apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/run/systemd/sessions/"

Bug #2056768 reported by Martin Pitt
This bug affects 5 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| rsyslog (Ubuntu) | Fix Released | Undecided | Andreas Hasenack | |
| Noble | Confirmed | Undecided | Unassigned | |

Bug Description

There is an AppArmor regression in current noble. In cockpit we recently started to test on noble (to prevent the "major regressions after release" fiasco from 23.10 again).

For some weird reason, rsyslog is installed *by default* [1] in the cloud images. That is a rather pointless waste of CPU and disk space, as it's an unnecessary running daemon and duplicates all the written logs.

But more specifically, we noticed [2] an AppArmor rejection. Reproducer is simple:

    logger -p user.emerg --tag check-journal EMERGENCY_MESSAGE

This causes

    type=1400 audit(1710168739.345:108): apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/run/systemd/sessions/" pid=714 comm=72733A6D61696E20513A526567 requested_mask="r" denied_mask="r" fsuid=102 ouid=0

Note that it doesn't actually fail, the "EMERGENCY_MESSAGE" does appear in the journal and also in /var/log/syslog. But it's some noise that triggers our (and presumably other admins') log detectors.

rsyslog 8.2312.0-3ubuntu3
apparmor 4.0.0~alpha4-0ubuntu1

[1] https://cloud-images.ubuntu.com/daily/server/noble/current/noble-server-cloudimg-amd64.manifest
[2] https://cockpit-logs.us-east-1.linodeobjects.com/pull-6048-20240311-125838-b465e9b2-ubuntu-stable-other-cockpit-project-cockpit/log.html#118
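
For triaging records like the one quoted above, this added example (not part of the original report, rsyslog or AppArmor) parses AppArmor DENIED audit lines, decodes the hex-encoded `comm` field and collapses repeats. The function names are hypothetical and the sample lines are constructed in the record format shown in this report.

```python
import re
from collections import Counter

# Constructed sample input, in the record format quoted in this report.
SAMPLE = [
    'type=1400 audit(1710168739.345:108): apparmor="DENIED" operation="open" '
    'class="file" profile="rsyslogd" name="/run/systemd/sessions/" pid=714 '
    'comm=72733A6D61696E20513A526567 requested_mask="r" denied_mask="r" '
    'fsuid=102 ouid=0',
    'hostname kernel: audit: type=1400 audit(1723803925.541:163): '
    'apparmor="DENIED" operation="open" class="file" profile="rsyslogd" '
    'name="/run/systemd/sessions/" pid=2705 comm=72733A6D61696E20513A526567 '
    'requested_mask="r" denied_mask="r" fsuid=101 ouid=0',
    'hostname kernel: __common_interrupt: 5.36 No irq handler for vector',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
STAMP = re.compile(r'audit\((\d+)\.\d+:(\d+)\)')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')


def parse_denial(line):
    """Return the fields of an AppArmor DENIED record as a dict, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, val in KV.findall(line):
        if val.startswith('"'):
            val = val[1:-1]
        elif key in ("comm", "name") and HEX.fullmatch(val):
            # Audit prints these strings unquoted and hex-encoded when they
            # contain spaces or other unsafe bytes.
            val = bytes.fromhex(val).decode("utf-8", "replace")
        fields[key] = val
    stamp = STAMP.search(line)
    if stamp:
        fields["epoch"], fields["serial"] = int(stamp.group(1)), int(stamp.group(2))
    return fields


def summarize(lines):
    """Count denials per (profile, comm, denied_mask, name) to collapse repeats."""
    hits = filter(None, map(parse_denial, lines))
    return Counter((f.get("profile"), f.get("comm"), f.get("denied_mask"),
                    f.get("name")) for f in hits)


if __name__ == "__main__":
    for key, count in summarize(SAMPLE).items():
        print(count, *key)
```

The decoded `comm` value identifies the rsyslogd worker thread that attempted the read, which a raw-string log detector cannot match on without this step.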

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in rsyslog (Ubuntu):
status: New → Confirmed
Jarno P (jarno-p) wrote :

I confirm having the same issue on a baremetal x86_amd64 server running Ubuntu 24.04 LTS (automatic updates on).

syslog gets occasional line pairs like this:

```
2024-08-16T13:25:25.532537+03:00 hostname kernel: __common_interrupt: 5.36 No irq handler for vector
2024-08-16T13:25:25.542460+03:00 hostname kernel: audit: type=1400 audit(1723803925.541:163): apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/run/systemd/sessions/" pid=2705 comm=72733A6D61696E20513A526567 requested_mask="r" denied_mask="r" fsuid=101 ouid=0

...

2024-08-17T05:52:58.123033+03:00 hostname kernel: __common_interrupt: 3.36 No irq handler for vector
2024-08-17T05:52:58.128463+03:00 hostname kernel: audit: type=1400 audit(1723863178.125:165): apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/run/systemd/sessions/" pid=2705 comm=72733A6D61696E20513A526567 requested_mask="r" denied_mask="r" fsuid=101 ouid=0

...

2024-08-19T11:47:28.122187+03:00 hostname kernel: __common_interrupt: 5.37 No irq handler for vector
2024-08-19T11:47:28.126460+03:00 hostname kernel: audit: type=1400 audit(1724057248.124:169): apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/run/systemd/sessions/" pid=2705 comm=72733A6D61696E20513A526567 requested_mask="r" denied_mask="r" fsuid=101 ouid=0

```

The "No irq handler for vector" occurs before every apparmor=DENIED (rsyslog) line, and only then.

## Versions

Package: rsyslog
Architecture: amd64
Version: 8.2312.0-3ubuntu9

Package: apparmor
Architecture: amd64
Version: 4.0.0-beta3-0ubuntu3

Andreas Hasenack (ahasenack) wrote :

And once allowing reading the directory, the contents should also be allowed:

    [Sun Sep 1 16:00:46 2024] audit: type=1400 audit(1724157515.788:5238): apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/run/systemd/sessions/2" pid=1873 comm=72733A6D61696E20513A526567 requested_mask="r" denied_mask="r" fsuid=102 ouid=0

So this is what I came up with:
--- a/debian/usr.sbin.rsyslogd
+++ b/debian/usr.sbin.rsyslogd
@@ -26,6 +26,11 @@ profile rsyslogd /usr/sbin/rsyslogd {
   /etc/rsyslog.d/ r,
   /etc/rsyslog.d/** r,
   /{,var/}run/rsyslogd.pid{,.tmp} rwk,
+
+ # LP: #2056768
+ /{,var/}run/systemd/sessions/ r,
+ /{,var/}run/systemd/sessions/* r,
+
   /var/spool/rsyslog/ r,
   /var/spool/rsyslog/** rwk,
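
Review bot: the comment above the two new rules gives only `# LP: #2056768` and does not say why rsyslogd needs to read this directory; add a few words (the denials in this report are triggered by logging a `user.emerg` message) so the grant can be reassessed later without looking up the bug. The single-level `sessions/*` glob with mask `r` matches the observed denial for `/run/systemd/sessions/2` and is the right scope, so keep it rather than widening to `**`. As shown here, the added lines are indented by one space where the surrounding rules use two; align them with the rest of the profile.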

Changed in rsyslog (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
status: Confirmed → In Progress
tags: added: server-todo
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package rsyslog - 8.2406.0-1ubuntu2

---------------
rsyslog (8.2406.0-1ubuntu2) oracular; urgency=medium

  * d/usr.sbin.rsyslog: add apparmor rule to allow reading systemd sessions
    (LP: #2056768)

 -- Andreas Hasenack <email address hidden> Tue, 20 Aug 2024 09:46:06 -0300

Changed in rsyslog (Ubuntu):
status: In Progress → Fix Released