LinuxQuestions.org
06-22-2012, 02:47 PM   #1
masuch
Member
 
Registered: Sep 2011
Location: /dev/null
Distribution: ubuntu 64bits
Posts: 129

Rep: Reputation: Disabled
usr.sbin.rsyslogd apparmor audit.log /var/rsyslog/work/dbq.00000001 problem


Hi,

I have come across the audit.log file and found errors like the following:
Quote:
type=AVC msg=audit(1340393422.929:28897380): apparmor="ALLOWED" operation="mknod" parent=1 profile="/usr/sbin/rsyslogd" name="/var/rsyslog/work/dbq.00000001" pid=26871 comm=72733A616374696F6E203235207175 requested_mask="c" denied_mask="c" fsuid=101 ouid=101
type=SYSCALL msg=audit(1340393422.929:28897380): arch=c000003e syscall=2 success=no exit=-13 a0=7f77c40008c0 a1=80141 a2=180 a3=1 items=0 ppid=1 pid=26871 auid=4294967295 uid=101 gid=103 euid=101 suid=101 fsuid=101 egid=103 sgid=103 fsgid=103 tty=(none) ses=4294967295 comm=72733A616374696F6E203235207175 exe="/usr/sbin/rsyslogd" key=(null)
I am not sure, but is it correct to fix it by adding the following:
/var/rsyslog/work/** rw,
or
/var/rsyslog/** rw,
into
usr.sbin.rsyslogd ?

thank you,
kind regards,
M.
 
11-04-2012, 08:35 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,285
Blog Entries: 54

Rep: Reputation: 2854
I'd choose "/var/rsyslog/work/** rw" as it's more specific. Note you could also run aa-logprof on the log file (or grep relevant lines to a temporary file) and handle updating /etc/apparmor.d/usr.sbin.rsyslogd interactively.


//NTLB
 
1 members found this post helpful.
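
An added example, not part of the thread: a small parser for the AVC record quoted in the question. It decodes the hex-encoded comm field and derives the narrowest file rule that this single record justifies, which is the per-event decision aa-logprof walks through interactively. The helper names (parse_avc, rule_perms, suggest_rule, describe) are hypothetical, and the rule is only a candidate to review, since later records may show further permissions.

```python
import posixpath
import re

# Constructed input: the AVC record quoted in the question, copied verbatim.
AVC_LINE = (
    'type=AVC msg=audit(1340393422.929:28897380): apparmor="ALLOWED" '
    'operation="mknod" parent=1 profile="/usr/sbin/rsyslogd" '
    'name="/var/rsyslog/work/dbq.00000001" pid=26871 '
    'comm=72733A616374696F6E203235207175 requested_mask="c" '
    'denied_mask="c" fsuid=101 ouid=101'
)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')
# Log mask letters -> profile permissions: create (c) and delete (d)
# are both covered by "w" in profile syntax.
LOG_TO_RULE = {'r': 'r', 'w': 'w', 'c': 'w', 'd': 'w', 'a': 'a',
               'k': 'k', 'l': 'l', 'm': 'm'}
MODES = {'ALLOWED': 'complain', 'DENIED': 'enforce'}

def parse_avc(line):
    """Return the key=value fields of one audit record as a dict."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        value = bare if bare else quoted
        # auditd writes strings containing spaces etc. as unquoted hex.
        if bare and key in ('comm', 'name') and HEX_RE.fullmatch(bare):
            value = bytes.fromhex(bare).decode('utf-8', 'replace')
        fields[key] = value
    return fields

def rule_perms(mask):
    """Map a log mask to rule permissions; 'x' is unmapped and raises KeyError."""
    perms = {LOG_TO_RULE[ch] for ch in mask}
    return ''.join(p for p in 'rwaklm' if p in perms)

def suggest_rule(fields, recursive=False):
    """Candidate rule scoped to the directory of the logged path."""
    directory = posixpath.dirname(fields['name'])
    glob = '**' if recursive else '*'  # * stays in one directory, ** descends
    return '%s/%s %s,' % (directory, glob, rule_perms(fields['denied_mask']))

def describe(line):
    f = parse_avc(line)
    return {'profile': f['profile'], 'comm': f['comm'],
            'mode': MODES.get(f['apparmor'], 'other'), 'rule': suggest_rule(f)}

if __name__ == '__main__':
    print(describe(AVC_LINE))
```

The "complain" result reflects apparmor="ALLOWED" in the record: the profile logged the access rather than blocking it.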
11-05-2012, 09:07 AM   #3
masuch
Member
 
Registered: Sep 2011
Location: /dev/null
Distribution: ubuntu 64bits
Posts: 129

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn
I'd choose "/var/rsyslog/work/** rw" as it's more specific. Note you could also run aa-logprof on the log file (or grep relevant lines to a temporary file) and handle updating /etc/apparmor.d/usr.sbin.rsyslogd interactively.


//NTLB
thanks for aa-logprof
Tags
apparmor, rsyslog