AppArmor profile prevents use of TLS keys and certificates

Bug #2072702 reported by Orion-cora
Affects: rsyslog (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

I'm trying to use the following configuration:

# certificate files
$DefaultNetstreamDriverCAFile /etc/ipa/ca.crt
$DefaultNetstreamDriverCertFile /etc/ssl/certs/FQDN.crt
$DefaultNetstreamDriverKeyFile /etc/ssl/private/FQDN.key

But AppArmor prevents the loading of /etc/ipa/ca.crt and the key file.

I think rsyslog-gnutls should allow reading the key file.

But perhaps /etc/ipa/ca.crt needs to be added to /etc/apparmor.d/abstractions/ssl_certs which is in the apparmor package.

Version 8.2312.0-3ubuntu9

Simon Déziel (sdeziel) wrote:

@Orion, /etc/ipa isn't a standard location. I think you'd be better off either adding a local override in /etc/apparmor.d/local/usr.sbin.rsyslogd or maybe putting the CA file somewhere under /etc/rsyslog.d/. The latter path is already something the rsyslogd profile allows reading.

Andreas Hasenack (ahasenack) wrote:

Note also the README.apparmor[1] explanation. Packages can also install apparmor profile snippets in /etc/apparmor.d/rsyslog.d. If the default of the freeipa package (or whatever produced /etc/ipa/ca.crt) is to place certificate and keys in /etc/ipa, maybe it could ship such a profile snippet.

1. https://git.launchpad.net/ubuntu/+source/rsyslog/tree/debian/README.apparmor
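Both suggestions above (a site-local override in /etc/apparmor.d/local/usr.sbin.rsyslogd, or a package-shipped snippet in /etc/apparmor.d/rsyslog.d) come down to writing a few AppArmor file rules and reloading the profile. The script below is an added example and is not code from the bug report, from either commenter, or from the rsyslog or apparmor packages. It reads the kernel's AppArmor DENIED audit lines, keeps only those for the rsyslogd profile, and emits one read-only allow rule per distinct denied path, refusing to grant anything beyond "r" (a TLS key file must never become writable by the daemon). Assumptions: the profile name "rsyslogd", the audit lines (constructed here to match the kernel's audit format, not captured from a host), and the override path are all hypothetical for the demo; the reload command apparmor_parser -r is the real tool.

```shell
#!/bin/sh
# Added example, not from the bug report or the rsyslog/apparmor packages.
# Turn AppArmor DENIED audit lines into read-only allow rules for a local
# profile override. The sample lines below are CONSTRUCTED to match the
# kernel's audit format; nothing here was captured from a real host.

# Constructed sample of what `journalctl -k` / dmesg shows for this bug,
# plus a denial for another profile and one write denial, both of which
# must NOT turn into rsyslogd read rules.
SAMPLE_DENIALS='audit: type=1400 audit(1718000000.101:201): apparmor="DENIED" operation="open" profile="rsyslogd" name="/etc/ipa/ca.crt" pid=1234 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1718000000.102:202): apparmor="DENIED" operation="open" profile="rsyslogd" name="/etc/ssl/private/FQDN.key" pid=1234 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1718000000.103:203): apparmor="DENIED" operation="open" profile="rsyslogd" name="/etc/ipa/ca.crt" pid=1234 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1718000000.104:204): apparmor="DENIED" operation="open" profile="rsyslogd" name="/etc/ssl/private/FQDN.key" pid=1234 comm="rsyslogd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1718000000.105:205): apparmor="DENIED" operation="open" profile="cupsd" name="/etc/cups/printers.conf" pid=99 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# rules_from_denials PROFILE < audit-lines
# Emit "  <path> r," once per distinct denied path for PROFILE. Only a pure
# read mask is granted; any other mask is reported on stderr for a human to
# review instead of being allowed blindly (e.g. a key file denied for "w").
rules_from_denials() {
    profile="$1"
    grep 'apparmor="DENIED"' | grep "profile=\"$profile\"" |
    sed -n 's/.* name="\([^"]*\)".* denied_mask="\([^"]*\)".*/\1 \2/p' |
    sort -u |
    while read -r path mask; do
        case "$mask" in
            r) printf '  %s r,\n' "$path" ;;
            *) printf 'skip %s (denied_mask=%s needs review)\n' "$path" "$mask" >&2 ;;
        esac
    done
}

# write_override FILE PROFILE < audit-lines
# Append the generated rules to FILE. FILE is the local override
# (/etc/apparmor.d/local/usr.sbin.rsyslogd) or a snippet under
# /etc/apparmor.d/rsyslog.d; the rule syntax is the same for both.
write_override() {
    out="$1"; profile="$2"
    rules=$(rules_from_denials "$profile")
    [ -n "$rules" ] || { echo "no read denials found for $profile" >&2; return 1; }
    {
        echo "# Site-local additions for $profile, generated from AppArmor denials"
        echo "$rules"
    } >> "$out"
}

# Demo against a scratch file. On a real host, write to
# /etc/apparmor.d/local/usr.sbin.rsyslogd and reload with:
#   sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.rsyslogd
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_DENIALS" | write_override "$demo_dir/usr.sbin.rsyslogd" rsyslogd
cat "$demo_dir/usr.sbin.rsyslogd"
```

After reloading, re-run the rsyslog TLS test and check `journalctl -k | grep DENIED` again: an empty result for profile="rsyslogd" confirms the override took effect, and the "skip" lines on stderr are the denials you deliberately did not grant.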
