[SOLVED] usr.sbin.rsyslogd apparmor audit.log /var/rsyslog/work/dbq.00000001 problem

masuch · 06-22-2012, 02:47 PM

Hi,

I have came across audit.log file and found out errors like following:

Quote:

type=AVC msg=audit(1340393422.929:28897380): apparmor="ALLOWED" operation="mknod" parent=1 profile="/usr/sbin/rsyslogd" name="/var/rsyslog/work/dbq.00000001" pid=26871 comm=72733A616374696F6E203235207175 requested_mask="c" denied_mask="c" fsuid=101 ouid=101
type=SYSCALL msg=audit(1340393422.929:28897380): arch=c000003e syscall=2 success=no exit=-13 a0=7f77c40008c0 a1=80141 a2=180 a3=1 items=0 ppid=1 pid=26871 auid=4294967295 uid=101 gid=103 euid=101 suid=101 fsuid=101 egid=103 sgid=103 fsgid=103 tty=(none) ses=4294967295 comm=72733A616374696F6E203235207175 exe="/usr/sbin/rsyslogd" key=(null)

I am not sure but is it correct fix it by adding following:
/var/rsyslog/work/** rw,
or
/var/rsyslog/** rw,
into
usr.sbin.rsyslogd ?

thank you,
kind regards,
M.

unSpawn · 11-04-2012, 08:35 AM

I'd choose "/var/rsyslog/work/** rw" as it's more specific. Note you could also run aa-logprof on the log file (or grep relevant lines to a temporary file) and handle updating /etc/apparmor.d/usr.sbin.rsyslogd interactively.

//NTLB

masuch · 11-05-2012, 09:07 AM

Quote:

Originally Posted by unSpawn

I'd choose "/var/rsyslog/work/** rw" as it's more specific. Note you could also run aa-logprof on the log file (or grep relevant lines to a temporary file) and handle updating /etc/apparmor.d/usr.sbin.rsyslogd interactively.

//NTLB

thanks for aa-logprof