LinuxQuestions.org


masuch 06-22-2012 02:47 PM

usr.sbin.rsyslogd apparmor audit.log /var/rsyslog/work/dbq.00000001 problem
 
Hi,

I have come across the audit.log file and found errors like the following:
Quote:

type=AVC msg=audit(1340393422.929:28897380): apparmor="ALLOWED" operation="mknod" parent=1 profile="/usr/sbin/rsyslogd" name="/var/rsyslog/work/dbq.00000001" pid=26871 comm=72733A616374696F6E203235207175 requested_mask="c" denied_mask="c" fsuid=101 ouid=101
type=SYSCALL msg=audit(1340393422.929:28897380): arch=c000003e syscall=2 success=no exit=-13 a0=7f77c40008c0 a1=80141 a2=180 a3=1 items=0 ppid=1 pid=26871 auid=4294967295 uid=101 gid=103 euid=101 suid=101 fsuid=101 egid=103 sgid=103 fsgid=103 tty=(none) ses=4294967295 comm=72733A616374696F6E203235207175 exe="/usr/sbin/rsyslogd" key=(null)
I am not sure, but is it correct to fix it by adding the following:
/var/rsyslog/work/** rw,
or
/var/rsyslog/** rw,
into
usr.sbin.rsyslogd ?

thank you,
kind regards,
M.

unSpawn 11-04-2012 08:35 AM

I'd choose "/var/rsyslog/work/** rw" as it's more specific. Note you could also run aa-logprof on the log file (or grep relevant lines to a temporary file) and handle updating /etc/apparmor.d/usr.sbin.rsyslogd interactively.


//NTLB
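
The log-review step suggested above (pulling the relevant AppArmor lines out of audit.log before deciding on a rule), as an added Python example that is not part of the thread: it parses the quoted AVC record, decodes the hex-encoded comm field, and derives the narrowest file rule that the record itself justifies. The function names and the mask-to-permission table are this example's own; the sample log is the record from the first post with the SYSCALL line abridged.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC record from the first post; SYSCALL line abridged.
SAMPLE_LOG = '''type=AVC msg=audit(1340393422.929:28897380): apparmor="ALLOWED" operation="mknod" parent=1 profile="/usr/sbin/rsyslogd" name="/var/rsyslog/work/dbq.00000001" pid=26871 comm=72733A616374696F6E203235207175 requested_mask="c" denied_mask="c" fsuid=101 ouid=101
type=SYSCALL msg=audit(1340393422.929:28897380): arch=c000003e syscall=2 success=no exit=-13 ppid=1 pid=26871 uid=101 comm=72733A616374696F6E203235207175 exe="/usr/sbin/rsyslogd" key=(null)
'''

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# String fields that audit writes as bare hex when they contain spaces or
# other special characters (numeric fields such as pid must not be decoded).
HEX_FIELDS = {"comm", "name", "profile"}
# Logged masks -> profile permissions. Create (c) and delete (d) are both
# granted by "w". Exec (x) is left out: it needs a transition qualifier.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "k": "k", "l": "l", "m": "m"}

def parse_record(line):
    """Return the key=value fields of one audit record as a dict."""
    rec = {}
    for key, raw, quoted in FIELD.findall(line):
        if raw.startswith('"'):
            rec[key] = quoted
        elif key in HEX_FIELDS and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
            rec[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            rec[key] = raw
    return rec

def apparmor_file_events(log_text, profile):
    """Map each path logged for `profile` to the permissions it asked for."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if "apparmor" not in rec or rec.get("profile") != profile or "name" not in rec:
            continue
        for mask in rec.get("requested_mask", ""):
            needed[rec["name"]].add(MASK_TO_PERM.get(mask, "?"))  # "?" = review by hand
    return {path: "".join(sorted(perms)) for path, perms in needed.items()}

def candidate_rules(events):
    """One exact-path rule per logged file; widening to a glob is a manual choice."""
    return [f"  {path} {perms}," for path, perms in sorted(events.items())]

if __name__ == "__main__":
    events = apparmor_file_events(SAMPLE_LOG, "/usr/sbin/rsyslogd")
    print("\n".join(candidate_rules(events)))
```

Whether to widen the exact path to /var/rsyslog/work/** remains a manual decision; aa-logprof asks the same question interactively.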

masuch 11-05-2012 09:07 AM

Quote:

Originally Posted by unSpawn (Post 4821905)
I'd choose "/var/rsyslog/work/** rw" as it's more specific. Note you could also run aa-logprof on the log file (or grep relevant lines to a temporary file) and handle updating /etc/apparmor.d/usr.sbin.rsyslogd interactively.


//NTLB

thanks for aa-logprof

