48-generic #51-Ubuntu SMP Wed Apr 3 08:28:49 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
root@rs1:~# lsb_release -rd
Description: Ubuntu Eoan EANIMAL (development branch)
Release: 19.10
root@rs1:~# dpkg -l| grep -wE 'apparmor|rsyslog'
ii apparmor 2.13.2-9ubuntu6 amd64 user-space parser utility for AppArmor
ii rsyslog 8.32.0-1ubuntu7 amd64 reliable system and kernel logging daemon

ProblemType: Bug
DistroRelease: Ubuntu 19.10
Package: rsyslog 8.32.0-1ubuntu7
ProcVersionSignature: Ubuntu 4.15.0-48.51-generic 4.15.18
Uname: Linux 4.15.0-48-generic x86_64
ApportVersion: 2.20.10-0ubuntu27
Architecture: amd64
Date: Wed May 1 17:36:29 2019
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: rsyslog
UpgradeStatus: No upgrade log present (probably fresh install)
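
To confirm that the start failure is the profile denying access to its own binary, and to derive the local override rule from the denials, the check below is an added example and not part of the original report. The log lines are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample kernel log lines (not taken from the bug report).
sample_log() {
cat <<'EOF'
audit: type=1400 audit(1556732189.101:201): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-rs1_<var-lib-lxd>" profile="/usr/sbin/rsyslogd" name="/usr/sbin/rsyslogd" pid=812 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1556732189.102:202): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-rs1_<var-lib-lxd>" profile="/usr/sbin/rsyslogd" name="/usr/sbin/rsyslogd" pid=812 comm="rsyslogd" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
audit: type=1400 audit(1556732190.001:203): apparmor="DENIED" operation="open" profile="/usr/sbin/rsyslogd" name="/srv/example/app.log" pid=812 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1556732191.001:204): apparmor="ALLOWED" operation="open" profile="/usr/sbin/rsyslogd" name="/usr/sbin/rsyslogd" pid=812 comm="rsyslogd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
EOF
}

# Read AppArmor audit lines on stdin and print the union of denied
# permissions for denials where the profile ($1) was refused access
# to its own binary (profile == name). Prints an empty line if none.
self_denied_mask() {
    awk -v prof="$1" '
        # Return the value of key="value" in the current line, or "".
        # The leading space keeps name= from matching namespace=.
        function field(key,   m, s) {
            s = " " $0
            m = index(s, " " key "=\"")
            if (!m) return ""
            s = substr(s, m + length(key) + 3)
            return substr(s, 1, index(s, "\"") - 1)
        }
        field("apparmor") == "DENIED" && field("profile") == prof && field("name") == prof {
            mask = field("denied_mask")
            for (i = 1; i <= length(mask); i++) seen[substr(mask, i, 1)] = 1
        }
        END {
            out = ""
            n = split("k l m r w x", order, " ")   # fixed order, stable output
            for (i = 1; i <= n; i++) if (order[i] in seen) out = out order[i]
            print out
        }'
}

# Print the rule to append to the profile's local override file,
# or return 1 when the log shows no denial on the binary itself.
suggest_local_rule() {
    mask=$(self_denied_mask "$1")
    [ -n "$mask" ] || return 1
    printf ' %s %s,\n' "$1" "$mask"
}

sample_log | suggest_local_rule /usr/sbin/rsyslogd
```

On a real system, pipe the kernel log of the machine that recorded the denials into `suggest_local_rule` in place of `sample_log`, and review the printed rule before adding it to the local override.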


Simon Déziel (sdeziel) wrote :
tags: added: server-next
Changed in rsyslog (Ubuntu):
status: New → In Progress

This actually is a perfect bug:
- simple case
- solution on a silver plate
- only changing d/* content
- already ubuntu Delta

I feel bad that this hung around so long, but today I saw it and gave it a review.
This is building in Eoan now.

On 2019-07-03 10:47 a.m., Christian Ehrhardt  wrote:
> I feel bad that this hung around so long, but today I saw it and gave it a review.
> This is building in Eoan now.

No worries for the delay, I know where to find you if something more
critical is taking too long to my taste ;) Thank you Christian!

Regards,
Simon

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package rsyslog - 8.1901.0-1ubuntu2

---------------
rsyslog (8.1901.0-1ubuntu2) eoan; urgency=medium

  [ Simon Deziel ]
  * d/usr.sbin.rsyslogd: allow reading/mmap'ing rsyslog binary
    This is required for usage inside containers (LP: #1827253)

 -- Christian Ehrhardt <email address hidden> Wed, 03 Jul 2019 16:34:41 +0200

Changed in rsyslog (Ubuntu):
status: In Progress → Fix Released