Question

Can I use AppArmor with syslog-ng?

Answer

Yes, with some limitations. Those Linux distributions, which have AppArmor enabled, have also a profile for syslog-ng, which covers the syslog-ng version and configuration included in the distribution. What it means in practice, that syslog-ng installed from distribution sources and using default configuration works fine, and enjoys AppArmor protection. As soon as one starts to change syslog-ng.conf it is easy to run into problems. AppArmor protection is based on directory and file names. If syslog-ng is not installed to the distribution default location, usually ''/sbin/syslog-ng'', then syslog-ng is not protected / limited by AppArmor.

Modifying AppArmor settings

AppArmor settings for different applications are stored in so called ''profiles''. These can usually be found in the directory called ''/etc/apparmor.d/''. Profile names are derived from from path and application names, just slashes are replaced by dots. So for syslog-ng it is usually ''sbin.syslog-ng''. It has usually some comments and copyright info at top, then some includes, capabilities and then access control to files and directories. This is where additional entries should be added, if log files outside of /var/log should be read or written by syslog-ng. For example to write logs to ''/opt/myapp/logs/iwantlogshere.log'' add the following line: /opt/myapp/logs/iwantlogshere.log rw, Or if only read-only access is necessary, as the file is read by syslog-ng, processed and forwarded somewhere, then replace '''rw''' with '''r'''. Once a profile is modified, AppArmor should be restarted. There are some advanced syslog-ng features, for which it is quite difficult to add AppArmor protection. A prime example is the program() destination, where the called application either runs unprotected or a separate profile needs to be created. Calling external applications is tested to work with AppArmor v2.5 but did not work at all with version 2.3. See ''man apparmor.d'' for details on different execution permissions.

Protecting .run OSE (and PE) installs

It is also possible to protect OSE and PE .run installs with AppArmor. It has the same limitations as the profile in the base system: it only covers a basic configuration which might need to be modified for advanced setups. The following example configuration was tested on openSUSE 11.4 with syslog-ng OSE 3.1.4 .run installer. It is derived from the base syslog-ng profile, but modified to be used with the .run installed syslog-ng. It needs to be placed in the ''/etc/apparmor.d/'' directory under the name ''opt.syslog-ng.sbin.syslog-ng''. It should be useful directly or with minor modifications for other syslog-ng versions and on other AppArmor based distributions.

 #include <tunables/global> 
 
 /opt/syslog-ng/sbin/syslog-ng { 
  #include <abstractions/base> 
  #include <abstractions/consoles> 
  #include <abstractions/nameservice> 
  #include <abstractions/mysql> 

  capability chown, 
  capability dac_override, 
  capability fsetid, 
  capability fowner, 
  capability sys_tty_config, 
  capability sys_resource, 
  capability sys_admin, 
  capability syslog, 
 
  /dev/log rw, 
  /dev/syslog w, 
  /dev/tty* rw, 
  /dev/xconsole rw, 
  /opt/syslog-ng/etc/** r, 
  /proc/kmsg r, 
  /etc/hosts.deny r, 
  /etc/hosts.allow r, 
  /opt/syslog-ng/sbin/syslog-ng mr, 
  /opt/syslog-ng/libexec/syslog-ng ix, 
  /opt/syslog-ng/lib/** mr, 
  /opt/syslog-ng/share/** r, 
  /opt/syslog-ng/var/syslog-ng.persist* rw, 
  /var/log/** w, 
  /opt/syslog-ng/var/run/syslog-ng.pid krw, 
  /opt/syslog-ng/var/run/syslog-ng.ctl rw, 

 }