add disabled by default apparmor profile

Bug #914820 reported by Jamie Strandboge
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
rsyslog (Ubuntu)
Fix Released
Wishlist
Jamie Strandboge
Precise
Fix Released
Wishlist
Jamie Strandboge

Bug Description

Rsyslog is a daemon installed on all Ubuntu systems and processes unfiltered input. While it has a solid design, it would be nice if we could provide an AppArmor profile for it that people can opt into. The profile can be enabled in the normal way 'sudo aa-enforce /etc/apparmor.d/usr.sbin.rsyslogd' and is expected to work in the default installation.

While it would be very desirable to turn this on by default in the future, I don't think we should for 12.04 since getting the profile wrong would result in no logging outout. Also, rsyslog is difficult to maintain because it is highly configurable, however the default profile should cover many use cases when writing files in /var/log.

Related branches

Changed in rsyslog (Ubuntu Precise):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Wishlist
milestone: none → precise-alpha-2
status: New → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package rsyslog - 5.8.6-1ubuntu5

---------------
rsyslog (5.8.6-1ubuntu5) precise; urgency=low

  * Add disabled by default AppArmor profile (LP: #914820)
    - debian/rsyslog.upstart: add pre-start stanza to load profile
    - add debian/usr.sbin.rsyslogd profile
    - debian/rules: use dh_apparmor to install profile before rsyslog is
      restarted
    - debian/control: suggests apparmor (>= 2.3)
    - debian/rsyslog.install: install profile to /etc/apparmor.d
    - debian/rsyslog.dirs: install /etc/apparmor.d/force-complain,
      and /etc/apparmor.d/disable
    - debian/rsyslog.preinst: disable profile on clean install or upgrades
      from earlier than when we shipped the profile
 -- Jamie Strandboge <email address hidden> Wed, 11 Jan 2012 17:10:41 +0100

Changed in rsyslog (Ubuntu Precise):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.