add disabled by default apparmor profile
Bug #914820 reported by Jamie Strandboge
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
rsyslog (Ubuntu) | Fix Released | Wishlist | Jamie Strandboge | |
Precise | Fix Released | Wishlist | Jamie Strandboge | |
Bug Description
Rsyslog is a daemon installed on all Ubuntu systems and processes unfiltered input. While it has a solid design, it would be nice if we could provide an AppArmor profile for it that people can opt into. The profile can be enabled in the normal way 'sudo aa-enforce /etc/apparmor.
While it would be very desirable to turn this on by default in the future, I don't think we should for 12.04 since getting the profile wrong would result in no logging output. Also, rsyslog is difficult to maintain because it is highly configurable; however, the default profile should cover many use cases when writing files in /var/log.
Changed in rsyslog (Ubuntu Precise):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Wishlist
milestone: none → precise-alpha-2
status: New → In Progress
This bug was fixed in the package rsyslog - 5.8.6-1ubuntu5
---------------
rsyslog (5.8.6-1ubuntu5) precise; urgency=low
  * Add disabled by default AppArmor profile (LP: #914820)
    - debian/rsyslog.upstart: add pre-start stanza to load profile
    - add debian/usr.sbin.rsyslogd profile
    - debian/rules: use dh_apparmor to install profile before rsyslog is
      restarted
    - debian/control: suggests apparmor (>= 2.3)
    - debian/rsyslog.install: install profile to /etc/apparmor.d
    - debian/rsyslog.dirs: install /etc/apparmor.d/force-complain
      and /etc/apparmor.d/disable
    - debian/rsyslog.preinst: disable profile on clean install or upgrades
      from earlier than when we shipped the profile
-- Jamie Strandboge <email address hidden> Wed, 11 Jan 2012 17:10:41 +0100
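
A check for the opt-in state this upload sets up, as an added example that is not part of the bug report or the rsyslog packaging: it reads the `disable/` and `force-complain/` directories named in the changelog and reports whether a profile is disabled, in complain mode, or enforced on disk. The function name `profile_state` and its optional directory argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the rsyslog package): report the on-disk AppArmor
# state of a profile, using the directory layout named in the changelog.

profile_state() {
    # $1 = profile file name, e.g. usr.sbin.rsyslogd
    # $2 = AppArmor config directory (assumed default: /etc/apparmor.d)
    name=$1
    dir=${2:-/etc/apparmor.d}

    if [ ! -f "$dir/$name" ]; then
        # Profile was never installed.
        echo absent
    elif [ -e "$dir/disable/$name" ] || [ -L "$dir/disable/$name" ]; then
        # A link in disable/ means the profile is skipped at load time;
        # -L also catches a dangling symlink.
        echo disabled
    elif [ -e "$dir/force-complain/$name" ] || [ -L "$dir/force-complain/$name" ]; then
        # A link in force-complain/ loads the profile in complain mode.
        echo complain
    elif grep -v '^[[:space:]]*#' "$dir/$name" | grep -Eq 'flags=\([^)]*complain'; then
        # The profile itself carries the complain flag.
        echo complain
    else
        echo enforce
    fi
}

# Stand-alone use: sh profile_state.sh usr.sbin.rsyslogd [config-dir]
if [ "$#" -gt 0 ]; then
    profile_state "$@"
fi
```

This reflects only what is configured on disk; `aa-status` shows which profiles the kernel has actually loaded.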