Accepting request 241312 from home:jsegitz:rsyslog_apparmor

- Preliminary AppArmor support. Since those profiles need to be tested properly they'll live in /etc/apparmor/profiles/extras. - Added rsyslog-pid-file.patch to fix a regression that causes the pid file to be created in /etc OBS-URL: https://build.opensuse.org/request/show/241312 OBS-URL: https://build.opensuse.org/package/show/Base:System/rsyslog?expand=0&rev=194
2014-07-21 13:08:22 +00:00 · 2014-07-21 13:08:22 +00:00 · 3b25bc6d63
commit 3b25bc6d63
parent f5c79cf5c7
11 changed files with 158 additions and 1 deletions
--- a/3
+++ b/3
@ -0,0 +1,3 @@
+  # rsyslog-module-gssapi
+  # couldn't test because not kerberos server is available
+  # but it shouldn't require any special permissions anyhow
--- a/4
+++ b/4
@ -0,0 +1,4 @@
+  # for logging via TLS (rsyslog-module-gtls)
+  # keys/certificates need to be located under /etc/rsyslog.d or permissions need to be adjusted here
+  # rsyslog tries to write to the certificates for no reason, so deny this quietly
+  deny /etc/rsyslog.d/* w,
--- a/6
+++ b/6
@ -0,0 +1,6 @@
+  # for logging to mysql DB (rsyslog-module-mysql)
+  #include <abstractions/mysql>
+  #include <abstractions/p11-kit>
+  /etc/my.cnf r,
+  /etc/my.cnf.d/ r,
+  /etc/my.cnf.d/default_plugins.cnf r,
--- a/1
+++ b/1
@ -0,0 +1 @@
+  # for logging to postgresql (rsyslog-module-pgsql)
--- a/1
+++ b/1
@ -0,0 +1 @@
+  # for logging via relp (rsyslog-module-relp)
--- a/7
+++ b/7
@ -0,0 +1,7 @@
+  # for logging to (rsyslog-module-snmp)
+  #include <abstractions/wutmp>
+  /proc/uptime r,
+  /usr/share/snmp/mibs/ r,
+  /usr/share/snmp/mibs/*.txt r,
+  /var/lib/net-snmp/mib_indexes/ rw,
+  /var/lib/net-snmp/mib_indexes/* rw,
--- a/3
+++ b/3
@ -0,0 +1,3 @@
+  # for logging with omudpspoof (rsyslog-module-udpspoof)
+  capability net_raw,
+  network inet raw,
--- a/rsyslog-pid-file.patch
+++ b/rsyslog-pid-file.patch
@ -0,0 +1,27 @@
+Index: rsyslog-8.2.2/tools/syslogd.c
+===================================================================
+--- rsyslog-8.2.2.orig/tools/syslogd.c
+++ rsyslog-8.2.2/tools/syslogd.c
+@@ -133,19 +133,14 @@ rsRetVal rsyslogdInit(void);
+ void rsyslogdDebugSwitch();
+ void rsyslogdDoDie(int sig);
+ 
+-
+-#if defined(SYSLOGD_PIDNAME)
+-#	undef _PATH_LOGPID
+-#	define _PATH_LOGPID "/etc/" SYSLOGD_PIDNAME
+-#else
+-#	ifndef _PATH_LOGPID
+-#		define _PATH_LOGPID "/etc/rsyslogd.pid"
+-#	endif
+#ifndef _PATH_LOGPID                                                                                                              
+# define _PATH_LOGPID "/var/run/rsyslogd.pid"  
+ #endif
+ 
+ #ifndef _PATH_TTY
+ #	define _PATH_TTY	"/dev/tty"
+ #endif
+
+ char	*PidFile = _PATH_LOGPID; /* read-only after startup */
+ 
+ int bHadHUP = 0; 	/* did we have a HUP? */
--- a/rsyslog.changes
+++ b/rsyslog.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Jul 16 15:17:34 UTC 2014 - jsegitz@suse.com
+
+- Preliminary AppArmor support. Since those profiles need to be tested
+  properly they'll live in /etc/apparmor/profiles/extras.
+- Added rsyslog-pid-file.patch to fix a regression that causes the pid
+  file to be created in /etc
+
 -------------------------------------------------------------------
 Wed Jun  4 19:40:26 UTC 2014 - andreas.stieger@gmx.de

--- a/rsyslog.spec
+++ b/rsyslog.spec
@ -41,7 +41,7 @@ Release:        0
 %else
 %bcond_with     journal
 %endif
-%bcond_with  gssapi
+%bcond_with     gssapi
 %bcond_without  gnutls
 %bcond_without  gcrypt
 %bcond_without  guardtime
@ -172,8 +172,27 @@ Source1:        rsyslog.sysconfig
 Source2:        rsyslog.conf.in
 Source4:        rsyslog.d.remote.conf.in
 Source5:        rsyslog-service-prepare.in
+Source6:        usr.sbin.rsyslogd
+Source7:        module-gssapi
+Source8:        module-gtls
+Source9:        module-mysql
+Source10:       module-pgsql
+Source11:       module-relp
+Source12:       module-snmp
+Source13:       module-udpspoof
+
 # PATCH-FIX-OPENSUSE rsyslog-unit.patch crrodriguez@opensuse.org Customize upstream systemd unit for openSUSE needs.
 Patch0:         rsyslog-unit.patch
+# PATCH-FIX-UPSTREAM rsyslog-pid-file.patch jsegitz@suse.com Fixes https://github.com/rsyslog/rsyslog/issues/86, can probably be removed after 8.2.2
+Patch1:         rsyslog-pid-file.patch
+
+# this is a dirty hack since % dir does only work for the specified directory and nothing above
+# but I want to be able to switch this to /etc/apparmor.d once the profiles received more testing
+%define APPARMOR_PROFILE_PATH /etc/apparmor/profiles/extras
+%define APPARMOR_PROFILE_PATH_DIR_COMMANDS %dir /etc/apparmor/ \
+                                           %dir /etc/apparmor/profiles \
+                                           %dir /etc/apparmor/profiles/extras \
+                                           %dir /etc/apparmor/profiles/extras/rsyslog.d

 %description
 Rsyslog is an enhanced multi-threaded syslogd supporting, among others,
@ -450,6 +469,7 @@ This module provides support for ZeroMQ.
 %prep
 %setup -q -n %{name}-%{upstream_version}
 %patch0 -p1
+%patch1 -p1
 #
 %if %{with systemd}
 for file in rsyslog-service-prepare; do
@ -677,6 +697,29 @@ install -m644 plugins/ompgsql/createDB.sql \
 install -d -m0755 %{buildroot}%{rsyslog_rundir}
 touch %{buildroot}%{rsyslog_sockets_cfg}
 chmod 644 %{buildroot}%{rsyslog_sockets_cfg}
+mkdir -p %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
+install -m0640 %{SOURCE6} %{buildroot}%{APPARMOR_PROFILE_PATH}/
+%if %{with gssapi}
+  install -m0640 %{SOURCE7} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
+%endif
+%if %{with gnutls}
+  install -m0640 %{SOURCE8} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
+%endif
+%if %{with mysql}
+  install -m0640 %{SOURCE9} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
+%endif
+%if %{with pgsql}
+  install -m0640 %{SOURCE10} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
+%endif
+%if %{with relp}
+  install -m0640 %{SOURCE11} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
+%endif
+%if %{with snmp}
+  install -m0640 %{SOURCE12} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
+%endif
+%if %{with udpspoof}
+  install -m0640 %{SOURCE13} %{buildroot}%{APPARMOR_PROFILE_PATH}/rsyslog.d/
+%endif

 %clean
 if [ -n "%{buildroot}" ] && [ "%{buildroot}" != "/" ] ; then
@ -883,6 +926,8 @@ fi
 %{_unitdir}/rsyslog.service
 %{_sbindir}/rc%{name}
 %endif
+%{APPARMOR_PROFILE_PATH_DIR_COMMANDS}
+%config %{APPARMOR_PROFILE_PATH}/usr.sbin.rsyslogd

 %if %{with diagtools}

@ -901,6 +946,7 @@ fi
 %{rsyslog_module_dir_withdeps}/omgssapi.so
 %{rsyslog_module_dir_withdeps}/imgssapi.so
 %{rsyslog_module_dir_withdeps}/lmgssutil.so
+%config  %{APPARMOR_PROFILE_PATH}/rsyslog.d/module-gssapi
 %endif

 %if %{with mysql}
@ -909,6 +955,7 @@ fi
 %defattr(-,root,root)
 %doc %{rsyslogdocdir}/mysql-createDB.sql
 %{rsyslog_module_dir_withdeps}/ommysql.so
+%config %{APPARMOR_PROFILE_PATH}/rsyslog.d/module-mysql
 %endif

 %if %{with pgsql}
@ -917,6 +964,7 @@ fi
 %defattr(-,root,root)
 %doc %{rsyslogdocdir}/pgsql-createDB.sql
 %{rsyslog_module_dir_withdeps}/ompgsql.so
+%config %{APPARMOR_PROFILE_PATH}/rsyslog.d/module-pgsql
 %endif

 %if %{with dbi}
@ -932,6 +980,7 @@ fi
 %defattr(-,root,root)
 %{rsyslog_module_dir_withdeps}/omsnmp.so
 %{rsyslog_module_dir_nodeps}/mmsnmptrapd.so
+%config %{APPARMOR_PROFILE_PATH}/rsyslog.d/module-snmp
 %endif

 %if %{with gnutls}
@ -939,6 +988,7 @@ fi
 %files module-gtls
 %defattr(-,root,root)
 %{rsyslog_module_dir_withdeps}/lmnsd_gtls.so
+%config %{APPARMOR_PROFILE_PATH}/rsyslog.d/module-gtls
 %endif

 %if %{with relp}
@ -947,6 +997,7 @@ fi
 %defattr(-,root,root)
 %{rsyslog_module_dir_withdeps}/imrelp.so
 %{rsyslog_module_dir_withdeps}/omrelp.so
+%config %{APPARMOR_PROFILE_PATH}/rsyslog.d/module-relp
 %endif

 %if %{with mmnormalize}
@ -963,6 +1014,7 @@ fi
 %files module-udpspoof
 %defattr(-,root,root)
 %{rsyslog_module_dir_nodeps}/omudpspoof.so
+%config %{APPARMOR_PROFILE_PATH}/rsyslog.d/module-udpspoof
 %endif

 %if %{with elasticsearch}
--- a/usr.sbin.rsyslogd
+++ b/usr.sbin.rsyslogd
@ -0,0 +1,45 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2014 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/sbin/rsyslogd {
+  #include <abstractions/base>
+  #include <abstractions/consoles>
+  # general networking is allowed here
+  #include <abstractions/nameservice>
+
+  capability block_suspend,
+  capability dac_override,
+  capability sys_nice,
+  capability sys_tty_config,
+  capability syslog,
+
+  /dev/tty* w,
+  /dev/xconsole rw,
+
+  /etc/rsyslog.conf r,
+  /etc/rsyslog.d/ r,
+  /etc/rsyslog.d/* r,
+
+  /usr/lib{,32,64}/rsyslog/* mr,
+  /usr/sbin/rsyslogd mr,
+
+  /var/log/** rw,
+
+  /proc/kmsg r,
+
+  /{var/,}run/rsyslog/* r,
+  /{var/,}run/rsyslogd.pid rwk,
+  /{var/,}run/systemd/journal/syslog w,
+
+  # include rules for rsyslog-module-* packages
+  #include <rsyslog.d>
+}
				`@ -0,0 +1 @@`
				`# for logging to postgresql (rsyslog-module-pgsql)`
				`@ -0,0 +1 @@`
				`# for logging via relp (rsyslog-module-relp)`